View Issue Details

ID: 0023908
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-08-08 17:15
Reporter: foolandtom
Assigned To: dregad
Priority: low
Severity: trivial
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 2.10.0
Target Version:
Fixed in Version:
Summary: 0023908: Vendor/adodb/adodb-php/server.php SQL injection
Description

MantisBT 2.10.0 allows local users to conduct SQL injection attacks via the vendor/adodb/adodb-php/server.php sql
parameter in a request to the 127.0.0.1 IP address.


[Additional Information]
url: http://127.0.0.1/vendor/adodb/adodb-php/server.php?sql=select+*+from+admin&nrows=10&offset=

code:
if (empty($_REQUEST['sql'])) err('No SQL');   // the request must carry an "sql" parameter

$conn = ADONewConnection($driver);            // driver/host/credentials are hard-coded in server.php

if (!$conn->Connect($host,$uid,$pwd,$database)) err($conn->ErrorNo(). $sep . $conn->ErrorMsg());   // connection failure reports the ADOdb error
$sql = undomq($_REQUEST['sql']);              // caller-supplied SQL, magic quotes removed, passed on for execution
address: /adodb/adodb-php/server.php

position: lines 78-84

If there is no configuration, the physical path is leaked, and the link needs to be opened from 127.0.0.1.


[Vulnerability Type]
SQL Injection


[Vendor of Product]
mantisbt


[Affected Product Code Base]
mantisbt - mantisbt-2.10.0


[Attack Type]
Local


[Impact Information Disclosure]
true


[CVE Impact Other]
Leaked physical path


[Attack Vectors]
vendor/adodb/adodb-php/server.php?sql=select+*+from+admin&nrows=10&offset=2


[Discoverer]
shanghaikuangchuang@Tom

Use CVE-2018-6382.


CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA


Additional Information

Local execution is required. If no default configuration database exists, it will cause path leakage; it is recommended to configure a default error page.

Tags: No tags attached.

Relationships

related to 0024192 (closed, dregad): Update ADOdb to 5.20.12

Activities

dregad (developer), 2018-01-30 05:20, ~0058673

Thanks for the report. A few remarks:

  1. We're only users of the ADOdb library, so this would probably best be reported upstream at https://github.com/ADOdb/ADOdb/issues - but since I'm also the maintainer of ADOdb, we might as well continue the discussion here for now.
  2. Due to the localhost IP address restriction, the request needs to be physically run on the server operating the database.
  3. Since the purpose of the server.php script is to execute arbitrary queries to begin with, I don't think that SQL injection introduces any additional risk.
  4. Successful SQL execution could only occur if (and only if) a connection to the DB server can be established with the settings defined in server.php, i.e. (out of the box):
    $driver = 'mysql';
    $host = 'localhost'; // DSN for odbc
    $uid = 'root';
    $pwd = 'garbase-it-is';
    $database = 'test';

So, while I agree that SQL injection is technically possible, I don't think it can realistically affect MantisBT.
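As an added defender-side example (not code from the report, MantisBT or ADOdb): a small Python checker that parses constructed access-log lines and flags any request reaching a script under vendor/, rating hits on server.php higher when an sql parameter is present or the script answered with a 5xx, which is the path-leak case discussed in this note. The log lines, paths and severity labels are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [30/Jan/2018:00:36:01 +0000] "GET /vendor/adodb/adodb-php/server.php?sql=select+*+from+admin&nrows=10&offset=2 HTTP/1.1" 200 512 "-" "curl/7.58.0"
10.0.0.5 - - [30/Jan/2018:00:37:12 +0000] "GET /view.php?id=23908 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Jan/2018:00:38:40 +0000] "GET /vendor/adodb/adodb-php/server.php HTTP/1.1" 500 211 "-" "python-requests/2.18"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Library code under vendor/ is never meant to be served; server.php is singled out
# because it executes the caller-supplied "sql" parameter by design.
VENDOR_PREFIX = "/vendor/"
ADODB_SERVER = "/vendor/adodb/adodb-php/server.php"


def parse_line(line):
    """Split one combined-format line into ip, timestamp, method, path, query, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def find_vendor_hits(log_text):
    """Return one finding per request that touched a script under vendor/."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(VENDOR_PREFIX):
            continue
        f = {"ip": rec["ip"], "path": rec["path"], "status": int(rec["status"]),
             "sql": None, "severity": "medium"}
        if rec["path"] == ADODB_SERVER:
            f["sql"] = rec["query"].get("sql")
            # A 5xx from server.php is the "no DB configured, error output leaks the path" case.
            f["severity"] = "high" if (f["sql"] or f["status"] >= 500) else "medium"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in find_vendor_hits(SAMPLE_LOG):
        print(finding)
```

The same check, run over a real access log, gives a quick answer to the question raised in this thread: whether server.php is reachable through the web root at all.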

foolandtom (reporter), 2018-01-30 06:01, ~0058675

Low impact degree

foolandtom (reporter), 2018-01-30 06:27, ~0058676

Existence of injection, low availability

dregad (developer), 2018-01-30 07:35, ~0058679

Your feedback on my earlier note 0023908:0058673 would be appreciated. I don't understand the point of your last 2 comments.

if no default configuration database will cause path leakage, it is recommended to configure the default error page

Fixed in https://github.com/ADOdb/ADOdb/issues/389

dregad (developer), 2018-03-29 11:52, ~0059353 (last edited: 2018-03-29 11:53)

I asked MITRE to update the CVE, to have it rejected since I don't think it is a vulnerability in MantisBT at all.

dregad (developer), 2018-03-30 16:18, ~0059374 (last edited: 2018-03-30 16:18)

https://github.com/ADOdb/ADOdb/issues/389 is fixed in ADODb 5.20.12 - 0024192

dregad (developer), 2018-07-30 08:36, ~0060339

ADOdb 5.20.12 has been deployed in MantisBT 2.14.0, fixing the path leakage issue.

With regards to the SQL injection, since it is effectively not possible to exploit it, I will resolve this issue as "no change required".

Issue History

Date Modified Username Field Change
2018-01-30 00:36 foolandtom New Issue
2018-01-30 01:00 atrol Category sql => security
2018-01-30 01:00 atrol View Status public => private
2018-01-30 05:20 dregad Status new => acknowledged
2018-01-30 05:20 dregad Note Added: 0058673
2018-01-30 06:01 foolandtom Note Added: 0058675
2018-01-30 06:27 foolandtom Note Added: 0058676
2018-01-30 07:35 dregad Note Added: 0058679
2018-03-29 11:36 dregad Assigned To => dregad
2018-03-29 11:36 dregad Status acknowledged => assigned
2018-03-29 11:52 dregad Note Added: 0059353
2018-03-29 11:53 dregad Note Edited: 0059353
2018-03-30 16:12 dregad Relationship added related to 0024192
2018-03-30 16:18 dregad Note Added: 0059374
2018-03-30 16:18 dregad Note Edited: 0059374
2018-07-30 08:36 dregad Status assigned => resolved
2018-07-30 08:36 dregad Resolution open => no change required
2018-07-30 08:36 dregad Note Added: 0060339
2018-07-30 08:36 dregad View Status private => public
2018-08-08 17:15 atrol Status resolved => closed