View Issue Details

IDProjectCategoryView StatusLast Update
0008976mantisbtsecuritypublic2008-06-17 02:48
Reporterthraxisp Assigned Togiallu  
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionfixed 
Product Version1.1.1 
Target Version1.1.2Fixed in Version1.1.2 
Summary0008976: Remote Code Execution in adm_config
Description

Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities

Name Multiple Vulnerabilities in Mantis
Systems Affected Mantis 1.1.1 and possibly earlier versions
Severity
Impact (CVSSv2) (, vector: )
Vendor http://www.mantisbt.org/
Advisory
Authors Antonio "s4tan" Parata (s4tan AT ush DOT it)
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Date

C) Remote Code Execution Vulnerabilities

Finally we present the most critical vulnerability. A Remote Code Execution vulnerability exists in the software, but it can be exploited only if the attacker has a valid adminitrator account, so it could be ideal if used in conjunction with the previous one. The vulnerability is in the file adm_config_set.php. On row 80 we have the following statement:

eval( '$t_value = ' . $f_value . ';' );

where the $f_value is defined at row 34 of the same file:

$f_value = gpc_get_string( 'value' );

the parameter $f_value is never validated, so we can exploit this issue with the following url wich executes the phpinfo() function:

http://www.example.com/mantis/adm_config_set.php?user_id=0&project_id=0&config_option=cache_config&type=0&value=0;phpinfo()

TagsNo tags attached.

Relationships

parent of 0008980 closedgiallu Port: Remote Code Execution in adm_config 
related to 0009426 closedgiallu Creating the view_issues_page_columns creates a string 

Activities

thraxisp

thraxisp

2008-03-16 20:36

reporter   ~0017382

patch added to SVN (r5121) to hide the change configuration form if the user is below the set_configuration threshold. This should make the issue less accessible until a complete set of configuration controls can be built.

2008-05-28 19:28

 

bug8976.patch (1,792 bytes)   
Index: adm_config_set.php
===================================================================
--- adm_config_set.php	(revision 5297)
+++ adm_config_set.php	(working copy)
@@ -76,10 +76,47 @@
 	} else if ( $t_type === 'integer' ) {
 		$t_value = (integer)$f_value;
 	} else {
-		eval( '$t_value = ' . $f_value . ';' );
+		# We support these kind of variables here:
+		# 1. constant values (like the ON/OFF switches): they are defined as constants mapping to numeric values
+		# 2. simple arrays with the form: array( a, b, c, d )
+		# 3. associative arrays with the form: array( a=>1, b=>2, c=>3, d=>4 )
+		$t_full_string = trim( $f_value );
+		if ( preg_match('/array\((.*)\)/', $t_full_string, $t_match ) === 1 ) {
+			// we have an array here
+			$t_values = split( ',', trim( $t_match[1] ) );
+			foreach ( $t_values as $key => $value ) {
+				$t_split = split ('=>',  $value );
+				if ( count( $t_split ) == 2 ) {
+					// associative array
+					$t_new_key = constant_replace( trim( $t_split[0] ) );
+					$t_new_value = constant_replace( trim( $t_split[1] ) );
+					$t_value[ $t_new_key ] = $t_new_value;
+				}
+				else {
+					// regular array
+					$t_value[ $key ] = constant_replace( trim( $value ) );
+				}
+			}
+		}
+		else {
+			// scalar value
+			$t_value = constant_replace( trim( $t_full_string ) );
+		}
 	}
 
 	config_set( $f_config_option, $t_value, $f_user_id, $f_project_id );
 
 	print_successful_redirect( 'adm_config_report.php' );
-?>
\ No newline at end of file
+
+
+	/** 
+	 * Check if the passed string is a constant and return its value
+	 */
+	function constant_replace( $p_name ) {
+		$t_result = $p_name;
+		if ( is_string( $p_name ) && defined( $p_name ) ) {
+			// we have a constant
+			$t_result = constant( $p_name );
+		}
+		return $t_result;
+	}
bug8976.patch (1,792 bytes)   
giallu

giallu

2008-05-28 19:32

reporter   ~0017932

I think the best fix is to start removing the eval() line, then add back at least a basic subset of what was possible with the eval.

The attached patch was written with this spirit, and adds back support for simple values (including constants interpolation) and arrays (simple and associative)

I'd appreciate a review before committing though.

vboctor

vboctor

2008-05-29 01:19

manager   ~0017935

This seems to be the last security issue that is blocking 1.1.2 release. Once this is done, we can cut the release. There are about 4 other issues that are not critical and can be re-targeted to future 1.1.x release.

giallu

giallu

2008-05-29 05:36

reporter   ~0017941

Fixed in SVN revision 5298

http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5298

giallu

giallu

2008-05-29 05:48

reporter   ~0017942

Removing private status since this is public now, as part of CVE-2008-2276.

Rad Hat reference:
https://bugzilla.redhat.com/show_bug.cgi?id=448410

Related Changesets

MantisBT: master-1.1.x 1f34bc8c

2008-05-29 09:17:49

giallu

Details Diff
Fix 8976: Remote Code Execution in adm_config

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5298 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0008976
mod - adm_config_set.php Diff File

Issue History

Date Modified Username Field Change
2008-03-14 20:24 thraxisp New Issue
2008-03-14 20:24 thraxisp Status new => assigned
2008-03-14 20:24 thraxisp Assigned To => thraxisp
2008-03-16 18:08 thraxisp Issue cloned: 0008980
2008-03-16 18:08 thraxisp Relationship added parent of 0008980
2008-03-16 20:36 thraxisp Note Added: 0017382
2008-05-28 19:28 giallu File Added: bug8976.patch
2008-05-28 19:32 giallu Note Added: 0017932
2008-05-29 01:19 vboctor Note Added: 0017935
2008-05-29 05:16 giallu Assigned To thraxisp => giallu
2008-05-29 05:36 giallu Note Added: 0017941
2008-05-29 05:36 giallu Status @0@ => resolved
2008-05-29 05:36 giallu Fixed in Version => 1.1.2
2008-05-29 05:36 giallu Resolution @0@ => fixed
2008-05-29 05:48 giallu Note Added: 0017942
2008-05-29 05:48 giallu View Status private => public
2008-06-17 02:48 giallu Status @0@ => closed
2008-07-21 18:02 giallu Relationship added related to 0009426
2008-10-20 20:20 Changeset attached master-1.1.x 8c9ba87a =>
2008-11-11 09:03 giallu Changeset attached master-1.1.x 1f34bc8c =>