Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@1259 f5dc347c-c33d-0410-90a0-b07cc1902cb9
- Loading branch information
jlatour
committed
Aug 19, 2002
1 parent
1442cb9
commit 9496961
Showing
5 changed files
with
641 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,118 @@ | ||
| [Mantis Advisory/2002-01] SQL poisoning vulnerability in Mantis | ||
|
|
||
| 0. Table of Contents | ||
|
|
||
| 1. Introduction | ||
| 2. Summary / Impact analysis | ||
| 3. Affected versions | ||
| 4. Workaround / Solution | ||
| 5. Detailed explanation | ||
| 6. Contact details | ||
|
|
||
| 1. Introduction | ||
|
|
||
| Mantis is an Open Source web-based bugtracking system, written in PHP, which | ||
| uses the MySQL database server. It is being actively developed by a small | ||
| group of developers, and is considered to be in the beta stage. | ||
|
|
||
| In response to the increased number of users and to the increasing number of | ||
| discovered security vulnerabilities, the Mantis team has decided to start | ||
| releasing advisories for all vulnerabilities in versions higher than 0.17.0. | ||
| This is the first in a series of advisories which cover the previously | ||
| discovered vulnerabilities in greater detail. | ||
|
|
||
| 2. Summary / Impact analysis | ||
|
|
||
| Older versions of Mantis do not check all user input, especially if they do | ||
| not come directly from form fields. This opens up a wide variety of SQL | ||
| poisoning vulnerabilities on systems without magic_quotes_gpc enabled. Most | ||
| of these vulnerabilities are only exploitable in a limited manner, since it | ||
| is no longer possible to execute multiple queries using one call to | ||
| mysql_query(). | ||
|
|
||
| There is one query which can be tricked into changing an account's access | ||
| level, which means that a malicious user, with an account on the Mantis | ||
| installation, can make himself (m/f) an administrator of that Mantis | ||
| installation. This particular vulnerability has been fixed in version | ||
| 0.17.3. | ||
|
|
||
| Other vulnerabilities may exist, which are caused by the same lack of input | ||
| checking. | ||
|
|
||
| 3. Affected versions | ||
|
|
||
| The following versions are known to be affected: | ||
| Mantis 0.17.2 | ||
|
|
||
| The following versions are known to be unaffected: | ||
| Mantis 0.17.4a (*) | ||
| Mantis 0.17.4 (*) | ||
| Mantis 0.17.3 (*) | ||
|
|
||
| The following versions are presumed to be affected: | ||
| All versions below Mantis 0.17.2 | ||
|
|
||
| * = But read the comments in section 2. | ||
|
|
||
| 4. Workaround / Solution | ||
|
|
||
| Mantis 0.17.3 fixes the exploitable query mentioned in section 2. | ||
| All users are recommended to upgrade to the latest version, currently | ||
| 0.17.4. | ||
|
|
||
| Since this vulnerability was discovered, coding guidelines have been changed | ||
| to ensure that every bit of user input that is fed to SQL queries is either | ||
| validated or escaped. Unfortunately, these changes came too late to be | ||
| released with Mantis 0.17.3. They have been fixed in CVS, and will be | ||
| corrected in 0.18.0. | ||
| Users who prefer security over using a tested version are encouraged to use | ||
| the CVS version. 0.18.0 is currently being wrapped up, but the release may | ||
| take a few weeks. | ||
|
|
||
| If an upgrade is not possible, Mantis 0.17.2 (and possibly lower) can be | ||
| patched to secure the exploitable query: | ||
|
|
||
| In account_update.php, insert the following lines somewhere in a PHP block | ||
| before the SQL queries are executed: | ||
| $f_username = addslashes($f_username); | ||
| $f_email = addslashes($f_email); | ||
|
|
||
| Enabling magic_quotes_gpc in your PHP configuration will also prevent the | ||
| problem from being exploitable. | ||
|
|
||
| 5. Detailed explanation | ||
|
|
||
| By modifying the username or the email of a Mantis account, it is possible | ||
| to change any column of the Mantis user table (mantis_user_table by | ||
| default). | ||
|
|
||
| This can be done by inserting quotes in the username or email and crafting | ||
| the value in such a manner that a valid SQL query results. | ||
|
|
||
| For example: | ||
| - The email can be set to: user@server', access_level=90, email=' | ||
| - The normal query is: | ||
| UPDATE mantis_user_table | ||
| SET username='$f_username', email='$f_email' | ||
| WHERE id='$f_id' | ||
| - With the specified value for the email field, this becomes: | ||
| UPDATE mantis_user_table | ||
| SET username='someusername', email='user@server', access_level=90, email='' | ||
| WHERE id='$f_id' | ||
| - This set the access_level column to a value of 90, the internal value | ||
| for Administrator. | ||
|
|
||
| 6. Contact details | ||
|
|
||
| The latest version of Mantis is always available from: | ||
| http://mantisbt.sourceforge.net/ | ||
| The current version is 0.17.4a, which can be downloaded from | ||
| http://mantisbt.sourceforge.net/download.php3 | ||
|
|
||
| If you have any questions about this vulnerability, or wish to report | ||
| another, you can contact the developers at: | ||
| mailto:mantisbt-security@lists.sourceforge.net | ||
| This is a private mailinglist, readable only by a few developers. | ||
|
|
||
| The latest version of this and other advisories can be found at: | ||
| http://mantisbt.sourceforge.net/security.php3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| [Mantis Advisory/2002-02] Limiting output to reporters can be bypassed | ||
|
|
||
| 0. Table of Contents | ||
|
|
||
| 1. Introduction | ||
| 2. Summary / Impact analysis | ||
| 3. Affected versions | ||
| 4. Workaround / Solution | ||
| 5. Detailed explanation | ||
| 6. Contact details | ||
|
|
||
| 1. Introduction | ||
|
|
||
| Mantis is an Open Source web-based bugtracking system, written in PHP, which | ||
| uses the MySQL database server. It is being actively developed by a small | ||
| group of developers, and is considered to be in the beta stage. | ||
|
|
||
| In response to the increased number of users and to the increasing number of | ||
| discovered security vulnerabilities, the Mantis team has decided to start | ||
| releasing advisories for all vulnerabilities in versions higher than 0.17.0. | ||
| This is the second in a series of advisories which cover the previously | ||
| discovered vulnerabilities in greater detail. | ||
|
|
||
| 2. Summary / Impact analysis | ||
|
|
||
| It is possible to instruct Mantis to show reporters only the bugs that they | ||
| reported, by setting the limit_reporters option to ON. This will | ||
| automatically set the 'reporter' filter on the 'View Bugs' page. | ||
|
|
||
| The information on the 'View Bugs' page was also available in a form | ||
| suitable for printing, by clicking on the 'Print Reports' link on the 'View | ||
| Bugs' page. However this script, print_all_bug_page.php, did not check the | ||
| limit_reporters option and thus allowed reporters to see the summaries of | ||
| bugs they did not report. | ||
|
|
||
| This has been fixed in Mantis 0.17.4. | ||
|
|
||
| 3. Affected versions | ||
|
|
||
| The following versions are known to be affected: | ||
| Mantis 0.17.3 | ||
| Mantis 0.17.2 | ||
| Mantis 0.17.1 | ||
| Mantis 0.17.0 | ||
| Mantis 0.16.1 | ||
| Mantis 0.16.0 | ||
|
|
||
| The following versions are known to be unaffected: | ||
| Mantis 0.17.4a | ||
| Mantis 0.17.4 | ||
| Any version below Mantis 0.16.0 (*) | ||
|
|
||
| * = The 'Print reports' feature did not exist in those versions. | ||
|
|
||
| 4. Workaround / Solution | ||
|
|
||
| Mantis 0.17.4 adds the appropriate permission checks to the 'Print Reports' | ||
| page. | ||
| All users are recommended to upgrade to this version as soon as possible. | ||
|
|
||
| If upgrade is not an option, print_all_bug_page.php can be patched to close | ||
| this vulnerability. | ||
| The following instructions apply to Mantis 0.17.3, and could apply to | ||
| earlier versions: | ||
|
|
||
| In print_all_bug_page.php, after the block of assignments from | ||
| $t_setting_arr, insert the following lines: | ||
| # Limit reporters to only see their reported bugs | ||
| if (( ON == $g_limit_reporters ) && | ||
| ( !access_level_check_greater_or_equal( UPDATER ) )) { | ||
| $f_user_id = get_current_user_field( "id" ); | ||
| } | ||
|
|
||
| 5. Detailed explanation | ||
|
|
||
| No trickery is required to allow a reporter to see the summaries of bugs | ||
| that (s)he did not report. The reporter just has to go to 'View Bugs', click | ||
| on 'Print Reports' and make sure the 'reporter' filter is set to anything | ||
| but his/her own name. | ||
|
|
||
| 6. Contact details | ||
|
|
||
| The latest version of Mantis is always available from: | ||
| http://mantisbt.sourceforge.net/ | ||
| The current version is 0.17.4a, which can be downloaded from | ||
| http://mantisbt.sourceforge.net/download.php3 | ||
|
|
||
| If you have any questions about this vulnerability, or wish to report | ||
| another, you can contact the developers at: | ||
| mailto:mantisbt-security@lists.sourceforge.net | ||
| This is a private mailinglist, readable only by a few developers. | ||
|
|
||
| The latest version of this and other advisories can be found at: | ||
| http://mantisbt.sourceforge.net/security.php3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,139 @@ | ||
| [Mantis Advisory/2002-03] Bug listings of private projects can be viewed | ||
| through cookie manipulation | ||
|
|
||
| 0. Table of Contents | ||
|
|
||
| 1. Introduction | ||
| 2. Summary / Impact analysis | ||
| 3. Affected versions | ||
| 4. Workaround / Solution | ||
| 5. Detailed explanation | ||
| 6. Contact details | ||
|
|
||
| 1. Introduction | ||
|
|
||
| Mantis is an Open Source web-based bugtracking system, written in PHP, which | ||
| uses the MySQL database server. It is being actively developed by a small | ||
| group of developers, and is considered to be in the beta stage. | ||
|
|
||
| In response to the increased number of users and to the increasing number of | ||
| discovered security vulnerabilities, the Mantis team has decided to start | ||
| releasing advisories for all vulnerabilities in versions higher than 0.17.0. | ||
| This is the third in a series of advisories which cover the previously | ||
| discovered vulnerabilities in greater detail. | ||
|
|
||
| 2. Summary / Impact analysis | ||
|
|
||
| In Mantis a user can select a project from a drop-down menu. After | ||
| selection, all bug listings will be limited to that project. | ||
|
|
||
| The 'View Bugs' page, which is responsible for displaying a list of bugs in | ||
| a project, did not check whether the user actually had access to the project | ||
| defined in the cookie. It trusted the fact that only projects accessible to | ||
| the user were listed in the drop-down menu. | ||
|
|
||
| This provides a malicious user with an opportunity to display the 'View | ||
| Bugs' page with a private project selected. This has been fixed in Mantis | ||
| 0.17.4. | ||
|
|
||
| It should be noted that this bug does not allow a user to get any more | ||
| information than is listed in the View Bugs page. The page with more | ||
| information about the bug is not accessible. | ||
| Also, private bugs are still not visible in the list. | ||
|
|
||
| 3. Affected versions | ||
|
|
||
| The following versions are known to be affected: | ||
| Mantis 0.17.3 | ||
|
|
||
| The following versions are known to be unaffected: | ||
| Mantis 0.17.4a | ||
| Mantis 0.17.4 | ||
|
|
||
| The following versions are presumed to be affected: | ||
| Any version below Mantis 0.17.3 | ||
|
|
||
| 4. Workaround / Solution | ||
|
|
||
| Mantis 0.17.4 adds the appropriate permission checks to the 'View Bugs' | ||
| page. | ||
| All users are recommended to upgrade to this version as soon as possible. | ||
|
|
||
| If an upgrade is not an option, view_all_bug_page.php can be patched to add | ||
| the appropriate checks. | ||
| To do so, add the following function to core_user_API.php: | ||
|
|
||
| # Check to see if the current user has access on the specified project | ||
| function check_access_to_project( $p_project_id ) { | ||
| $t_project_view_state = get_project_field( $p_project_id, 'view_state'); | ||
|
|
||
| # Administrators ALWAYS pass. | ||
| if ( get_current_user_field( 'access_level' ) >= ADMINISTRATOR ) { | ||
| return; | ||
| } | ||
|
|
||
| # public project accept all users | ||
| if ( PUBLIC == $t_project_view_state ) { | ||
| return; | ||
| } else { | ||
| # private projects require users to be assigned | ||
| $t_project_access_level = get_project_access_level( $p_project_id ); | ||
| # -1 means not assigned, kick them out to the project selection screen | ||
| if ( -1 == $t_project_access_level ) { | ||
| print_header_redirect( 'login_select_proj_page.php' ); | ||
| } else { # passed | ||
| return; | ||
| } | ||
| } | ||
| } | ||
|
|
||
| And in view_all_bug_page.php, replace the following lines: | ||
| $t_where_clause .= ')'; | ||
| } | ||
| } else { | ||
| $t_where_clause = " WHERE project_id='$g_project_cookie_val'"; | ||
| } | ||
| # end project selection | ||
|
|
||
| with the following lines: | ||
| $t_where_clause .= ')'; | ||
| } | ||
| } else { | ||
| check_access_to_project($g_project_cookie_val); | ||
| $t_where_clause = " WHERE project_id='$g_project_cookie_val'"; | ||
| } | ||
| # end project selection | ||
|
|
||
| 5. Detailed explanation | ||
|
|
||
| To take advantage of this vulnerability, the attacker would need to know the | ||
| project_id of the private project he wishes to attack. This is not terribly | ||
| difficult to accomplish, as the project_id starts at 1 and increases by one | ||
| for every project created. The attacker can just try each integer starting | ||
| at 1, until (s)he finds the one (s)he's looking for. | ||
|
|
||
| The next step is to log in to Mantis at least once, so that the | ||
| MANTIS_PROJECT_COOKIE, or however the cookie is called in that particular | ||
| set-up, is set. The user can then manually change the cookie locally, and | ||
| fill in the desired project_id. Now all the user has to do is visit | ||
| /view_all_bug_page.php, and the list of public bugs in that project should | ||
| be displayed. | ||
|
|
||
| An alternative method is by forging the HTTP headers, to send the desired | ||
| cookie value with a request for /view_all_bug_page.php. The results are the | ||
| same. | ||
|
|
||
| 6. Contact details | ||
|
|
||
| The latest version of Mantis is always available from: | ||
| http://mantisbt.sourceforge.net/ | ||
| The current version is 0.17.4a, which can be downloaded from | ||
| http://mantisbt.sourceforge.net/download.php3 | ||
|
|
||
| If you have any questions about this vulnerability, or wish to report | ||
| another, you can contact the developers at: | ||
| mailto:mantisbt-security@lists.sourceforge.net | ||
| This is a private mailinglist, readable only by a few developers. | ||
|
|
||
| The latest version of this and other advisories can be found at: | ||
| http://mantisbt.sourceforge.net/security.php3 |
Oops, something went wrong.