
XML plugin: Add config page with access thresholds

Prior to this, any user of a MantisBT instance with the XML
Import/Export plugin enabled and knowing the URL to the plugin's import
page could upload an XML file and insert data without restriction,
regardless of their access level.

This vulnerability is particularly dangerous when used in combination
with the one described in issue #17725 (CVE-2014-7146) as it makes for a
very simple and easily accessible vector for PHP code injection attacks.

There was also no access check when exporting data, which could allow an
attacker to gain access to confidential information (disclosure of all
bug-related data, including usernames).

Fixes #17780 (CVE-2014-8598)
dregad committed Oct 17, 2014
1 parent 8961a66 commit 7d3dd4305a7ec19b351e6e63e823cffa17d40d9a
@@ -34,7 +34,7 @@ class XmlImportExportPlugin extends MantisPlugin {
function register() {
$this->name = plugin_lang_get( 'title' );
$this->description = plugin_lang_get( 'description' );
$this->page = '';
$this->page = "config_page";
$this->version = '1.3.0';
$this->requires = array(
@@ -50,6 +50,17 @@ function register() {
* Default plugin configuration.
* @return array
*/
public function config() {
return array(
"import_threshold" => ADMINISTRATOR,
"export_threshold" => DEVELOPER,
);
}
/**
* Plugin hooks
* @return array
*/
function hooks() {
$t_hooks = array(
'EVENT_MENU_MANAGE' => 'import_issues_menu',
@@ -71,6 +82,9 @@ function import_issues_menu() {
* @return array
*/
function export_issues_menu() {
if( !access_has_project_level( plugin_config_get( 'export_threshold' ) ) ) {
return array();
}
return array( '<a href="' . plugin_page( 'export' ) . '">' . plugin_lang_get( 'export' ) . '</a>', );
}
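Review bot: `import_issues_menu()` is left ungated while `export_issues_menu()` now hides its link when the user is below `export_threshold`; the hunk header `@@ -71,6 +82,9 @@ function import_issues_menu()` shows no change to the import menu's body, so a user below `import_threshold` still sees a manage-menu link that `import.php` will then refuse. Mirror the export guard at the top of `import_issues_menu()`: `if( !access_has_project_level( plugin_config_get( 'import_threshold' ) ) ) { return array(); }`. The body of `import_issues_menu()` lies outside the hunk, so confirm it is not already gated there. Minor style: `"config_page"` and the keys in `config()` use double quotes where the rest of the class uses single quotes.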
@@ -50,6 +50,12 @@ $s_plugin_XmlImportExport_description = 'Adds XML based import and export capabi
$s_plugin_XmlImportExport_import = 'Import issues';
$s_plugin_XmlImportExport_export = 'XML Export';
$s_plugin_XmlImportExport_config_title = 'XML Import/Export Access Levels Configuration';
$s_plugin_XmlImportExport_import_threshold = 'Import issues';
$s_plugin_XmlImportExport_export_threshold = 'Export issues';
$s_plugin_XmlImportExport_action_update = 'Update';
$s_plugin_XmlImportExport_importing_in_project = 'Importing issues into project: \'%s\'';
$s_plugin_XmlImportExport_import_options = 'Import options';
@@ -0,0 +1,29 @@
<?php
# Copyright (c) 2014 MantisBT Team - mantisbt-dev@lists.sourceforge.net
# Licensed under the MIT license
form_security_validate( 'plugin_XmlImportExport_config' );
access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
/**
* Sets plugin config option if value is different from current/default
* @param string $p_name option name
* @param string $p_value value to set
* @return void
*/
function config_set_if_needed( $p_name, $p_value ) {
if ( $p_value != plugin_config_get( $p_name ) ) {
plugin_config_set( $p_name, $p_value );
}
}
$t_redirect_url = plugin_page( 'config_page', true );
html_page_top( null, $t_redirect_url );
config_set_if_needed( 'import_threshold' , gpc_get_int( 'import_threshold' ) );
config_set_if_needed( 'export_threshold' , gpc_get_int( 'export_threshold' ) );
form_security_purge( 'plugin_XmlImportExport_config' );
html_operation_successful( $t_redirect_url );
html_page_bottom();
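Review bot: The posted thresholds are stored after only an integer cast (`gpc_get_int`) with no check that the value is a member of the `access_levels` enum, so a stray or tampered POST from a plugin manager could set `import_threshold` to an arbitrary number (e.g. 0), which would then satisfy `access_ensure_project_level()` for every user. Validate each value before `config_set_if_needed()`, for instance `if( !MantisEnum::hasValue( config_get( 'access_levels_enum_string' ), $t_import ) ) { trigger_error( ERROR_INVALID_FIELD_VALUE, ERROR ); }` and the same for the export value, assuming that enum helper is available in this MantisBT version. The loose `!=` in `config_set_if_needed()` works here because both sides are integers, but `!==` would make the intent explicit if `plugin_config_get()` is guaranteed to return the stored type.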
@@ -0,0 +1,63 @@
<?php
# Copyright (c) 2014 MantisBT Team - mantisbt-dev@lists.sourceforge.net
# Licensed under the MIT license
access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
html_page_top();
//print_manage_menu();
?>
<br />
<div class="form-container">
<form action="<?php echo plugin_page( 'config' ) ?>" method="post">
<fieldset>
<legend>
<?php echo plugin_lang_get( 'config_title' ) ?>
</legend>
<?php echo form_security_field( 'plugin_XmlImportExport_config' ) ?>
<!-- Import Access Level -->
<div class="field-container">
<label for="import_threshold">
<span><?php echo plugin_lang_get( 'import_threshold' ) ?></span>
</label>
<span class="select">
<select id="import_threshold" name="import_threshold"><?php
print_enum_string_option_list(
'access_levels',
plugin_config_get( 'import_threshold' )
);
?></select>
</span>
<span class="label-style"></span>
</div>
<!-- Export Access Level -->
<div class="field-container">
<label for="export_threshold">
<span><?php echo plugin_lang_get( 'export_threshold' ) ?></span>
</label>
<span class="select">
<select id="export_threshold" name="export_threshold"><?php
print_enum_string_option_list(
'access_levels',
plugin_config_get( 'export_threshold' )
);
?></select>
</span>
<span class="label-style"></span>
</div>
<!-- Update button -->
<div class="submit-button">
<input type="submit" value="<?php echo plugin_lang_get( 'action_update' ) ?>"/>
</div>
</fieldset>
</form>
</div>
<?php
html_page_bottom();
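Review bot: The commented-out `//print_manage_menu();` is dead code and the page calls `html_page_top()` with no title, unlike the import page which passes `plugin_lang_get( 'import' )`. Either call the menu for real or drop the line, and give the page its title: `html_page_top( plugin_lang_get( 'config_title' ) );` followed by `print_manage_menu( 'manage_plugin_page.php' );` if this should sit inside the manage menu like other plugin config pages (confirm against the core pages' convention). A one-line header comment stating that the page is reachable only at `manage_plugin_threshold` and posts to `config` would also help the next reader.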
@@ -24,6 +24,8 @@
require_once( 'core.php' );
access_ensure_project_level( plugin_config_get( 'export_threshold' ) );
auth_ensure_user_authenticated( );
helper_begin_long_process( );
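Review bot: The new `access_ensure_project_level()` check runs before `auth_ensure_user_authenticated()`, so an anonymous visitor is evaluated for project access before being asked to log in; depending on how the core resolves the current user when no session exists, this likely yields an access-denied error instead of a login redirect. Swapping the two lines keeps the protection and gives the expected flow: `auth_ensure_user_authenticated();` then `access_ensure_project_level( plugin_config_get( 'export_threshold' ) );`. A short comment noting that the check uses the current project's threshold (no explicit project id is passed) would clarify the scope.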
@@ -22,6 +22,8 @@
* Import XML Issues Page
*/
access_ensure_project_level( plugin_config_get( 'import_threshold' ) );
auth_reauthenticate( );
html_page_top( plugin_lang_get( 'import' ) );
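Review bot: This hunk gates only the page that renders the import form; the commit message describes the vulnerability as uploading an XML file and inserting data, which happens in the script the form posts to, and that handler is not visible on this page. If it is not patched in the same commit, add the identical `access_ensure_project_level( plugin_config_get( 'import_threshold' ) );` (and `form_security_validate()`) at the top of the action script, since hiding the form alone does not stop a direct POST. As in export.php, consider placing `auth_reauthenticate();` before the access check so an unauthenticated or stale session is sent to log in rather than denied outright.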
