
Commit 80a1548

committed
XML plugin: Add config page with access thresholds
Prior to this, any user of a MantisBT instance with the XML Import/Export plugin enabled and knowing the URL to the plugin's import page could upload an XML file and insert data without restriction, regardless of their access level. This vulnerability is particularly dangerous when used in combination with the one described in issue #17725 (CVE-2014-7146) as it makes for a very simple and easily accessible vector for PHP code injection attacks. There was also no access check when exporting data, which could allow an attacker to gain access to confidential information (disclosure of all bug-related data, including usernames). Fixes #17780 (CVE-2014-8598)
1 parent bed19db commit 80a1548

6 files changed

+101
-1
lines changed


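--- a/plugins/XmlImportExport/XmlImportExport.php
+++ b/plugins/XmlImportExport/XmlImportExport.php
@@ -39,7 +39,7 @@ class XmlImportExportPlugin extends MantisPlugin {
 function register( ) {
 $this->name = plugin_lang_get( 'title' );
 $this->description = plugin_lang_get( 'description' );
-$this->page = '';
+$this->page = "config_page";
 
 $this->version = '1.0';
 $this->requires = array(
@@ -54,6 +54,17 @@ function register( ) {
 /**
 * Default plugin configuration.
 */
+public function config() {
+return array(
+"import_threshold" => ADMINISTRATOR,
+"export_threshold" => DEVELOPER,
+);
+}
+
+/**
+* Plugin hooks
+* @return array
+*/
 function hooks( ) {
 $hooks = array(
 'EVENT_MENU_MANAGE' => 'import_issues_menu',
@@ -67,6 +78,9 @@ function import_issues_menu( ) {
 }
 
 function export_issues_menu( ) {
+if( !access_has_project_level( plugin_config_get( 'export_threshold' ) ) ) {
+return array();
+}
 return array( '<a href="' . plugin_page( 'export' ) . '">' . plugin_lang_get( 'export' ) . '</a>', );
 }
 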

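--- a/plugins/XmlImportExport/lang/strings_english.txt
+++ b/plugins/XmlImportExport/lang/strings_english.txt
@@ -35,7 +35,14 @@ $s_plugin_XmlImportExport_description = 'Adds XML based import and export capabi
 $s_plugin_XmlImportExport_import = 'Import issues';
 $s_plugin_XmlImportExport_export = 'XML Export';
 
+$s_plugin_XmlImportExport_config_title = 'XML Import/Export Access Levels Configuration';
+$s_plugin_XmlImportExport_import_threshold = 'Import issues';
+$s_plugin_XmlImportExport_export_threshold = 'Export issues';
+
+$s_plugin_XmlImportExport_action_update = 'Update';
+
 $s_plugin_XmlImportExport_importing_in_project = 'Importing issues in project:';
+
 $s_plugin_XmlImportExport_import_options = 'Import options';
 
 $s_plugin_XmlImportExport_cross_references = 'Cross references';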

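--- /dev/null
+++ b/plugins/XmlImportExport/pages/config.php
@@ -0,0 +1,27 @@
+<?php
+# Copyright (c) 2014 MantisBT Team - mantisbt-dev@lists.sourceforge.net
+# Licensed under the MIT license
+
+form_security_validate( 'plugin_XmlImportExport_config' );
+access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
+
+/**
+* Sets plugin config option if value is different from current/default
+* @param string $p_name option name
+* @param string $p_value value to set
+* @return void
+*/
+function config_set_if_needed( $p_name, $p_value ) {
+if ( $p_value != plugin_config_get( $p_name ) ) {
+plugin_config_set( $p_name, $p_value );
+}
+}
+
+$t_redirect_url = plugin_page( 'config_page', true );
+
+config_set_if_needed( 'import_threshold' , gpc_get_int( 'import_threshold' ) );
+config_set_if_needed( 'export_threshold' , gpc_get_int( 'export_threshold' ) );
+
+form_security_purge( 'plugin_XmlImportExport_config' );
+
+print_successful_redirect( $t_redirect_url );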
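Review bot: The thresholds posted at lines 22-23 are stored straight from `gpc_get_int()` without checking that the integer is one of the defined access levels, so a value outside the access_levels enum (0 or a negative number, for instance) can be persisted and later handed to access_ensure_project_level() in import.php and export.php, which would presumably lower the bar for those pages to every user. Only users above manage_plugin_threshold reach this script, so this is a misconfiguration hazard rather than a bypass, but validating each posted value against the access_levels enum before plugin_config_set() and rejecting the request otherwise would close it. The `!=` at line 15 is a loose comparison; both operands are ints here, so `if ( $p_value !== plugin_config_get( $p_name ) ) {` is the safer form. The docblock at line 11 declares `@param string $p_value` while an int is what is passed; `@param int $p_value value to set` would be accurate.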

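--- /dev/null
+++ b/plugins/XmlImportExport/pages/config_page.php
@@ -0,0 +1,48 @@
+<?php
+# Copyright (c) 2014 MantisBT Team - mantisbt-dev@lists.sourceforge.net
+# Licensed under the MIT license
+
+access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
+
+html_page_top();
+//print_manage_menu();
+?>
+
+<br />
+<form action="<?php echo plugin_page( 'config' ) ?>" method="post">
+<?php echo form_security_field( 'plugin_XmlImportExport_config' ) ?>
+<table class="width60" align="center">
+
+<tr>
+<td class="form-title" colspan="2"><?php echo plugin_lang_get("config_title") ?></td>
+</tr>
+
+<tr <?php echo helper_alternate_class() ?>>
+<td class="category"><?php echo plugin_lang_get( 'import_threshold' ) ?></td>
+<td><select name="import_threshold"><?php
+print_enum_string_option_list(
+'access_levels',
+plugin_config_get( 'import_threshold' )
+);
+?></select></td>
+</tr>
+
+<tr <?php echo helper_alternate_class() ?>>
+<td class="category"><?php echo plugin_lang_get( 'export_threshold' ) ?></td>
+<td><select name="export_threshold"><?php
+print_enum_string_option_list(
+'access_levels',
+plugin_config_get( 'export_threshold' )
+);
+?></select></td>
+</tr>
+
+<tr>
+<td class="center" colspan="2"><input type="submit" value="<?php echo plugin_lang_get("action_update") ?>"/></td>
+</tr>
+
+</table>
+</form>
+
+<?php
+html_page_bottom();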
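Review bot: Line 8 ships a commented-out `//print_manage_menu();` in a brand-new file; either restore the call or drop the line, since dead code only leaves the next reader guessing whether the menu was meant to appear. The strings echoed at lines 17, 21, 31 and 41 go into HTML and an attribute value unescaped; they come from the plugin's own lang file (strings_english.txt in this commit) rather than from request data, so this is acceptable, but a one-line comment such as `# lang strings are plugin-shipped, not user input` above the form would help anyone auditing the page for output encoding. The two calls at lines 17 and 41 also use double quotes where lines 21 and 31 use single quotes; `plugin_lang_get( 'config_title' )` keeps the file consistent.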

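--- a/plugins/XmlImportExport/pages/export.php
+++ b/plugins/XmlImportExport/pages/export.php
@@ -20,6 +20,8 @@
 
 require_once( 'core.php' );
 
+access_ensure_project_level( plugin_config_get( 'export_threshold' ) );
+
 auth_ensure_user_authenticated( );
 helper_begin_long_process( );
 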
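Review bot: The new access_ensure_project_level() call at line 23 runs before auth_ensure_user_authenticated() at line 25, and the import.php hunk has the same shape with the threshold check placed ahead of auth_reauthenticate(). If access_ensure_project_level() resolves the current user itself and redirects to login when there is none, this is harmless, but putting the authentication call first — `auth_ensure_user_authenticated( );` followed by `access_ensure_project_level( plugin_config_get( 'export_threshold' ) );` — makes the intended authenticate-then-authorise order explicit and keeps the two pages consistent with the rest of the core scripts. Both checks are evaluated against the current project only; if an export or import can touch issues in other projects, that case should be confirmed separately. The surrounding script continues outside the hunk.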

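--- a/plugins/XmlImportExport/pages/import.php
+++ b/plugins/XmlImportExport/pages/import.php
@@ -14,6 +14,8 @@
 # You should have received a copy of the GNU General Public License
 # along with MantisBT. If not, see <http://www.gnu.org/licenses/>.
 
+access_ensure_project_level( plugin_config_get( 'import_threshold' ) );
+
 auth_reauthenticate( );
 
 html_page_top( plugin_lang_get( 'import' ) );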
