
XML plugin: Add config page with access thresholds

Prior to this, any user of a MantisBT instance with the XML
Import/Export plugin enabled and knowing the URL to the plugin's import
page could upload an XML file and insert data without restriction,
regardless of their access level.

This vulnerability is particularly dangerous when used in combination
with the one described in issue #17725 (CVE-2014-7146) as it makes for a
very simple and easily accessible vector for PHP code injection attacks.

There was also no access check when exporting data, which could allow an
attacker to gain access to confidential information (disclosure of all
bug-related data, including usernames).

Fixes #17780 (CVE-2014-8598)
dregad committed Oct 17, 2014
1 parent bed19db commit 80a15487cda89afb00ce866da8e24d76808dcdb4
@@ -39,7 +39,7 @@ class XmlImportExportPlugin extends MantisPlugin {
function register( ) {
$this->name = plugin_lang_get( 'title' );
$this->description = plugin_lang_get( 'description' );
$this->page = '';
$this->page = "config_page";
$this->version = '1.0';
$this->requires = array(
@@ -54,6 +54,17 @@ function register( ) {
/**
* Default plugin configuration.
*/
public function config() {
return array(
"import_threshold" => ADMINISTRATOR,
"export_threshold" => DEVELOPER,
);
}
/**
* Plugin hooks
* @return array
*/
function hooks( ) {
$hooks = array(
'EVENT_MENU_MANAGE' => 'import_issues_menu',
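Review bot: The `config()` docblock added in this hunk omits the `@return array` tag that the neighbouring `hooks()` docblock carries; adding `* @return array` under `* Default plugin configuration.` keeps the two consistent. The keys `"import_threshold"` and `"export_threshold"` are double-quoted while the rest of the class (for example `'EVENT_MENU_MANAGE'`) uses single quotes, and the same applies to `$this->page = "config_page";` in the first hunk of this file. Both are presentation only; the defaults themselves are not in question.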
@@ -67,6 +78,9 @@ function import_issues_menu( ) {
}
function export_issues_menu( ) {
if( !access_has_project_level( plugin_config_get( 'export_threshold' ) ) ) {
return array();
}
return array( '<a href="' . plugin_page( 'export' ) . '">' . plugin_lang_get( 'export' ) . '</a>', );
}
@@ -35,7 +35,14 @@ $s_plugin_XmlImportExport_description = 'Adds XML based import and export capabi
$s_plugin_XmlImportExport_import = 'Import issues';
$s_plugin_XmlImportExport_export = 'XML Export';
$s_plugin_XmlImportExport_config_title = 'XML Import/Export Access Levels Configuration';
$s_plugin_XmlImportExport_import_threshold = 'Import issues';
$s_plugin_XmlImportExport_export_threshold = 'Export issues';
$s_plugin_XmlImportExport_action_update = 'Update';
$s_plugin_XmlImportExport_importing_in_project = 'Importing issues in project:';
$s_plugin_XmlImportExport_import_options = 'Import options';
$s_plugin_XmlImportExport_cross_references = 'Cross references';
@@ -0,0 +1,27 @@
<?php
# Copyright (c) 2014 MantisBT Team - mantisbt-dev@lists.sourceforge.net
# Licensed under the MIT license
form_security_validate( 'plugin_XmlImportExport_config' );
access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
/**
* Sets plugin config option if value is different from current/default
* @param string $p_name option name
* @param string $p_value value to set
* @return void
*/
function config_set_if_needed( $p_name, $p_value ) {
if ( $p_value != plugin_config_get( $p_name ) ) {
plugin_config_set( $p_name, $p_value );
}
}
$t_redirect_url = plugin_page( 'config_page', true );
config_set_if_needed( 'import_threshold' , gpc_get_int( 'import_threshold' ) );
config_set_if_needed( 'export_threshold' , gpc_get_int( 'export_threshold' ) );
form_security_purge( 'plugin_XmlImportExport_config' );
print_successful_redirect( $t_redirect_url );
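Review bot: The values from `gpc_get_int( 'import_threshold' )` and `gpc_get_int( 'export_threshold' )` reach `plugin_config_set` after only an integer check, so any integer — including one below the lowest defined access level — is accepted as a threshold and later handed to `access_ensure_project_level()` on the import and export pages. The page is guarded by `manage_plugin_threshold`, so this only matters for a tampered administrator submission, but since the thresholds are the substance of this fix, validating each submitted value against the same `access_levels` enum the config page builds its option list from, and rejecting anything else before `config_set_if_needed` runs, would close that gap. Separately, `config_set_if_needed` compares with loose `!=`; as the incoming value is already an int, `if ( (int) plugin_config_get( $p_name ) !== $p_value ) {` states the intent more precisely.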
@@ -0,0 +1,48 @@
<?php
# Copyright (c) 2014 MantisBT Team - mantisbt-dev@lists.sourceforge.net
# Licensed under the MIT license
access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
html_page_top();
//print_manage_menu();
?>
<br />
<form action="<?php echo plugin_page( 'config' ) ?>" method="post">
<?php echo form_security_field( 'plugin_XmlImportExport_config' ) ?>
<table class="width60" align="center">
<tr>
<td class="form-title" colspan="2"><?php echo plugin_lang_get("config_title") ?></td>
</tr>
<tr <?php echo helper_alternate_class() ?>>
<td class="category"><?php echo plugin_lang_get( 'import_threshold' ) ?></td>
<td><select name="import_threshold"><?php
print_enum_string_option_list(
'access_levels',
plugin_config_get( 'import_threshold' )
);
?></select></td>
</tr>
<tr <?php echo helper_alternate_class() ?>>
<td class="category"><?php echo plugin_lang_get( 'export_threshold' ) ?></td>
<td><select name="export_threshold"><?php
print_enum_string_option_list(
'access_levels',
plugin_config_get( 'export_threshold' )
);
?></select></td>
</tr>
<tr>
<td class="center" colspan="2"><input type="submit" value="<?php echo plugin_lang_get("action_update") ?>"/></td>
</tr>
</table>
</form>
<?php
html_page_bottom();
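Review bot: `//print_manage_menu();` is commented-out code in a brand-new page; either call it or drop the line, since a silent leftover makes the next reader guess whether the manage menu was meant to appear here. `plugin_lang_get("config_title")` and `plugin_lang_get("action_update")` use double quotes while every other call in the file uses single quotes. `html_page_top()` is also called without a title, whereas import.php passes `plugin_lang_get( 'import' )`; `html_page_top( plugin_lang_get( 'config_title' ) );` would match that convention.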
@@ -20,6 +20,8 @@
require_once( 'core.php' );
access_ensure_project_level( plugin_config_get( 'export_threshold' ) );
auth_ensure_user_authenticated( );
helper_begin_long_process( );
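Review bot: `access_ensure_project_level( plugin_config_get( 'export_threshold' ) )` is placed before `auth_ensure_user_authenticated( )`, so whether an anonymous request is rejected by the threshold or first sent to log in depends on how `access_ensure_project_level()` resolves the current user, which this hunk does not show. Moving the threshold check to the line after `auth_ensure_user_authenticated( );` makes it independent of that behaviour and reads as authenticate-then-authorise. The import.php hunk has the same ordering relative to `auth_reauthenticate( )`; there the check-before-reauthenticate order may be deliberate (no password prompt for users who cannot import anyway), so a one-line comment stating the intended order would help in both files.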
@@ -14,6 +14,8 @@
# You should have received a copy of the GNU General Public License
# along with MantisBT. If not, see <http://www.gnu.org/licenses/>.
access_ensure_project_level( plugin_config_get( 'import_threshold' ) );
auth_reauthenticate( );
html_page_top( plugin_lang_get( 'import' ) );
