[UNIX] SQL Poisoning Vulnerability in Mantis

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 21 Aug 2002 14:23:46 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  SQL Poisoning Vulnerability in Mantis
------------------------------------------------------------------------

SUMMARY

Mantis (<http://mantisbt.sourceforge.net/>) is an Open Source web-based bug
tracking system, written in PHP, which uses the MySQL database server. It
is being actively developed by a small group of developers, and is
considered to be in the beta stage. A security vulnerability in Mantis
allowed malicious users to insert their own SQL statements into existing
SQL statements allowing them to compromise the database's integrity.

DETAILS

Vulnerable systems:
 * Mantis version 0.17.2

Immune systems:
 * Mantis version 0.17.4a
 * Mantis version 0.17.4
 * Mantis version 0.17.3

Older versions of Mantis do not check all user input, especially input that
does not come directly from form fields. This opens up a wide variety of SQL
poisoning (injection) vulnerabilities on systems without magic_quotes_gpc
enabled. Most of these vulnerabilities are only exploitable in a limited
manner, since it is no longer possible to execute multiple queries using
one call to mysql_query().

There is one query that can be tricked into changing an account's access
level, which means that a malicious user, with an account on the Mantis
installation, can make himself (m/f) an administrator of that Mantis
installation.

Note: Other vulnerabilities, caused by the same lack of input checking,
may exist!

Workaround / Solution:
Mantis 0.17.3 fixes the exploitable query described in the detailed
explanation below. All users are recommended to upgrade to the latest
version, currently 0.17.4.

Since this vulnerability was discovered, coding guidelines have been
changed to ensure that every bit of user input that is fed to SQL queries
is either validated or escaped. Unfortunately, these changes came too late
to be released with Mantis 0.17.3. They have been fixed in CVS, and will
be corrected in 0.18.0.
Users who prefer security to using a tested version are encouraged to use
the CVS version. Version 0.18.0 is currently being wrapped up, but the
release may take a few weeks.

If an upgrade is not possible, Mantis 0.17.2 (and possibly lower) can be
patched to secure the exploitable query:

In account_update.php, insert the following lines somewhere in a PHP block
before the SQL queries are executed:
     $f_username = addslashes($f_username);
     $f_email = addslashes($f_email);

Enabling magic_quotes_gpc in your PHP configuration will also prevent the
problem from being exploitable.

Detailed explanation:
By modifying the username or the email of a Mantis account, it is possible
to change any column of the Mantis user table (mantis_user_table by
default).

This can be done by inserting quotes in the username or email and crafting
the value in such a manner that a valid SQL query results.

For example:
 - The email can be set to: user@server', access_level=90, email='
 - The normal query is:
       UPDATE mantis_user_table
         SET username='$f_username', email='$f_email'
         WHERE id='$f_id'
 - With the specified value for the email field, this becomes:
       UPDATE mantis_user_table
         SET username='someusername', email='user@server', access_level=90, email=''
         WHERE id='$f_id'
   This sets the access_level column to a value of 90, the internal value
   for Administrator.
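The following is an added example, not code from Mantis or from the advisory's author. It shows how the account update described above can be written so that the quoted email value cannot alter any other column: instead of the addslashes() workaround given in the Workaround section, it binds the values as prepared-statement parameters (PDO), validates username and email before they reach SQL, and strips magic_quotes_gpc slashes first so nothing is escaped twice. The helper names (raw_input, validate_username, validate_email, update_account), the in-memory SQLite table and the sample row with access_level 10 are all assumptions constructed for the demonstration; the table and column names are the advisory's.

```php
<?php
// Added example (not Mantis code): a hardened account update for the query
// named in the advisory. Assumes a PDO connection and the advisory's table
// and column names (mantis_user_table: id, username, email, access_level).

// If magic_quotes_gpc is on, PHP has already added slashes to the request
// values. Remove them so the value is escaped exactly once, by the driver.
// get_magic_quotes_gpc() was removed in PHP 8, hence the guard.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Validate before the value reaches SQL. A quote, comma or '=' is never part
// of a legitimate username, and an email must at least parse as one.
function validate_username(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $username);
}

function validate_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// The vulnerable statement was built by interpolating $f_username / $f_email
// into the SQL text. Here the values travel as bound parameters, so the
// advisory's payload  user@server', access_level=90, email='  is stored as
// a plain string in the email column and never reaches access_level.
function update_account(PDO $db, int $id, string $username, string $email): bool
{
    $username = raw_input($username);
    $email    = raw_input($email);

    if (!validate_username($username) || !validate_email($email)) {
        return false;   // reject the request rather than "repair" the input
    }

    $stmt = $db->prepare(
        'UPDATE mantis_user_table SET username = :username, email = :email WHERE id = :id'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}

// Self-contained demonstration against an in-memory SQLite database
// (constructed here; a real deployment would use the MySQL DSN).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mantis_user_table (id INTEGER PRIMARY KEY, username TEXT, email TEXT, access_level INTEGER)');
$db->exec("INSERT INTO mantis_user_table VALUES (1, 'someusername', 'old@server', 10)");

// The advisory's example value for the email field.
$payload = "user@server', access_level=90, email='";

// 1. With validation in place the request is refused outright.
$accepted = update_account($db, 1, 'someusername', $payload);
echo 'update accepted: ', var_export($accepted, true), "\n";

// 2. Even with validation skipped, the bound parameter keeps the payload inert.
$stmt = $db->prepare('UPDATE mantis_user_table SET email = :email WHERE id = :id');
$stmt->execute([':email' => $payload, ':id' => 1]);
$row = $db->query('SELECT email, access_level FROM mantis_user_table WHERE id = 1')
          ->fetch(PDO::FETCH_ASSOC);
echo 'email column: ', $row['email'], "\n";
echo 'access_level: ', $row['access_level'], "\n";
```

Run with the PHP CLI (php hardened_update.php). The first step reports that the update was not accepted, because the quote and the '=' fail validate_email(); the second step shows the entire payload, quotes and all, sitting in the email column while access_level keeps the value the row was created with. The check worth keeping in a real deployment is the second one: escaping or binding decides whether user data can change the shape of the statement, and validation only narrows what data is allowed through.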

ADDITIONAL INFORMATION

The information has been provided by Jeroen Latour
<jlatour@calaquendi.net>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.