[UNIX] Mantis Bug Tracker Multiple Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 08/22/04
- Previous message: SecuriTeam: "[UNIX] PHP-FUSION Various Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 22 Aug 2004 17:24:17 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Mantis Bug Tracker Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.mantisbt.org/> Mantis is "a web-based bug tracking system. It
is written in the PHP scripting language and requires the MySQL database
and a web server".
The Mantis bug tracking system suffers from multiple security issues
mainly due to improper input validation. Hence, cross-site scripting and
even PHP code execution are possible through this system.
DETAILS
Vulnerable Systems:
* Mantis version 0.18.3
Immune Systems:
* Mantis version 0.19.0a2 (Alpha) from CVS
* The 'return' parameter in the login_page.php script are not properly
* Another XSS vulnerability can be found in the signup.php script (ex.:
* The 'Select Project' script is also vulnerable to a cross site
* Cross site scripting vulnerability in the 'view_all_set.php', example
In addition to the multiple cross-site scripting vulnerabilities, it is
Exploit:
//Please, change it becuase is my e-mail :)
for ($i=0;$i<=15;$i++)
?>
Finally, there is also a remote PHP code execution in the system. If the
Vendor Status:
ADDITIONAL INFORMATION
The information has been provided by <mailto:joxeankoret@yahoo.es> Joxean
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
sanitized and allow a malicious user to input malicious content. It is
possible to login anonymously and in order to perform a privileged action,
login as a registered user. The previous URL is passed as the return
parameter and through it, any HTML or script code can be injected. An
example for the XSS vulnerability:
http://
%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E
%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr
<http://bugs.mantisbt.org/signup.php>
http://bugs.mantisbt.org/signup.php). The Email address field is not
properly sanitized and will allow dangerous content to be passed. One can
put the following into the Email address:
<iframe src=http://www.playboy.com></iframe> or <h1>Hi!</h1>
scripting attack. The script is 'login_select_proj_page.php' and the
following URL can be used to demonstrate and exploit this issue:
http://
given below:
http://
also possible to exploit the product and cause it to send a fairly
arbitrary (and large) amount of emails to a user.
The following script can be used to determine whether your system is
vulnerable to attack or not:
<?php
$email = "anyemail@address";
$base_user = "test";
$i = 0;
$site = "http://
{
echo("Sending e-mail number $i\n");
$user = "$base_user$i";
echo("New user is $user\n");
$url = "http://$site/signup.php?username=$user&email=$email";
echo("URL is $url\n");
$fd = fopen($url,"r");
echo("E-mail $i sended\n");
fclose($fd);
}
REGISTER_GLOBAL variable is set, an attacker is able to inject and execute
PHP code by overwriting the $t_core_dir global variable. The vulnerable
scripts are:
bug_api.php -> at line 22 (using variable $t_core_path)
relationship_api.php -> Line 14 (using variable $t_core_dir)
The maintainers of Mantis have been informed and the fixes are already in
the CVS tree, in the alpha version.
Koret.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Relevant Pages
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Phorum is "an Open Source
web based discussion ... An XSS vulnerability exists in the script 'common.php' that allows
... By sending a HTTP/POST variable to any Phorum script, ... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... There is a Cross-Site-Scripting
vulnerability in the script ... Another SQL-Injection vulnerability exists in the comments.php
script, ... This string manipulates the SQL query into looking something like this:
... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A cross site scripting vulnerability
has been found in the user ... When registering a new account the register.asp script fails
to properly ... Vendor Status: ... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... script, used in conjunction
with other vulnerable files allow us to use ... File reading vulnerability as well as HTS
script injection ... can create files in the Administrators startup folder. ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Horde Kronolith Arbitrary Local
File Inclusion Vulnerability ... stored on the Web server to be parsed as PHP code.
... (Securiteam)
