[BuHa-Security] Multiple Vulnerabilities in Mantis 1.00rc4

Published: 2006-02-15 (vulners.com)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160


| BuHa Security-Advisory #7 | Feb 14th, 2006 |

| Vendor | Mantis BT |
| URL | http://www.mantisbt.org/ |
| Version | <= Mantis 1.00rc4 |
| Risk | Moderate |

o Description:

Mantis is a web-based bugtracking system. It is written in the PHP
scripting language and requires the MySQL database and a webserver.

Visit http://www.mantisbt.org/ for detailed information.

o SQL-Injection:

> > /manage_user_page.php:
GET: <?sort=last_visit'>

The manipulated value of the sort parameter is saved into the
"MANTIS_MANAGE_COOKIE" cookie. The cookie value is inserted unchanged into
a SQL query, so every time the page is loaded a MySQL database error is
displayed.

> > You have an error in your SQL syntax; check the manual that
> > corresponds to your MySQL server version for the right syntax
> > to use near '\"> ASC' at line 4 for the query:
> > SELECT *
> > FROM mantis_user_table
> > WHERE (1 = 1)
> > ORDER BY last_visit\' AS

Unexploitable SQL-Injection, temporary defacement.
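The defect described above is a sort column spliced into ORDER BY from a value that is first persisted in a cookie. A sort column cannot be bound as a prepared-statement parameter, so the fix is to allow-list it before it reaches SQL or the cookie. The following is an added illustration in PHP, not Mantis code: the column names in the allow-list (other than last_visit) and the single-value cookie layout are assumptions made for the example.

```php
<?php
// Added example, not code from Mantis. Shows the pattern the advisory
// describes beside a hardened form.

// Vulnerable pattern: the request value is spliced into ORDER BY unchanged.
// A value such as "last_visit'" breaks the statement, and because the value
// is also stored in a cookie the error recurs on every page load.
function build_user_query_unsafe(string $sort, string $dir): string {
    return "SELECT * FROM mantis_user_table WHERE (1 = 1) ORDER BY $sort $dir";
}

// Hardened form: map the untrusted value onto a fixed set of column names.
// Column names other than last_visit are assumed for this example.
const USER_SORT_COLUMNS = [
    'username', 'realname', 'email', 'access_level', 'enabled',
    'last_visit', 'date_created',
];

function normalize_sort(string $sort): string {
    // Strict comparison; anything not in the list falls back to a default
    // rather than being echoed back in SQL or HTML.
    return in_array($sort, USER_SORT_COLUMNS, true) ? $sort : 'username';
}

function normalize_dir(string $dir): string {
    return strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
}

function build_user_query(string $sort, string $dir): string {
    $col = normalize_sort($sort);
    return "SELECT * FROM mantis_user_table WHERE (1 = 1) ORDER BY `$col` "
        . normalize_dir($dir);
}

// The cookie is re-validated on every read, so a stale or tampered cookie
// is neutralised exactly like a bad query-string value. The cookie holding a
// bare column name is a simplification assumed for this example.
function read_sort_from_request(array $get, array $cookie): string {
    $raw = $get['sort'] ?? $cookie['MANTIS_MANAGE_COOKIE'] ?? '';
    return normalize_sort((string) $raw);
}

// Demonstration with the advisory's own input value.
echo build_user_query_unsafe("last_visit'", 'ASC'), PHP_EOL;
echo build_user_query("last_visit'", 'ASC'), PHP_EOL;
echo build_user_query(read_sort_from_request([], ['MANTIS_MANAGE_COOKIE' => "last_visit'"]), 'DESC'), PHP_EOL;
```

The first echo reproduces the broken statement from the error above; the other two show that the same input, whether it arrives in the query string or from the cookie, is reduced to a known column and a known direction before any SQL is built.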

o XSS:

> > /view_all_set.php:
GET: <?type=1&handler_id=1&hide_status=[XSS]>
GET: <?type=1&handler_id=[XSS]>
GET: <?type=1&temporary=y&user_monitor=[XSS]>
GET: <?type=1&temporary=y&reporter_id=[XSS]>
GET: <?type=6&view_type=[XSS]>
GET: <?type=1&show_severity=[XSS]>
GET: <?type=1&show_category=[XSS]>
GET: <?type=1&show_status=[XSS]>

GET: <?type=1&show_resolution=[XSS]>
GET: <?type=1&show_build=[XSS]>
GET: <?type=1&show_profile=[XSS]>
GET: <?type=1&show_priority=[XSS]>

GET: <?type=1&highlight_changed=[XSS]>
GET: <?type=1&relationship_type=[XSS]>
GET: <?type=1&relationship_bug=[XSS]>

> > /manage_user_page.php:
GET: <?sort=[XSS]>

> > /view_filters_page.php:
GET: </view_filters_page.php?view_type=[XSS]>

> > /proj_doc_delete.php:
GET: <?file_id=1&title=[XSS]>
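Every parameter listed above is reflected into the response. The defensive rule is the same for all of them: validate on input where the type allows it (numeric identifiers, enumerated values) and HTML-encode on output regardless. The following is an added PHP illustration, not Mantis code; the accepted values for view_type and the hidden-field rendering are assumptions chosen to show where a raw reflection would land.

```php
<?php
// Added example, not code from Mantis. Input validation plus output encoding
// for reflected filter parameters.

// Encode for an HTML text node or a double-quoted attribute value.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Identifier-style parameters (handler_id, reporter_id, user_monitor,
// relationship_bug, file_id) must be integers; reject anything else before
// it is used or echoed.
function param_int(array $src, string $name, int $default): int {
    $v = filter_var($src[$name] ?? null, FILTER_VALIDATE_INT);
    return $v === false ? $default : $v;
}

// Enumerated parameters (view_type, sort, ...) are checked against a fixed
// list of accepted values; the lists passed in below are assumed.
function param_enum(array $src, string $name, array $allowed, string $default): string {
    $v = (string) ($src[$name] ?? '');
    return in_array($v, $allowed, true) ? $v : $default;
}

// Render hidden form fields that carry the current filter back to the
// browser, the kind of place a raw reflection would end up.
function render_filter_fields(array $get): string {
    $fields = [
        'handler_id'  => (string) param_int($get, 'handler_id', 0),
        'reporter_id' => (string) param_int($get, 'reporter_id', 0),
        'view_type'   => param_enum($get, 'view_type', ['simple', 'advanced'], 'simple'),
        // Free-text value: no type to validate, so encoding alone protects it.
        'show_status' => (string) ($get['show_status'] ?? ''),
    ];
    $out = '';
    foreach ($fields as $name => $value) {
        $out .= '<input type="hidden" name="' . h($name) . '" value="' . h($value) . '">' . PHP_EOL;
    }
    return $out;
}

// Constructed request with benign markup in place of the advisory's [XSS].
echo render_filter_fields([
    'type'        => '1',
    'handler_id'  => '1"><b>x</b>',
    'view_type'   => '"><i>y</i>',
    'show_status' => '10"><u>z</u>',
]);
```

The integer and enumerated fields never carry the injected markup at all, and the free-text field carries it only as `&quot;&gt;&lt;u&gt;z&lt;/u&gt;`, which the browser renders as literal text rather than as an attribute break.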

o Disclosure Timeline:

08 Oct 05 - Security flaws discovered.
17 Nov 05 - Vendor contacted.
15 Dec 05 - Vendor contacted again.
18 Dec 05 - Vendor confirmed vulnerabilities.
18 Dec 05 - Vendor released partly bugfixed version.
19 Dec 05 - Vendor contacted again.
03 Feb 06 - Vendor released bugfixed version.
14 Feb 06 - Public release.

o Solution:

Upgrade to Mantis 1.0.0. [1]

o Credits:

Thomas Waldegger <[email protected]>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address '[email protected]' is more a
spam address than a regular mail address, therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, nait, trappy and all
members of BuHa.

Advisory online: http://morph3us.org/advisories/20060214-mantis-100rc4.txt

[1] http://www.mantisbt.org/download.php

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFD8qCZkCo6/ctnOpYRA3OmAJkBblkaWsqm4Gsmd1kmZmfSiE0tdgCgkPXw
Yw3XgTq5MxLHSGX7hExkDpQ=
=nRmi
-----END PGP SIGNATURE-----