[BuHa-Security] Multiple Vulnerabilities in Mantis 1.00rc4
---------------------------------------------------
| BuHa Security-Advisory #7 | Feb 14th, 2006 |
---------------------------------------------------
| Vendor | Mantis BT |
| URL | http://www.mantisbt.org/ |
| Version | <= Mantis 1.00rc4 |
| Risk | Moderate |
---------------------------------------------------
o Description:
=============
Mantis is a web-based bug-tracking system. It is written in the PHP
scripting language and requires a MySQL database and a web server.
Visit http://www.mantisbt.org/ for detailed information.
o SQL-Injection:
===============
> > /manage_user_page.php:
GET: <?sort=last_visit'>
The manipulated value of the sort parameter is saved into the
"MANTIS_MANAGE_COOKIE" cookie. The cookie value is then inserted
unmodified into a SQL query, so every time the page is loaded a MySQL
database error is displayed.
> > You have an error in your SQL syntax; check the manual that
> > corresponds to your MySQL server version for the right syntax
> > to use near '\"> ASC' at line 4 for the query:
> > SELECT *
> > FROM mantis_user_table
> > WHERE (1 = 1)
> > ORDER BY last_visit\' AS
Unexploitable SQL injection; the effect is a temporary defacement of the page.
o XSS:
=====
> > /view_all_set.php:
GET: <?type=1&handler_id=1&hide_status=[XSS]>
GET: <?type=1&handler_id=[XSS]>
GET: <?type=1&temporary=y&user_monitor=[XSS]>
GET: <?type=1&temporary=y&reporter_id=[XSS]>
GET: <?type=6&view_type=[XSS]>
GET: <?type=1&show_severity=[XSS]>
GET: <?type=1&show_category=[XSS]>
GET: <?type=1&show_status=[XSS]>
GET: <?type=1&show_resolution=[XSS]>
GET: <?type=1&show_build=[XSS]>
GET: <?type=1&show_profile=[XSS]>
GET: <?type=1&show_priority=[XSS]>
GET: <?type=1&highlight_changed=[XSS]>
GET: <?type=1&relationship_type=[XSS]>
GET: <?type=1&relationship_bug=[XSS]>
> > /manage_user_page.php:
GET: <?sort=[XSS]>
> > /view_filters_page.php:
GET: </view_filters_page.php?view_type=[XSS]>
> > /proj_doc_delete.php:
GET: <?file_id=1&title=[XSS]>
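The sort parameter above is both the SQL injection and an XSS sink: it is persisted in the MANTIS_MANAGE_COOKIE cookie, spliced into ORDER BY, and reflected into the page. The following is an added example, not Mantis code, showing the vulnerable pattern beside a hardened one; the column list, the `dir` parameter and the cookie handling are assumptions for illustration.

```php
<?php
// Added example, not Mantis code: the ?sort= value is persisted in the
// MANTIS_MANAGE_COOKIE cookie and later spliced into ORDER BY. A column
// name cannot be bound as a prepared-statement parameter, so the fix is a
// strict allowlist applied both before storing and after reading the cookie.

// Assumed set of sortable columns for illustration; Mantis's real list may differ.
const ALLOWED_SORT_COLUMNS = ['username', 'realname', 'email', 'access_level', 'enabled', 'last_visit', 'date_created'];
const DEFAULT_SORT = 'username';

// Vulnerable pattern (as described in the advisory): the stored value reaches
// SQL unchanged, so a trailing quote breaks the query on every page load.
function build_query_vulnerable(string $sort, string $dir): string
{
    return "SELECT * FROM mantis_user_table WHERE (1 = 1) ORDER BY $sort $dir";
}

// Hardened pattern: anything not on the allowlist is replaced by the default
// instead of reaching SQL. Returns [column, direction].
function sanitize_sort(string $sort, string $dir): array
{
    $col = in_array($sort, ALLOWED_SORT_COLUMNS, true) ? $sort : DEFAULT_SORT;
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return [$col, $dir];
}

// Request handling: the cookie is attacker-controlled on every request, so the
// value read back from it is validated exactly like a fresh GET parameter.
function handle_request(array $get, array $cookie): array
{
    $raw = $get['sort'] ?? $cookie['MANTIS_MANAGE_COOKIE'] ?? DEFAULT_SORT;
    [$col, $dir] = sanitize_sort((string) $raw, (string) ($get['dir'] ?? 'ASC'));
    // In the real page only the validated $col would be persisted:
    // setcookie('MANTIS_MANAGE_COOKIE', $col, ['httponly' => true]);
    return [
        'query' => "SELECT * FROM mantis_user_table WHERE (1 = 1) ORDER BY $col $dir",
        // The same value is reflected into HTML (the XSS variant), so escape it.
        'html'  => '<a href="?sort=' . rawurlencode($col) . '">'
                 . htmlspecialchars($col, ENT_QUOTES, 'UTF-8') . '</a>',
    ];
}

// Constructed sample input mirroring the advisory's payload.
$result = handle_request(['sort' => "last_visit'"], []);
echo build_query_vulnerable("last_visit'", 'ASC'), PHP_EOL;  // unvalidated value reaches SQL
echo $result['query'], PHP_EOL, $result['html'], PHP_EOL;     // validated fallback column
```

The same allowlist-then-escape treatment applies to the other reflected parameters listed above (view_type, show_status, title and so on), since each is a fixed vocabulary or identifier rather than free text.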
o Disclosure Timeline:
=====================
08 Oct 05 - Security flaws discovered.
17 Nov 05 - Vendor contacted.
15 Dec 05 - Vendor contacted again.
18 Dec 05 - Vendor confirmed vulnerabilities.
18 Dec 05 - Vendor released partly bugfixed version.
19 Dec 05 - Vendor contacted again.
03 Feb 06 - Vendor released bugfixed version.
14 Feb 06 - Public release.
o Solution:
==========
Upgrade to Mantis 1.0.0. [1]
o Credits:
=========
Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/
If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more of a
spam address than a regular mail address, therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.
Greets fly out to cyrus-tc, destructor, nait, trappy and all
members of BuHa.
Advisory online: http://morph3us.org/advisories/20060214-mantis-100rc4.txt
[1] http://www.mantisbt.org/download.php