Advisory: Multiple vulnerabilities in Mantis
Name: TKADV2005-11-002
Revision: 1.0
Release Date: 2005/12/23
Last Modified: 2005/12/23
Date Reported: 2005/11/04
Author: Tobias Klein (tk at trapkit.de)
Affected Software: Mantis (all versions <= 0.19.3)
Risk: Critical ( ) High ( ) Medium (x) Low (x)
Vendor URL: http://www.mantisbt.org
Vendor Status: Vendor has released an updated version
=========
Overview:
=========
Mantis is a widely used PHP/MySQL web-based bug tracking system.
Version 0.19.3 and prior contain multiple Cross-Site Scripting,
SQL Injection and HTTP Header CRLF Injection vulnerabilities.
Furthermore, it is possible to conduct a denial of service attack
under certain circumstances.
======================
Vulnerability details:
======================
For a description of the calculation of the resulting threat of a
vulnerability see reference [3].
All vulnerabilities are exploitable regardless of whether
magic_quotes_gpc is turned on or off.
[1] SQL Injection
Possible damage: Critical
Probability of occurrence: Low
Resulting threat: Medium
HTTP method: GET
Vulnerability description:
Mantis is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can only be successfully exploited by the
administrative user.
Vulnerable GET parameter: prefix
Proof of Concept (GET request):
[path_to_mantis]/manage_user_page.php?prefix=A[SQL]
[2] SQL Injection
Possible damage: Critical
Probability of occurrence: Low
Resulting threat: Medium
HTTP method: POST
Vulnerability description:
Mantis is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can only be successfully exploited by the
administrative user.
Vulnerable URL:
[path_to_mantis]/manage_user_page.php
Vulnerable POST parameter: sort
Proof of Concept (POST request):
POST [path_to_mantis]/manage_user_page.php HTTP/1.1
[...]
sort=username[SQL]&dir=ASC&save=1
[3] SQL Injection
Possible damage: Low
Probability of occurrence: High
Resulting threat: Low
HTTP method: GET
Vulnerability description:
Mantis is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.
This vulnerability can be successfully exploited by any anonymous
user.
As SQL can only be injected after the ORDER BY clause, it is very
unlikely that this vulnerability can be exploited to do harmful
things. That is why the possible damage is rated as low.
Vulnerable GET Parameter: sort
Proof of Concept (GET request):
[path_to_mantis]/view_all_set.php?sort=priority[SQL]
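The three SQL injection issues above share one root cause: the "sort" and "dir" values become SQL identifiers in an ORDER BY clause, and "prefix" becomes a LIKE pattern, without validation. The following is an added example (not Mantis code) of the hardened form: identifiers are checked against a fixed allow-list because they cannot be bound as prepared-statement parameters, while the prefix is bound as data. The column names, table name and the in-memory SQLite setup are assumptions for illustration.

```php
<?php
// Hardened query construction for the sort / dir / prefix parameters.
// Identifiers are validated against an allow-list; data values are bound.

const ALLOWED_SORT = ['username', 'realname', 'email', 'access_level', 'last_visit'];
const ALLOWED_DIR  = ['ASC', 'DESC'];

function build_user_query(string $sort, string $dir, string $prefix): array
{
    if (!in_array($sort, ALLOWED_SORT, true)) {
        throw new InvalidArgumentException("sort column not permitted: $sort");
    }
    $dir = strtoupper($dir);
    if (!in_array($dir, ALLOWED_DIR, true)) {
        throw new InvalidArgumentException("sort direction not permitted: $dir");
    }
    // Escape LIKE metacharacters so a prefix of "%" or "_" does not match everything.
    $like = addcslashes($prefix, '%_\\') . '%';
    // $sort and $dir come only from the allow-list; the prefix is a bound value.
    $sql  = "SELECT username, email FROM mantis_user_table "
          . "WHERE username LIKE :prefix ESCAPE '\\' ORDER BY $sort $dir";
    return [$sql, [':prefix' => $like]];
}

// Demonstration against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE mantis_user_table (username TEXT, email TEXT)");
$pdo->exec("INSERT INTO mantis_user_table VALUES ('alice','a@x'),('bob','b@x'),('administrator','root@x')");

[$sql, $params] = build_user_query('username', 'asc', 'a');
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));   // administrator, alice

// Values outside the allow-list are rejected before any SQL is built.
foreach ([['username --', 'ASC', 'a'], ['username', 'ASC,1', 'a']] as [$s, $d, $p]) {
    try { build_user_query($s, $d, $p); }
    catch (InvalidArgumentException $e) { echo "rejected: " . $e->getMessage() . "\n"; }
}

// A prefix containing a quote is harmless: it is only a LIKE pattern, so no row matches.
[$sql, $params] = build_user_query('username', 'ASC', "A'");
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
var_dump(count($stmt->fetchAll()));            // int(0)
```

The allow-list must be maintained next to the table schema; an application that lets the user pick a column should map a short token to the column name rather than accept the column name itself.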
[4] Cross Site Scripting
Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low
HTTP method: GET
XSS type: non-persistent
Vulnerability description:
The "view_type" parameter is prone to cross-site scripting attacks.
This could permit remote attackers to create a malicious link to a
vulnerable PHP script that includes hostile client-side script code
or HTML. If this link is visited, the attacker-supplied code may be
rendered in the browser of the user who visits the malicious link.
This vulnerability can be successfully exploited by any anonymous
user.
Vulnerable GET parameter: view_type
Proof of Concept:
[path_to_mantis]/view_filters_page.php?target_field=reporter_id[]&view_type=">
[5] Cross Site Scripting
Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low
HTTP method: GET
XSS type: non-persistent
Vulnerability description:
The "target_field" parameter is prone to cross-site scripting
attacks. This could permit remote attackers to create a malicious
link to a vulnerable PHP script that includes hostile client-side
script code or HTML. If this link is visited, the attacker-supplied
code may be rendered in the browser of the user who visits the
malicious link.
This vulnerability can be successfully exploited by any anonymous
user.
Vulnerable GET parameter: target_field
Proof of Concept:
[path_to_mantis]/view_filters_page.php?target_field=">
[6] HTTP Header CRLF Injection
Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low
HTTP method: GET
Vulnerability description:
There is no input validation performed on user data passed to the
"return" parameter of the application. As a result, malicious users
may embed CR/LF sequences to inject additional headers into
outgoing messages.
This vulnerability can be successfully exploited by any anonymous
user.
Vulnerable GET parameter: return
Proof of Concept:
[path_to_mantis]/login_cookie_test.php?return=%0d%0aLocation:%20http://www.google.com
[7] HTTP Header CRLF Injection
Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low
HTTP method: POST
Vulnerability description:
There is no input validation performed on user data passed to the
"ref" parameter of the application. As a result, malicious users
may embed CR/LF sequences to inject additional headers into
outgoing messages.
This vulnerability can be successfully exploited by any anonymous
user.
URL with vulnerable POST parameter:
[path_to_mantis]/login_select_proj_page.php?ref=bug_report_page.php
Vulnerable POST parameter: ref
Proof of Concept (POST request):
POST [path_to_mantis]/set_project.php HTTP/1.0
[...]
ref=%0d%0aLocation:%20http://www.google.com&project_id=1
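Both CRLF issues ([6] and [7]) stem from a caller-supplied page name being copied into a Location header. The following is an added example (not Mantis code) of a validating wrapper for such a "return" / "ref" value. The policy it enforces is an assumption: only a relative page name of this application with an optional query string, no control characters, no scheme or host, and a fixed fallback page.

```php
<?php
// Validate a redirect target before it reaches header('Location: ...').

function safe_return_target(?string $candidate, string $fallback = 'main_page.php'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // $_GET values arrive decoded, but a doubly encoded value must not survive
    // either, so check both the raw and the decoded form for control characters
    // (CR and LF end the header line; NUL and friends are never legitimate).
    $decoded = rawurldecode($candidate);
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate . $decoded)) {
        return $fallback;
    }
    // Reject absolute URLs, protocol-relative URLs and backslashes; this also
    // closes the open redirect shown in the advisory's proof of concept.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate)
        || str_starts_with($candidate, '//') || str_contains($candidate, '\\')) {
        return $fallback;
    }
    // Only "name.php" with an optional simple query string.
    if (!preg_match('/^[A-Za-z0-9_]+\.php(\?[A-Za-z0-9_=&%.-]*)?$/', $candidate)) {
        return $fallback;
    }
    return $candidate;
}

function redirect_to(?string $target): void
{
    header('Location: ' . safe_return_target($target));
    exit;
}

// Self-check with constructed inputs; run from the CLI, nothing is sent.
$cases = [
    'bug_report_page.php'                     => 'bug_report_page.php',
    'view.php?id=1'                           => 'view.php?id=1',
    '%0d%0aLocation:%20http://www.google.com' => 'main_page.php',
    "\r\nSet-Cookie: x=y"                     => 'main_page.php',
    'http://www.google.com'                   => 'main_page.php',
    '//example.net/'                          => 'main_page.php',
];
foreach ($cases as $in => $want) {
    $got = safe_return_target($in);
    printf("%-45s -> %-20s %s\n", json_encode($in), $got, $got === $want ? 'OK' : 'MISMATCH');
}
```

PHP 5.1.2 and later refuse a header() value that contains a newline, which blocks the raw injection on current runtimes; validating the target is still needed because the same parameter otherwise allows redirecting users to an arbitrary external site.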
[8] Upload files with arbitrary size
Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low
HTTP method: POST
Vulnerability description:
When the upload functionality is activated (see config_inc.php),
it is possible to upload files of arbitrary size.
Normally uploaded files have a maximum size of 2,000k. This is
enforced by the form-data parameter 'name="max_file_size"'. It is
possible to manipulate this parameter to an arbitrary value. As the
file is uploaded directly into the database, it is possible to fill
the available disk space of the database and cause a denial of
service.
This vulnerability can be successfully exploited by any anonymous
user.
URL with vulnerable POST form:
[path_to_mantis]/view.php?id=1
Vulnerable POST request:
POST [path_to_mantis]/bug_file_add.php HTTP/1.1
[...]
-----------------------------263932646429032
Content-Disposition: form-data; name="bug_id"
1
-----------------------------263932646429032
Content-Disposition: form-data; name="max_file_size"
2000000 <--- this value can be easily modified
[...]
Other URLs with vulnerable upload feature:
[path_to_mantis]/bug_report.php
[path_to_mantis]/bug_report_advanced_page.php
[path_to_mantis]/proj_doc_add_page.php
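The max_file_size form field shown above is a hint the browser may honour; it is never a limit the server can rely on. The following is an added example (not Mantis code) of enforcing the attachment limit on the server from the size of the temporary file PHP wrote. The limit constant, the $_FILES field layout and the constructed temporary files are assumptions for illustration.

```php
<?php
// Server-side enforcement of the upload size limit.

const MAX_UPLOAD_BYTES = 2000000;   // the "2,000k" limit the advisory mentions (assumed value)

function check_upload_size(array $file, int $max_bytes = MAX_UPLOAD_BYTES): array
{
    // PHP reports files it already refused (upload_max_filesize in php.ini,
    // or a MAX_FILE_SIZE field) as UPLOAD_ERR_INI_SIZE / UPLOAD_ERR_FORM_SIZE;
    // treat every status other than UPLOAD_ERR_OK as a rejection.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return [false, "upload rejected by PHP, error code $err"];
    }
    // Do not derive the limit from $_POST['max_file_size']: it is client-controlled.
    // The on-disk size of the temporary file is what actually reached the server.
    $tmp    = $file['tmp_name'] ?? null;
    $actual = is_string($tmp) && is_file($tmp) ? filesize($tmp) : false;
    if ($actual === false) {
        return [false, 'temporary file missing'];
    }
    if ($actual > $max_bytes) {
        return [false, "file is $actual bytes, limit is $max_bytes"];
    }
    return [true, "accepted $actual bytes"];
}

// In a real handler, also require is_uploaded_file($file['tmp_name']) before
// reading the file. That check is omitted here so the self-check runs from the
// CLI with two constructed temporary files, one inside and one over the limit.
$small = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($small, str_repeat('a', 1024));
$large = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($large, str_repeat('a', MAX_UPLOAD_BYTES + 1));

foreach ([$small, $large] as $tmp) {
    [$ok, $why] = check_upload_size(['tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK]);
    echo ($ok ? 'ACCEPT' : 'REJECT') . ": $why\n";   // ACCEPT: 1024 bytes, then REJECT
    unlink($tmp);
}
```

Set upload_max_filesize and post_max_size in php.ini to the same bound so an oversized request body is discarded by PHP before the script runs, rather than being buffered to disk first.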
=========
Solution:
=========
Upgrade to Mantis 0.19.4 / 1.0.0rc4 or newer.
http://www.mantisbt.org/download.php
========
History:
========
2005/11/04 - Vendor notified
2005/11/06 - Vendor response
2005/11/13 - Contacted vendor regarding status report
2005/12/18 - Release of new Mantis version
2005/12/23 - Public release
========
Credits:
========
Vulnerabilities found and advisory written by Tobias Klein.
===========
References:
===========
[1] http://www.trapkit.de/advisories/TKADV2005-11-002.txt
[2] http://www.trapkit.de/advisories/TKADVcortav.txt
========
Changes:
========
Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release
===========
Disclaimer:
===========
The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.
The copyright for any material created by the author is reserved. Any
duplication of codes or texts provided here in electronic or printed
publications is not permitted without the author's agreement.
==================
PGP Signature Key:
==================
http://www.trapkit.de/advisories/tk-advisories-signature-key.asc
Copyright 2005 Tobias Klein. All rights reserved.