MantisBT <1.2.4 multiple vulnerabilities (LFI, XSS and PD)

Bug #690482 reported by David Hicks
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Gentoo Linux
Fix Released
High
mantis (Debian)
Fix Released
Unknown
mantis (Fedora)
Fix Released
Medium
mantis (Ubuntu)
Low
Unassigned
Hardy
Low
Unassigned
Karmic
Low
Unassigned
Lucid
Low
Unassigned
Maverick
Low
Unassigned

Bug Description

Binary package hint: mantis

The MantisBT project was notified by Gjoko Krstic of Zero Science Lab
(<email address hidden>) of multiple vulnerabilities affecting MantisBT
<1.2.4.

The two following advisories have been released explaining the
vulnerabilities in greater detail:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php

As one of these vulnerabilities allows the reading of arbitrary files
from the file system we are treating this issue with critical severity.
Please note that this issue only affects users who have not removed the
"admin" directory from their MantisBT installation. We recommend,
instruct and warn users to remove this directory after installation
however it is clear that many users ignore these warnings.

I have requested CVE numbers via oss-sec (awaiting list moderation).

A bug report for this issue already exists in the Debian bug tracking system at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159

As Ubuntu is using MantisBT 1.1.x you will need to apply the following
patch to resolve the issue in this older version of MantisBT:
http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

We have also released MantisBT 1.2.4 which resolves the issue for users
of our stable 1.2.x branch.

The bug report tracking this issue upstream at MantisBT:
http://www.mantisbt.org/bugs/view.php?id=12607

If there are any questions or concerns please feel free to contact me.

Revision history for this message
In , David (david-redhat-bugs) wrote :

The MantisBT project was notified by Gjoko Krstic of Zero Science Lab
(<email address hidden>) of multiple vulnerabilities affecting MantisBT
<1.2.4.

The two following advisories have been released explaining the
vulnerabilities in greater detail:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php

As one of these vulnerabilities allows the reading of arbitrary files
from the file system we are treating this issue with critical severity.
Please note that this issue only affects users who have not removed the
"admin" directory from their MantisBT installation. We recommend,
instruct and warn users to remove this directory after installation
however it is clear that many users ignore these warnings.

I have requested CVE numbers via oss-sec (awaiting list moderation).

As Redhat is using MantisBT 1.1.x you will need to apply the following
patch to resolve the issue in this older version of MantisBT:
http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

We have also released MantisBT 1.2.4 which resolves the issue for users
of our stable 1.2.x branch.

The bug report tracking this issue upstream at MantisBT:
http://www.mantisbt.org/bugs/view.php?id=12607

If there are any questions or concerns please feel free to contact me.

Revision history for this message
In , David Hicks (dhx) wrote :

The MantisBT project was notified by Gjoko Krstic of Zero Science Lab
(<email address hidden>) of multiple vulnerabilities affecting MantisBT
<1.2.4.

The two following advisories have been released explaining the
vulnerabilities in greater detail:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php

As one of these vulnerabilities allows the reading of arbitrary files
from the file system we are treating this issue with critical severity.
Please note that this issue only affects users who have not removed the
"admin" directory from their MantisBT installation. We recommend,
instruct and warn users to remove this directory after installation
however it is clear that many users ignore these warnings.

I have requested CVE numbers via oss-sec (awaiting list moderation).

We have released MantisBT 1.2.4 which resolves the issue for users
of our stable 1.2.x branch. We do have a patch for MantisBT 1.1.x available in the repository as well, however this doesn't apply to Gentoo.

The bug report tracking this issue upstream at MantisBT:
http://www.mantisbt.org/bugs/view.php?id=12607

If there are any questions or concerns please feel free to contact me.

Reproducible: Always

Steps to Reproduce:

Revision history for this message
In , David Hicks (dhx) wrote :

Apologies for the oversight, Gentoo does still ship mantisbt-1.1.8.

The patch to apply to this version can be obtained through our repository at:
http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

Please note that MantisBT 1.1.x is not officially supported by the MantisBT project and is not recommended for use. We have made a significant number of security improvements in 1.2.x that aren't available in 1.1.x (not just bug fixes, but general architecture changes).

David Hicks (dhx)
visibility: private → public
Revision history for this message
Micah Gersten (micahg) wrote :

Marking all tasks Low -> Triaged per Ubuntu Security priorities since the admin directory is disabled in a default installation.

Changed in mantis (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Changed in mantis (Ubuntu Hardy):
importance: Undecided → Low
Changed in mantis (Ubuntu Karmic):
importance: Undecided → Low
status: New → Triaged
Changed in mantis (Ubuntu Hardy):
status: New → Triaged
Changed in mantis (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Low
Changed in mantis (Ubuntu Maverick):
importance: Undecided → Low
status: New → Triaged
Revision history for this message
In , Underling (underling) wrote :

(In reply to comment #0)
>
> If there are any questions or concerns please feel free to contact me.
>

Thank you for the report, David.

Revision history for this message
In , Jan (jan-redhat-bugs) wrote :

(In reply to comment #0)
Hi David,

  thank you for such a complete report.

>
> I have requested CVE numbers via oss-sec (awaiting list moderation).

  Looks like the CVE identifiers request did not made it to oss-security
yet.

To Gianluca: We will update this bug with CVE identifiers later, once
they are assigned to the issues. Could you please schedule Fedora MantisBT
updates with the patch below? (Fedora bug will follow shortly)

>
> As Redhat is using MantisBT 1.1.x you will need to apply the following
> patch to resolve the issue in this older version of MantisBT:
> http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Revision history for this message
In , Jan (jan-redhat-bugs) wrote :

These issues affect the versions of the mantis package, as shipped
with Fedora release of 13 and 14.

These issues affect the version of the mantis package, as present
within EPEL-5 repository.

Please schedule an update (patch is above).

Revision history for this message
In , Jan (jan-redhat-bugs) wrote :

Public PoCs (from http://www.mantisbt.org/bugs/view.php?id=12607):

1), cross-site scripting (XSS):
    http://[mantis_root_host]/admin/upgrade_unattended.php?db_type=%3Cscript%3Ealert%281%29%3C/script%3E

2), local file inclusion (LFI):
    http://[mantis_root_host]/admin/upgrade_unattended.php?db_type=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00

3), path disclosure (PD):
    http://[mantis_root_host]/admin/upgrade_unattended.php?db_type=%27

Revision history for this message
In , Jan (jan-redhat-bugs) wrote :

Created mantis tracking bugs for this issue

Affects: fedora-all [bug 663299]

Revision history for this message
In , Gianluca (gianluca-redhat-bugs) wrote :

I guess it's relevant to note the default apache configuration provided with the mantis package includes the following.

# Admin directory access is disabled by default; do not change this unless
# you are performing the first installation or a database schema update.
# See README.Fedora for more details
<Directory /usr/share/mantis/admin>
 Order Deny,Allow
 Deny from All
 Allow from None
</Directory>

Revision history for this message
In , David (david-redhat-bugs) wrote :

Thanks Jan & Gianluca.

Debian (and by extension Ubuntu) use the same Apache configuration to help protect the /admin/ directory. As a result they have decided that the severity of the bug is not as high as first anticipated by upstream.

I guess it comes down to whether a typical user of this package will keep the /admin/ directory permissions in a locked down state.

This issue is more of a concern for Gentoo (and MantisBT users using the upstream package) where the /admin/ directory permissions are not in place.

Revision history for this message
David Hicks (dhx) wrote :

CVE-2010-4348: Cross site scripting
CVE-2010-4349: Path disclosure
CVE-2010-4350: Local file inclusion

Revision history for this message
In , David Hicks (dhx) wrote :

CVE-2010-4348: Cross site scripting
CVE-2010-4349: Path disclosure
CVE-2010-4350: Local file inclusion

Revision history for this message
In , David (david-redhat-bugs) wrote :

From Josh Bressers (oss-sec mailing list):

CVE-2010-4348: Cross site scripting
CVE-2010-4349: Path disclosure
CVE-2010-4350: Local file inclusion

Revision history for this message
In , Jan (jan-redhat-bugs) wrote :

Gianluca, David, thank you for the comments:
https://bugzilla.redhat.com/show_bug.cgi?id=663230#c5
https://bugzilla.redhat.com/show_bug.cgi?id=663230#c6

(In reply to comment #5)
> I guess it's relevant to note the default apache configuration provided with
> the mantis package includes the following.
>
>
> # Admin directory access is disabled by default; do not change this unless
> # you are performing the first installation or a database schema update.
> # See README.Fedora for more details

Based on the above comments decreased severity of the issues
to moderate. But we should still address them (to sanitize /
protect also not so likely configurations).

Revision history for this message
In , pva (pva) wrote :

Thank you David. New version was just added to the tree and I've dropped old, vulnerable versions. Arch teams, please, stabilize www-apps/mantisbt-1.2.4.

Revision history for this message
In , Alex Legler (a3li) wrote :

Rerating B2.

Revision history for this message
In , J-ago (j-ago) wrote :

amd64 ok

Revision history for this message
In , Markos Chandras (hwoarang) wrote :

amd64 done. Thanks Agostino

Revision history for this message
In , Phajdan-jr (phajdan-jr) wrote :

x86 stable

Changed in gentoo:
status: Unknown → In Progress
Changed in mantis (Debian):
status: Unknown → Confirmed
Revision history for this message
In , Xarthisius (xarthisius) wrote :

ppc stable, last arch done

Revision history for this message
In , Underling (underling) wrote :

Thanks, folks. GLSA request filed.

Changed in gentoo:
importance: Unknown → High
Revision history for this message
In , Gianluca (gianluca-redhat-bugs) wrote :

This was fixed in 1.1.8-5

Revision history for this message
In , Glsamaker (glsamaker) wrote :

CVE-2010-4350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4350):
  Directory traversal vulnerability in admin/upgrade_unattended.php in
  MantisBT before 1.2.4 allows remote attackers to include and execute
  arbitrary local files via a .. (dot dot) in the db_type parameter, related
  to an unsafe call by MantisBT to a function in the ADOdb Library for PHP.

CVE-2010-4349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4349):
  admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote
  attackers to obtain sensitive information via an invalid db_type parameter,
  which reveals the installation path in an error message, related to an
  unsafe call by MantisBT to a function in the ADOdb Library for PHP.

CVE-2010-4348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4348):
  Cross-site scripting (XSS) vulnerability in admin/upgrade_unattended.php in
  MantisBT before 1.2.4 allows remote attackers to inject arbitrary web script
  or HTML via the db_type parameter, related to an unsafe call by MantisBT to
  a function in the ADOdb Library for PHP.

Revision history for this message
In , Glsamaker (glsamaker) wrote :

CVE-2010-3763 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3763):
  Cross-site scripting (XSS) vulnerability in core/summary_api.php in MantisBT
  before 1.2.3 allows remote attackers to inject arbitrary web script or HTML
  via the Summary field, a different vector than CVE-2010-3303.

CVE-2010-3303 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3303):
  Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.3
  allow remote authenticated administrators to inject arbitrary web script or
  HTML via (1) a plugin name, related to manage_plugin_uninstall.php; (2) an
  enumeration value or (3) a String value of a custom field, related to
  core/cfdefs/cfdef_standard.php; or a (4) project or (5) category name to
  print_all_bug_page_word.php.

Changed in mantis (Debian):
status: Confirmed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in mantis (Ubuntu Karmic):
status: Triaged → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in mantis (Ubuntu Maverick):
status: Triaged → Won't Fix
Revision history for this message
In , Glsamaker (glsamaker) wrote :

This issue was resolved and addressed in
 GLSA 201211-01 at http://security.gentoo.org/glsa/glsa-201211-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).

Changed in gentoo:
status: In Progress → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. hardy has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against hardy is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in mantis (Ubuntu Hardy):
status: Triaged → Won't Fix
Revision history for this message
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in mantis (Ubuntu Lucid):
status: Triaged → Won't Fix
Changed in mantis (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.