Arch Linux Security Advisory ASA-201412-6 ========================================= Severity: Critical Date : 2014-12-08 CVE-ID : CVE-2014-9272 CVE-2014-9270 CVE-2014-8987 CVE-2014-9271 CVE-2014-9281 CVE-2014-8986 CVE-2014-9269 CVE-2014-9280 CVE-2014-9089 CVE-2014-9279 CVE-2014-8988 CVE-2014-8553 CVE-2014-6387 CVE-2014-6316 CVE-2014-9117 Package : mantisbt Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package mantisbt before version 1.2.18-1 is suffering from multiple issues including but not limited to code execution, sql injection, authentication bypass, cross-site scripting and information disclosure. Resolution ========== Upgrade to 1.2.18-1. # pacman -Syu "mantisbt>=1.2.18-1" The problems have been fixed upstream in version 1.2.18. Workaround ========== None. Description =========== - CVE-2014-9272 (cross-side scripting) The function "string_insert_hrefs" doesn't validate the protocol, which is why one can make a link that executes arbitrary JavaScript code. - CVE-2014-9270 (cross-side scripting) The Projax library does not properly escape html strings. An attacker could take advantage of this to perform an XSS attack using the profile/Platform field. - CVE-2014-8987 (cross-side scripting) The MantisBT Configuration Report page (adm_config_report.php) did not escape a parameter before displaying it on the page, allowing an attacker to execute arbitrary JavaScript code. - CVE-2014-9271 (cross-side scripting) It's possible to upload Flash files and make open them inline by using an image extension. Since Flash files can execute JavaScript this becomes a persistent XSS. - CVE-2014-9281 (cross-side scripting) A missing sanity check in copy_field.php is leading to a reflected XSS vulnerability which could be exploited f.e. by the dest_id parameter. - CVE-2014-8986 (cross-side scripting) Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) allows remote administrators to inject arbitrary web script or HTML via a crafted config option. - CVE-2014-9269 (cross-side scripting) Extended project browser allows projects to be passed in as A;B. helper_get_current_project() and helper_get_current_project_trace() then explodes the string by ';' and doesn't check that A is an int (representing a project/sub-project id). Finally, print_extended_project_browser() prints the result of the split into a JavaScript array. - CVE-2014-9280 (code execution) PHP Object Injection in filter API in the function current_user_get_bug_filter (core\current_user_api.php line 212). The code loads a variable from $_GET['filter']/$_POST['filter'] and if it's not numeric, feeds it straight into unserialize() on line 223. The current_user_get_bug_filter function is called in 10 places, easiest is just to access /view_filters_page.php. A PoC initializing a class that's loaded could look like this: /view_filters_page.php?filter=O:16:"MantisPHPSession":2:{s:2:"id";s:1:"1";s:3:"key";s:3:"wee";} - CVE-2014-9089 (sql injection) Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL commands via the 'sort' or 'dir' parameter to view_all_set.php. Both parameters are split into chunks on ','. After splitting, only the first two values are validated. By supplying a third value, SQL injection can be performed. - CVE-2014-9279 (information disclosure) Database credentials leak via unattended upgrade script will connect to arbitrary host with the current DB config credentials. The unattended upgrade script retrieved DB connection settings from POST parameters, allowing an attacker to get the script to connect to their host with the current DB config credentials. - CVE-2014-8988 (information disclosure) It is possible to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL. - CVE-2014-8553 (information disclosure) No public information is available yet. - CVE-2014-6387 (authentication bypass) A flaw in gpc_api.php allows remote attackers to bypass authentication via a password starting will a null byte, which triggers an unauthenticated bind. A malicious user can exploit this vulnerability to login as any registered user and without knowing their password, to systems relying on LDAP for user authentication (e.g. Active Directory or OpenLDAP with "allow bind_anon_cred"). - CVE-2014-6316 (cross-site redirection) When Mantis is installed at the web server's root, $g_short_path is set to '/'. string_sanitize_url() removes the trailing '/' from the short path, which causes the URL to be incorrectly categorized as "type 2", thus allowing cross-site redirection to occur. - CVE-2014-9117 (captcha bypass) MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0. Impact ====== A remote attacker is able to bypass the authentication, execute arbitrary code, perform sql injection, steal sessions via cross-site scripting or disclosure sensitive information. References ========== https://www.mantisbt.org/bugs/changelog_page.php?version_id=191 http://seclists.org/oss-sec/2014/q4/955 https://access.redhat.com/security/cve/CVE-2014-9272 https://www.mantisbt.org/bugs/view.php?id=17297 https://access.redhat.com/security/cve/CVE-2014-9270 https://www.mantisbt.org/bugs/view.php?id=17583 https://access.redhat.com/security/cve/CVE-2014-8987 https://www.mantisbt.org/bugs/view.php?id=17870 https://access.redhat.com/security/cve/CVE-2014-9271 https://www.mantisbt.org/bugs/view.php?id=17874 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9281 https://www.mantisbt.org/bugs/view.php?id=17876 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8986 https://www.mantisbt.org/bugs/view.php?id=17889 https://access.redhat.com/security/cve/CVE-2014-9269 https://www.mantisbt.org/bugs/view.php?id=17890 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9280 https://www.mantisbt.org/bugs/view.php?id=17875 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9089 https://www.mantisbt.org/bugs/view.php?id=17841 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9279 https://www.mantisbt.org/bugs/view.php?id=17877 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8988 https://www.mantisbt.org/bugs/view.php?id=17742 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8553 https://www.mantisbt.org/bugs/view.php?id=17243 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6387 https://www.mantisbt.org/bugs/view.php?id=17640 https://access.redhat.com/security/cve/CVE-2014-6316 https://www.mantisbt.org/bugs/view.php?id=17648 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9117 https://www.mantisbt.org/bugs/view.php?id=17811