[arch-security] [Arch Linux Security Advisory ASA-201412-6] mantisbt: multiple issues
Levente Polyak
anthraxx at archlinux.org
Mon Dec 8 15:14:12 UTC 2014
Arch Linux Security Advisory ASA-201412-6
=========================================
Severity: Critical
Date : 2014-12-08
CVE-ID : CVE-2014-9272 CVE-2014-9270 CVE-2014-8987 CVE-2014-9271
CVE-2014-9281 CVE-2014-8986 CVE-2014-9269 CVE-2014-9280
CVE-2014-9089 CVE-2014-9279 CVE-2014-8988 CVE-2014-8553
CVE-2014-6387 CVE-2014-6316 CVE-2014-9117
Package : mantisbt
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
Summary
=======
The package mantisbt before version 1.2.18-1 is suffering from multiple
issues including but not limited to code execution, sql injection,
authentication bypass, cross-site scripting and information disclosure.
Resolution
==========
Upgrade to 1.2.18-1.
# pacman -Syu "mantisbt>=1.2.18-1"
The problems have been fixed upstream in version 1.2.18.
Workaround
==========
None.
Description
===========
- CVE-2014-9272 (cross-side scripting)
The function "string_insert_hrefs" doesn't validate the protocol, which
is why one can make a link that executes arbitrary JavaScript code.
- CVE-2014-9270 (cross-side scripting)
The Projax library does not properly escape html strings. An attacker
could take advantage of this to perform an XSS attack using the
profile/Platform field.
- CVE-2014-8987 (cross-side scripting)
The MantisBT Configuration Report page (adm_config_report.php) did not
escape a parameter before displaying it on the page, allowing an
attacker to execute arbitrary JavaScript code.
- CVE-2014-9271 (cross-side scripting)
It's possible to upload Flash files and make open them inline by using
an image extension. Since Flash files can execute JavaScript this
becomes a persistent XSS.
- CVE-2014-9281 (cross-side scripting)
A missing sanity check in copy_field.php is leading to a reflected XSS
vulnerability which could be exploited f.e. by the dest_id parameter.
- CVE-2014-8986 (cross-side scripting)
Cross-site scripting (XSS) vulnerability in the selection list in the
filters in the Configuration Report page (adm_config_report.php) allows
remote administrators to inject arbitrary web script or HTML via a
crafted config option.
- CVE-2014-9269 (cross-side scripting)
Extended project browser allows projects to be passed in as A;B.
helper_get_current_project() and helper_get_current_project_trace() then
explodes the string by ';' and doesn't check that A is an int
(representing a project/sub-project id).
Finally, print_extended_project_browser() prints the result of the split
into a JavaScript array.
- CVE-2014-9280 (code execution)
PHP Object Injection in filter API in the function
current_user_get_bug_filter (core\current_user_api.php line 212). The
code loads a variable from $_GET['filter']/$_POST['filter'] and if it's
not numeric, feeds it straight into unserialize() on line 223.
The current_user_get_bug_filter function is called in 10 places, easiest
is just to access /view_filters_page.php.
A PoC initializing a class that's loaded could look like this:
/view_filters_page.php?filter=O:16:"MantisPHPSession":2:{s:2:"id";s:1:"1";s:3:"key";s:3:"wee";}
- CVE-2014-9089 (sql injection)
Multiple SQL injection vulnerabilities in view_all_bug_page.php in
MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL
commands via the 'sort' or 'dir' parameter to view_all_set.php.
Both parameters are split into chunks on ','. After splitting, only the
first two values are validated. By supplying a third value, SQL
injection can be performed.
- CVE-2014-9279 (information disclosure)
Database credentials leak via unattended upgrade script will connect to
arbitrary host with the current DB config credentials. The unattended
upgrade script retrieved DB connection settings from POST parameters,
allowing an attacker to get the script to connect to their host with the
current DB config credentials.
- CVE-2014-8988 (information disclosure)
It is possible to bypass the $g_download_attachments_threshold and
$g_view_attachments_threshold restrictions and read attachments for
private projects by leveraging access to a project that does not
restrict access to attachments and a request to the download URL.
- CVE-2014-8553 (information disclosure)
No public information is available yet.
- CVE-2014-6387 (authentication bypass)
A flaw in gpc_api.php allows remote attackers to bypass authentication
via a password starting will a null byte, which triggers an
unauthenticated bind. A malicious user can exploit this vulnerability to
login as any registered user and without knowing their password, to
systems relying on LDAP for user authentication (e.g. Active Directory
or OpenLDAP with "allow bind_anon_cred").
- CVE-2014-6316 (cross-site redirection)
When Mantis is installed at the web server's root, $g_short_path is set
to '/'. string_sanitize_url() removes the trailing '/' from the short
path, which causes the URL to be incorrectly categorized as "type 2",
thus allowing cross-site redirection to occur.
- CVE-2014-9117 (captcha bypass)
MantisBT before 1.2.18 uses the public_key parameter value as the key to
the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA
protection mechanism by leveraging knowledge of a CAPTCHA answer for a
public_key parameter value, as demonstrated by E4652 for the public_key
value 0.
Impact
======
A remote attacker is able to bypass the authentication, execute
arbitrary code, perform sql injection, steal sessions via cross-site
scripting or disclosure sensitive information.
References
==========
https://www.mantisbt.org/bugs/changelog_page.php?version_id=191
http://seclists.org/oss-sec/2014/q4/955
https://access.redhat.com/security/cve/CVE-2014-9272
https://www.mantisbt.org/bugs/view.php?id=17297
https://access.redhat.com/security/cve/CVE-2014-9270
https://www.mantisbt.org/bugs/view.php?id=17583
https://access.redhat.com/security/cve/CVE-2014-8987
https://www.mantisbt.org/bugs/view.php?id=17870
https://access.redhat.com/security/cve/CVE-2014-9271
https://www.mantisbt.org/bugs/view.php?id=17874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9281
https://www.mantisbt.org/bugs/view.php?id=17876
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8986
https://www.mantisbt.org/bugs/view.php?id=17889
https://access.redhat.com/security/cve/CVE-2014-9269
https://www.mantisbt.org/bugs/view.php?id=17890
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9280
https://www.mantisbt.org/bugs/view.php?id=17875
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9089
https://www.mantisbt.org/bugs/view.php?id=17841
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9279
https://www.mantisbt.org/bugs/view.php?id=17877
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8988
https://www.mantisbt.org/bugs/view.php?id=17742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8553
https://www.mantisbt.org/bugs/view.php?id=17243
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6387
https://www.mantisbt.org/bugs/view.php?id=17640
https://access.redhat.com/security/cve/CVE-2014-6316
https://www.mantisbt.org/bugs/view.php?id=17648
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9117
https://www.mantisbt.org/bugs/view.php?id=17811
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141208/52994eb2/attachment.bin>
More information about the arch-security
mailing list