[arch-security] [Arch Linux Security Advisory ASA-201412-6] mantisbt: multiple issues
anthraxx at archlinux.org
Mon Dec 8 15:14:12 UTC 2014
Arch Linux Security Advisory ASA-201412-6
Date : 2014-12-08
CVE-ID : CVE-2014-9272 CVE-2014-9270 CVE-2014-8987 CVE-2014-9271
CVE-2014-9281 CVE-2014-8986 CVE-2014-9269 CVE-2014-9280
CVE-2014-9089 CVE-2014-9279 CVE-2014-8988 CVE-2014-8553
CVE-2014-6387 CVE-2014-6316 CVE-2014-9117
Package : mantisbt
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
The package mantisbt before version 1.2.18-1 is suffering from multiple
issues including but not limited to code execution, sql injection,
authentication bypass, cross-site scripting and information disclosure.
Upgrade to 1.2.18-1.
# pacman -Syu "mantisbt>=1.2.18-1"
The problems have been fixed upstream in version 1.2.18.
- CVE-2014-9272 (cross-side scripting)
The function "string_insert_hrefs" doesn't validate the protocol, which
- CVE-2014-9270 (cross-side scripting)
The Projax library does not properly escape html strings. An attacker
could take advantage of this to perform an XSS attack using the
- CVE-2014-8987 (cross-side scripting)
The MantisBT Configuration Report page (adm_config_report.php) did not
escape a parameter before displaying it on the page, allowing an
- CVE-2014-9271 (cross-side scripting)
It's possible to upload Flash files and make open them inline by using
becomes a persistent XSS.
- CVE-2014-9281 (cross-side scripting)
A missing sanity check in copy_field.php is leading to a reflected XSS
vulnerability which could be exploited f.e. by the dest_id parameter.
- CVE-2014-8986 (cross-side scripting)
Cross-site scripting (XSS) vulnerability in the selection list in the
filters in the Configuration Report page (adm_config_report.php) allows
remote administrators to inject arbitrary web script or HTML via a
crafted config option.
- CVE-2014-9269 (cross-side scripting)
Extended project browser allows projects to be passed in as A;B.
helper_get_current_project() and helper_get_current_project_trace() then
explodes the string by ';' and doesn't check that A is an int
(representing a project/sub-project id).
Finally, print_extended_project_browser() prints the result of the split
- CVE-2014-9280 (code execution)
PHP Object Injection in filter API in the function
current_user_get_bug_filter (core\current_user_api.php line 212). The
code loads a variable from $_GET['filter']/$_POST['filter'] and if it's
not numeric, feeds it straight into unserialize() on line 223.
The current_user_get_bug_filter function is called in 10 places, easiest
is just to access /view_filters_page.php.
A PoC initializing a class that's loaded could look like this:
- CVE-2014-9089 (sql injection)
Multiple SQL injection vulnerabilities in view_all_bug_page.php in
MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL
commands via the 'sort' or 'dir' parameter to view_all_set.php.
Both parameters are split into chunks on ','. After splitting, only the
first two values are validated. By supplying a third value, SQL
injection can be performed.
- CVE-2014-9279 (information disclosure)
Database credentials leak via unattended upgrade script will connect to
arbitrary host with the current DB config credentials. The unattended
upgrade script retrieved DB connection settings from POST parameters,
allowing an attacker to get the script to connect to their host with the
current DB config credentials.
- CVE-2014-8988 (information disclosure)
It is possible to bypass the $g_download_attachments_threshold and
$g_view_attachments_threshold restrictions and read attachments for
private projects by leveraging access to a project that does not
restrict access to attachments and a request to the download URL.
- CVE-2014-8553 (information disclosure)
No public information is available yet.
- CVE-2014-6387 (authentication bypass)
A flaw in gpc_api.php allows remote attackers to bypass authentication
via a password starting will a null byte, which triggers an
unauthenticated bind. A malicious user can exploit this vulnerability to
login as any registered user and without knowing their password, to
systems relying on LDAP for user authentication (e.g. Active Directory
or OpenLDAP with "allow bind_anon_cred").
- CVE-2014-6316 (cross-site redirection)
When Mantis is installed at the web server's root, $g_short_path is set
to '/'. string_sanitize_url() removes the trailing '/' from the short
path, which causes the URL to be incorrectly categorized as "type 2",
thus allowing cross-site redirection to occur.
- CVE-2014-9117 (captcha bypass)
MantisBT before 1.2.18 uses the public_key parameter value as the key to
the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA
protection mechanism by leveraging knowledge of a CAPTCHA answer for a
public_key parameter value, as demonstrated by E4652 for the public_key
A remote attacker is able to bypass the authentication, execute
arbitrary code, perform sql injection, steal sessions via cross-site
scripting or disclosure sensitive information.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the arch-security