Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 04 Sep 2011 15:18:43 +1000
From: David Hicks <d@...id.au>
To: oss-security@...ts.openwall.com
Cc: calderon@...sec.mx, advisory@...ridge.ch, developer discussions
	 <mantisbt-dev@...ts.sourceforge.net>
Subject: CVE requests: <mantisbt-1.2.8 multiple vulnerabilities (1xLFI+XSS,
 2xXSS)

Request #1: XSS injection via PHP_SELF

Paulino Calderon from Websec reported an issue [2] against MantisBT
1.2.6 whereby an attacker could craft URLs such that arbitrary HTML
could be inserted into page output. Users running MantisBT on a vanilla
nginx installation are unaffected because nginx will check to see
whether the full URL path exists and is valid (with an XSS injection
string, it won't be). Other web servers such as Apache won't perform
these stringent checks and are therefore MantisBT is vulnerable to this
attack when running on an Apache server. This attack does not require
users to be authenticated or logged into a MantisBT installation to be
impacted by this vulnerability.

The same issue was identified by High-Tech Bridge Security Research Lab
with their advisory #HTB23045 available at [1]. Paul Richards (MantisBT
developer) also discovered this issue during a routine audit.

MantisBT bug reports with full details (including patches) are available
at [2] and [3].




Request #2: LFI and XSS via bug_actiongroup_ext_page.php

High-Tech Bridge Security Research Lab reported an issue against
MantisBT 1.2.7 whereby an attacker could include local system files via
a directory traversal/local file inclusion vulnerability in
bug_actiongroup_ext_page.php.

Web server and/or PHP and/or operating system configuration will dictate
whether this vulnerability can be exploited. MantisBT will prepend
"bug_actiongroup_" prior to the attacker-supplied path. A suffix is
appended, but can be stripped off using a null character (%00). Some
environments (at least nginx and php-fpm 5.3) do not allow directory
traversal from a file or invalid path/file. Other environments do allow
directory traversal from file names (even invalid ones), for instance:
"bug_actiongroup_page.php/../private_file" or
"bug_actiongroup_/../private_file".

This vulnerability can also allow an attacker to perform an XSS attack
(no login/session required with the MantisBT attacker) if PHP is
configured to display error messages. The error message from the
require_once() call is not sanitised by PHP prior to displaying it to
the user. Best (and therefore common) practice is to not display PHP
error messages to the end user, severely limiting the applicability of
this attack.

Full details and patches are available at [3].




Request #3: XSS issues with unescaped os, os_build and platform
parameters on bug_report_page.php and bug_update_advanced_page.php

High-Tech Bridge Security Research Lab reported an issue against
MantisBT 1.2.7 whereby an attacker could perform an XSS attack on users
with access to either bug_report_page.php or
bug_update_advanced_page.php. In default and typical MantisBT
installations, this is limited to users that are currently logged in.

The cause of this problem is with the use of the ancient Projax library
(available at [4]) in the 1.2.x branch of MantisBT. Projax does not
escape value attributes when printing input form elements. In some
respects, this issue is also a bug with Projax however it may be a case
that users of this library are expected to provide values that are
already sanitised. MantisBT 1.3.x (master branch) uses jQuery instead of
Projax and is therefore not impacted by this vulnerability.

Full details and patches are available at [3].




Additional information:

A new release (mantisbt-1.2.8) is being put together and will be
available shortly to download from mantisbt.org to resolve these 3
vulnerabilities. Announcements will be made to
mantisbt-announce@...ts.sourceforge.net, mantisbt.org/blog, #mantishelp
on irc.freenode.net and other usual channels. Major Linux distributions
shipping mantisbt-1.2.x will also be informed.

With thanks to: Paulino Calderon (Websec), High-Tech Bridge Security
Research Lab, Paul Richards (MantisBT)




References:

[1]
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html

[2] http://www.mantisbt.org/bugs/view.php?id=13191

[3] http://www.mantisbt.org/bugs/view.php?id=13281

[4] http://www.ngcoders.com/projax/




Thanks,

David Hicks
MantisBT Developer
mantisbt.org, #mantishelp irc.freenode.net

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ