Date: Fri, 9 Sep 2011 14:44:15 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: calderon@...sec.mx, advisory@...ridge.ch, developer discussions <mantisbt-dev@...ts.sourceforge.net>, coley <coley@...re.org>
Subject: Re: CVE requests: <mantisbt-1.2.8 multiple vulnerabilities (1xLFI+XSS, 2xXSS)

Sorry this took so long.

----- Original Message -----
> Request #1: XSS injection via PHP_SELF
>
> Paulino Calderon from Websec reported an issue against MantisBT 1.2.6
> whereby an attacker could craft URLs such that arbitrary HTML could be
> inserted into page output. Users running MantisBT on a vanilla nginx
> installation are unaffected because nginx will check to see whether the
> full URL path exists and is valid (with an XSS injection string, it won't
> be). Other web servers such as Apache won't perform these stringent
> checks, and therefore MantisBT is vulnerable to this attack when
> running on an Apache server. This attack does not require users to be
> authenticated or logged into a MantisBT installation to be impacted by
> this vulnerability.
>
> The same issue was identified by High-Tech Bridge Security Research Lab
> with their advisory #HTB23045 available at . Paul Richards (MantisBT
> developer) also discovered this issue during a routine audit.
>
> MantisBT bug reports with full details (including patches) are available
> at  and .

Please use CVE-2011-3356 for the above.

> Request #2: LFI and XSS via bug_actiongroup_ext_page.php
>
> High-Tech Bridge Security Research Lab reported an issue against MantisBT
> 1.2.7 whereby an attacker could include local system files via a
> directory traversal/local file inclusion vulnerability in
> bug_actiongroup_ext_page.php.
>
> Web server and/or PHP and/or operating system configuration will dictate
> whether this vulnerability can be exploited. MantisBT will prepend
> "bug_actiongroup_" prior to the attacker-supplied path. A suffix is
> appended, but can be stripped off using a null character (%00). Some
> environments (at least nginx and php-fpm 5.3) do not allow directory
> traversal from a file or invalid path/file. Other environments do allow
> directory traversal from file names (even invalid ones), for instance:
> "bug_actiongroup_page.php/../private_file" or
> "bug_actiongroup_/../private_file".
>
> This vulnerability can also allow an attacker to perform an XSS attack
> (no login/session required with the MantisBT attacker) if PHP is
> configured to display error messages. The error message from the
> require_once() call is not sanitised by PHP prior to displaying it to the
> user. Best (and therefore common) practice is to not display PHP error
> messages to the end user, severely limiting the applicability of this
> attack.
>
> Full details and patches are available at .

Please use CVE-2011-3357 for the above.

> Request #3: XSS issues with unescaped os, os_build and platform
> parameters on bug_report_page.php and bug_update_advanced_page.php
>
> High-Tech Bridge Security Research Lab reported an issue against MantisBT
> 1.2.7 whereby an attacker could perform an XSS attack on users with
> access to either bug_report_page.php or bug_update_advanced_page.php. In
> default and typical MantisBT installations, this is limited to users that
> are currently logged in.
>
> The cause of this problem is with the use of the ancient Projax library
> (available at ) in the 1.2.x branch of MantisBT. Projax does not
> escape value attributes when printing input form elements. In some
> respects, this issue is also a bug with Projax; however, it may be a case
> that users of this library are expected to provide values that are
> already sanitised. MantisBT 1.3.x (master branch) uses jQuery instead of
> Projax and is therefore not impacted by this vulnerability.
>
> Full details and patches are available at .

Please use CVE-2011-3358 for the above.

>
> Additional information:
>
> A new release (mantisbt-1.2.8) is being put together and will be
> available shortly to download from mantisbt.org to resolve these 3
> vulnerabilities. Announcements will be made to
> mantisbt-announce@...ts.sourceforge.net, mantisbt.org/blog, #mantishelp
> on irc.freenode.net and other usual channels. Major Linux distributions
> shipping mantisbt-1.2.x will also be informed.
>
> With thanks to: Paulino Calderon (Websec), High-Tech Bridge Security
> Research Lab, Paul Richards (MantisBT)
>
> References:
>
> https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
> http://www.mantisbt.org/bugs/view.php?id=13191
> http://www.mantisbt.org/bugs/view.php?id=13281
> http://www.ngcoders.com/projax/
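As an added illustration (not MantisBT's code or the patches in the linked bug reports), the following PHP sketches the unsafe include-path and output-escaping shapes behind the three requests above, each beside a hardened counterpart; the action names, directory layout and helper names are assumptions.

```php
<?php
// Added illustration, not MantisBT code: the include-path and output-escaping
// patterns behind the three requests above, each beside a hardened version.
// Action names, directory layout and helper names are assumptions.

// Request #2 (assumed vulnerable shape): user input is spliced into the include
// path, so "../" segments and a trailing "\0" reach require_once() unchecked.
function include_path_unsafe(string $action): string
{
    return 'bug_actiongroup_' . $action . '_inc.php';
}

// Hardened: accept only a name from a fixed allowlist, then confirm the
// resolved file really lives under $base_dir before it is ever included.
function include_path_safe(string $action, string $base_dir): ?string
{
    static $allowed = ['add_note', 'assign', 'update_priority']; // assumed names
    if (!in_array($action, $allowed, true)) {
        return null; // unknown, traversal-laden or NUL-terminated value: refuse
    }
    $root = realpath($base_dir);
    $path = realpath($base_dir . '/bug_actiongroup_' . $action . '_inc.php');
    // realpath() returns false for missing files and collapses ".." segments,
    // so anything that does not resolve beneath $root is rejected here.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Requests #1 and #3: request-derived strings written into HTML unescaped,
// e.g. '<form action="' . $_SERVER['PHP_SELF'] . '">' (under Apache, PHP_SELF
// reflects the request path) or '<input value="' . $os . '">' via Projax.
// Hardened: escape for the HTML attribute context before concatenating.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function form_action_safe(): string
{
    return '<form action="' . attr($_SERVER['PHP_SELF']) . '">';
}

// Constructed inputs (not from the advisory) exercising the checks.
var_dump(include_path_safe("page.php/../private_file\0", __DIR__)); // NULL
var_dump(include_path_safe('assign', __DIR__)); // NULL unless the file exists
echo attr('"><b>') . "\n";                      // &quot;&gt;&lt;b&gt;
```

The allowlist check runs before any filesystem call, so a value carrying a NUL byte never reaches realpath() or require_once().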