Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 16 Apr 2017 13:08:27 +0000
From: <7b4xrw+5q6jtt69cnwlw@...rrillamail.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: MantisBT - Full admin access vulnerability

A vulnerability exists in MantisBT where any users password can be reset:

Visiting /verify.php?id=XXX&confirm_hash=

where XXX is the userid of the user. id=1 is the default 'administrator' account if it still exists.

On a unpatched instance of mantisBT, this will provide a form to enter a new password for a user.

This works on any enabled account (including users with admin access) - providing an anonymous user with admin access to the system

The issue can be resolved by checking the value of $t_token_confirm_hash is not null in verify.php

i.e. changing the code to read:

if( $f_confirm_hash !== $t_token_confirm_hash || null === $t_token_confirm_hash ) {
	trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
}





----
Sent using Guerrillamail.com
Block or report abuse: https://www.guerrillamail.com//abuse/?a=TlJnSB4FQKEHgRqt0HIWYQDUA8WA19lHxqhOMtz5Bg%3D%3D


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ