Date: Fri, 9 Sep 2011 14:44:15 -0400 (EDT) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: calderon@...sec.mx, advisory@...ridge.ch, developer discussions <mantisbt-dev@...ts.sourceforge.net>, coley <coley@...re.org> Subject: Re: CVE requests: <mantisbt-1.2.8 multiple vulnerabilities (1xLFI+XSS, 2xXSS) Sorry this took so long. ----- Original Message ----- > Request #1: XSS injection via PHP_SELF > > Paulino Calderon from Websec reported an issue  against MantisBT 1.2.6 > whereby an attacker could craft URLs such that arbitrary HTML could be > inserted into page output. Users running MantisBT on a vanilla nginx > installation are unaffected because nginx will check to see whether the > full URL path exists and is valid (with an XSS injection string, it won't > be). Other web servers such as Apache won't perform these stringent > checks and are therefore MantisBT is vulnerable to this attack when > running on an Apache server. This attack does not require users to be > authenticated or logged into a MantisBT installation to be impacted by > this vulnerability. > > The same issue was identified by High-Tech Bridge Security Research Lab > with their advisory #HTB23045 available at . Paul Richards (MantisBT > developer) also discovered this issue during a routine audit. > > MantisBT bug reports with full details (including patches) are available > at  and . > Please use CVE-2011-3356 for the above. > > Request #2: LFI and XSS via bug_actiongroup_ext_page.php > > High-Tech Bridge Security Research Lab reported an issue against MantisBT > 1.2.7 whereby an attacker could include local system files via a > directory traversal/local file inclusion vulnerability in > bug_actiongroup_ext_page.php. > > Web server and/or PHP and/or operating system configuration will dictate > whether this vulnerability can be exploited. MantisBT will prepend > "bug_actiongroup_" prior to the attacker-supplied path. A suffix is > appended, but can be stripped off using a null character (%00). Some > environments (at least nginx and php-fpm 5.3) do not allow directory > traversal from a file or invalid path/file. Other environments do allow > directory traversal from file names (even invalid ones), for instance: > "bug_actiongroup_page.php/../private_file" or > "bug_actiongroup_/../private_file". > > This vulnerability can also allow an attacker to perform an XSS attack > (no login/session required with the MantisBT attacker) if PHP is > configured to display error messages. The error message from the > require_once() call is not sanitised by PHP prior to displaying it to the > user. Best (and therefore common) practice is to not display PHP error > messages to the end user, severely limiting the applicability of this > attack. > > Full details and patches are available at . Please use CVE-2011-3357 for the above. > > Request #3: XSS issues with unescaped os, os_build and platform > parameters on bug_report_page.php and bug_update_advanced_page.php > > High-Tech Bridge Security Research Lab reported an issue against MantisBT > 1.2.7 whereby an attacker could perform an XSS attack on users with > access to either bug_report_page.php or bug_update_advanced_page.php. In > default and typical MantisBT installations, this is limited to users that > are currently logged in. > > The cause of this problem is with the use of the ancient Projax library > (available at ) in the 1.2.x branch of MantisBT. Projax does not > escape value attributes when printing input form elements. In some > respects, this issue is also a bug with Projax however it may be a case > that users of this library are expected to provide values that are > already sanitised. MantisBT 1.3.x (master branch) uses jQuery instead of > Projax and is therefore not impacted by this vulnerability. > > Full details and patches are available at . > Please use CVE-2011-3358 for the above. > > > > Additional information: > > A new release (mantisbt-1.2.8) is being put together and will be > available shortly to download from mantisbt.org to resolve these 3 > vulnerabilities. Announcements will be made to > mantisbt-announce@...ts.sourceforge.net, mantisbt.org/blog, > #mantishelp > on irc.freenode.net and other usual channels. Major Linux > distributions > shipping mantisbt-1.2.x will also be informed. > > With thanks to: Paulino Calderon (Websec), High-Tech Bridge Security > Research Lab, Paul Richards (MantisBT) > > > > > References: > >  > https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html > >  http://www.mantisbt.org/bugs/view.php?id=13191 > >  http://www.mantisbt.org/bugs/view.php?id=13281 > >  http://www.ngcoders.com/projax/ >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.