what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MantisBT 1.2.17 XSS / Improper Access Control / SQL Injection

MantisBT 1.2.17 XSS / Improper Access Control / SQL Injection
Posted Jan 29, 2015
Authored by High-Tech Bridge SA | Site htbridge.com

MantisBT version 1.2.17 suffers from improper access control, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
advisories | CVE-2014-9571, CVE-2014-9572, CVE-2014-9573
SHA-256 | 66702fafa02a9dbc923285c073b3f395b675adad64da5dfa2394ca10e6440fd2

MantisBT 1.2.17 XSS / Improper Access Control / SQL Injection

Change Mirror Download
Advisory ID: HTB23243
Product: MantisBT
Vendor: MantisBT Team
Vulnerable Version(s): 1.2.17 and probably prior
Tested Version: 1.2.17
Advisory Publication: December 3, 2014 [without technical details]
Vendor Notification: December 3, 2014
Vendor Patch: January 25, 2015
Public Disclosure: January 28, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79], Improper Access Control [CWE-284], SQL Injection [CWE-89]
CVE References: CVE-2014-9571, CVE-2014-9572, CVE-2014-9573
Risk Level: Medium
CVSSv2 Base Scores: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab has discovered multiple vulnerabilities in MantisBT, which can be exploited to perform Cross-Site Scripting (XSS) and SQL injection attacks. Improper access control vulnerability discloses database's credentials (login and password) in plaintext.


1) Cross-Site Scripting (XSS) in MantisBT: CVE-2014-9571

Vulnerabilities described in this section can be used by attackers to steal cookies of application’s administrator and other website users. Attackers can also perform spear phishing attacks against web site visitors by replacing original content of the web site with arbitrary HTML and script code, perform drive-by-download attacks by injecting malware into web pages, and bypass existing CSRF protection mechanism.

The vulnerability exists due to insufficient filtration of input data passed via the "admin_username" and "admin_password" HTTP GET parameters to "/[admin]/install.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

Below are two exploitation examples that use the "alert()" JavaScript function to display "immuniweb" word:

http://mantis/[admin]/install.php?install=1&admin_username=1%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://mantis/[admin]/install.php?install=1&admin_password=1%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

Note, that "[admin]" in the URL is changed by default during MantisBT installation. Therefore, the attacker must know the location of the administrative interface in order to perform the attack. However, admin panel URL can be bruteforced or predicted in many cases.


2) Improper Access Control in MantisBT: CVE-2014-9572

The vulnerability exists due to insufficient access restrictions to the installation script "/[admin]/install.php" when HTTP GET "install" parameter is set to "4". A remote unauthenticated attacker can access the installation script and obtain database access credentials, which are stored in plain text in hidden form fields.

An attacker can use the following URL to access the page an obtain database credentials (login and password) in plaintext:

http://mantis/[admin]/install.php?install=4

Note, that "[admin]" in the URL is changed by default during installation. Therefore, the attacker must know the location of the administrative interface in order to perform the attack. However, admin panel URL can be bruteforced or predicted in many cases.


3) SQL Injection in MantisBT: CVE-2014-9573

The vulnerability can be used to manipulate existing SQL queries. An attacker can obtain potentially sensitive data and use it to elevate privileges within the application. It is also possible for certain configurations to upload a backdoor and gain complete access to the webserver or website.

The vulnerability exists due to insufficient filtration of the "MANTIS_MANAGE_USERS_COOKIE" HTTP COOKIE in "/manage_user_page.php" script. A remote user with administrative privileges can inject and execute arbitrary SQL code within the application’s database.

The exploit code below modifies the SQL query and injects malicious "INTO OUTFILE" statement. As a result,current MySQL user login will be written into the "/var/www/file.txt" file:


GET /manage_user_page.php?hideinactive=0 HTTP/1.1
Host: mantis
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: MANTIS_MANAGE_USERS_COOKIE=0%3Ausername%20INTO%20OUTFILE%20%27/var/www/file.txt%27%20--%20%3A1%3A0
Connection: keep-alive


Successful exploitation requires that the MySQL account has FILE privileges within the database.

To exploit this vulnerability an attacker must create a specially crafted cookie for the application administrator. This can be achieved using XSS vulnerabilities, described in paragraph 1 of this advisory.


-----------------------------------------------------------------------------------------------

Solution:

Update to MantisBT 1.2.19

More Information:
http://www.mantisbt.org/bugs/view.php?id=17937
https://www.mantisbt.org/bugs/changelog_page.php?version_id=238

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23089 - https://www.htbridge.com/advisory/HTB23243 - Multiple vulnerabilities in MantisBT.
[2] MantisBT - http://www.mantisbt.org/ - MantisBT is an open source issue tracker that provides a delicate balance between simplicity and power.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close