Arch Linux Security Advisory ASA-201412-6
=========================================
Severity: Critical
Date    : 2014-12-08
CVE-ID  : CVE-2014-9272 CVE-2014-9270 CVE-2014-8987 CVE-2014-9271
          CVE-2014-9281 CVE-2014-8986 CVE-2014-9269 CVE-2014-9280
          CVE-2014-9089 CVE-2014-9279 CVE-2014-8988 CVE-2014-8553
          CVE-2014-6387 CVE-2014-6316 CVE-2014-9117
Package : mantisbt
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
=======
The package mantisbt before version 1.2.18-1 is suffering from multiple
issues including but not limited to code execution, SQL injection,
authentication bypass, cross-site scripting and information disclosure.

Resolution
==========
Upgrade to 1.2.18-1.

# pacman -Syu "mantisbt>=1.2.18-1"

The problems have been fixed upstream in version 1.2.18.

Workaround
==========
None.

Description
===========
- CVE-2014-9272 (cross-site scripting)
The function "string_insert_hrefs" doesn't validate the protocol, so a
link can be crafted that executes arbitrary JavaScript code.
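The defensive counterpart to this finding is a link-insertion routine that only turns a URL into an anchor when its scheme is on an explicit allowlist. The following is an added example written for this advisory, not MantisBT's own string_insert_hrefs; the function name, the allowlist and the sample text are assumptions for illustration.

```php
<?php
// Added example, not MantisBT code: linkify URLs in user text only when the
// scheme is allowlisted, so a "javascript:" (or "data:", "vbscript:") URL is
// never emitted as an <a href>.

function safe_insert_hrefs(string $text): string
{
    $allowed = ['http', 'https', 'ftp', 'mailto'];

    // Escape the whole text first; the callback below works on escaped text,
    // so whatever lands in href has already had <, >, " and ' neutralised.
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // scheme ":" rest, where rest runs up to whitespace or an angle bracket.
    $pattern = '/\b([a-z][a-z0-9+.\-]*):([^\s<>]+)/i';

    return preg_replace_callback($pattern, function (array $m) use ($allowed): string {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, $allowed, true)) {
            // Unknown or dangerous scheme: leave it as plain (escaped) text.
            return $m[0];
        }
        return '<a href="' . $m[0] . '">' . $m[0] . '</a>';
    }, $escaped);
}

// Constructed sample input: one legitimate link and one scheme that must
// not become clickable.
$sample = 'Repro at https://example.com/view.php?id=1 and javascript:alert(1)';
echo safe_insert_hrefs($sample), "\n";
```

The check is on the scheme token alone, so case variants and scheme-relative tricks inside the remainder of the URL do not matter: anything not on the list is rendered as inert text, and the allowlisted URL is written into the attribute only after HTML escaping.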

- CVE-2014-9270 (cross-site scripting)
The Projax library does not properly escape HTML strings. An attacker
could take advantage of this to perform an XSS attack using the
profile/Platform field.

- CVE-2014-8987 (cross-site scripting)
The MantisBT Configuration Report page (adm_config_report.php) did not
escape a parameter before displaying it on the page, allowing an
attacker to execute arbitrary JavaScript code.

- CVE-2014-9271 (cross-site scripting)
It's possible to upload Flash files and have them opened inline by using
an image extension. Since Flash files can execute JavaScript, this
becomes a persistent XSS.

- CVE-2014-9281 (cross-site scripting)
A missing sanity check in copy_field.php leads to a reflected XSS
vulnerability which could be exploited e.g. via the dest_id parameter.

- CVE-2014-8986 (cross-site scripting)
Cross-site scripting (XSS) vulnerability in the selection list in the
filters in the Configuration Report page (adm_config_report.php) allows
remote administrators to inject arbitrary web script or HTML via a
crafted config option.

- CVE-2014-9269 (cross-site scripting)
The extended project browser allows projects to be passed in as A;B.
helper_get_current_project() and helper_get_current_project_trace() then
explode the string on ';' and don't check that A is an int
(representing a project/sub-project id).
Finally, print_extended_project_browser() prints the result of the split
into a JavaScript array.

- CVE-2014-9280 (code execution)
PHP Object Injection in filter API in the function
current_user_get_bug_filter (core\current_user_api.php line 212). The
code loads a variable from $_GET['filter']/$_POST['filter'] and if it's
not numeric, feeds it straight into unserialize() on line 223.
The current_user_get_bug_filter function is called in 10 places; the
easiest entry point is /view_filters_page.php.
A PoC initializing a class that's loaded could look like this:
/view_filters_page.php?filter=O:16:"MantisPHPSession":2:{s:2:"id";s:1:"1";s:3:"key";s:3:"wee";}
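The root cause here is handing client input to unserialize() at all. The block below is an added example written for this advisory, not MantisBT's current_user_get_bug_filter: it shows the weak pattern the text describes beside a hardened replacement that only accepts a stored-filter id, and a data-only (JSON) alternative for the case where a filter genuinely must round-trip through the client. Function names, the filter fields and the sort column names are assumptions for illustration.

```php
<?php
// Added example, not MantisBT code: the weak pattern from the advisory beside
// hardened replacements.

// Weak pattern: a non-numeric "filter" request parameter is handed to
// unserialize(), which instantiates whatever loaded class the string names.
function filter_from_request_weak(string $raw)
{
    if (is_numeric($raw)) {
        return (int) $raw;          // id of a stored filter
    }
    return unserialize($raw);       // client controls the object graph
}

// Hardened form: the client may only name a stored filter by id. Serialized
// PHP is never accepted from the request at all.
function filter_id_from_request(string $raw): ?int
{
    return preg_match('/^[1-9][0-9]{0,9}$/', $raw) === 1 ? (int) $raw : null;
}

// If a filter must travel through the client, carry it as plain data and
// validate every field against an allowlist before use.
function filter_from_json(string $raw): ?array
{
    $data = json_decode($raw, true, 3);
    if (!is_array($data)) {
        return null;
    }
    $allowed_sort = ['id', 'last_updated', 'priority', 'status'];   // assumed columns
    $sort = $data['sort'] ?? '';
    $per_page = $data['per_page'] ?? 50;

    return [
        'sort'     => in_array($sort, $allowed_sort, true) ? $sort : 'last_updated',
        'per_page' => (is_int($per_page) && $per_page >= 1 && $per_page <= 500) ? $per_page : 50,
    ];
}

// Where legacy serialized data cannot be removed yet, PHP >= 7.0 can at least
// refuse to instantiate classes: objects come back as __PHP_Incomplete_Class.
// Defence in depth only, not a substitute for dropping unserialize() on input.
function filter_unserialize_no_objects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed sample inputs: a plain id, a non-numeric string that is
// rejected instead of deserialized, and a JSON filter that is validated.
var_dump(filter_id_from_request('42'));
var_dump(filter_id_from_request('O:1:"x":0:{}'));
var_dump(filter_from_json('{"sort":"priority","per_page":25}'));
```

The weak function is present only for comparison and is never called. For detection, a request log filter on the filter parameter matching the serialized-object prefix `O:` followed by a digit and a colon is a cheap indicator of attempts against this class of bug.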

- CVE-2014-9089 (SQL injection)
Multiple SQL injection vulnerabilities in view_all_bug_page.php in
MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL
commands via the 'sort' or 'dir' parameter to view_all_set.php.
Both parameters are split into chunks on ','. After splitting, only the
first two values are validated. By supplying a third value, SQL
injection can be performed.
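The fix pattern for this bug is to validate every chunk of a comma-separated sort specification, not only the first two, and to interpolate nothing into the ORDER BY clause except allowlisted identifiers and the two direction keywords. The following is an added example written for this advisory, not MantisBT's view_all_set.php; the function name and column names are assumptions for illustration.

```php
<?php
// Added example, not MantisBT code: build an ORDER BY clause from 'sort' and
// 'dir' parameters where every chunk is checked against an allowlist.

function build_order_by(string $sort, string $dir, array $allowed_columns): string
{
    $sorts = explode(',', $sort);
    $dirs  = explode(',', $dir);

    if (count($sorts) !== count($dirs)) {
        throw new InvalidArgumentException('sort and dir must have the same number of entries');
    }

    $clauses = [];
    foreach ($sorts as $i => $column) {
        $column    = trim($column);
        $direction = strtoupper(trim($dirs[$i]));

        // Every chunk, not just the first two, must be a known column name.
        if (!in_array($column, $allowed_columns, true)) {
            throw new InvalidArgumentException('unknown sort column: ' . $column);
        }
        if ($direction !== 'ASC' && $direction !== 'DESC') {
            throw new InvalidArgumentException('invalid sort direction: ' . $direction);
        }
        // Only an allowlisted identifier and a fixed keyword are ever interpolated.
        $clauses[] = $column . ' ' . $direction;
    }
    return 'ORDER BY ' . implode(', ', $clauses);
}

$columns = ['id', 'last_updated', 'priority', 'status'];   // assumed column names

// Constructed inputs: a legitimate two-column sort, then a request with a
// third chunk that is not a column name and must be rejected, not passed on.
echo build_order_by('priority,last_updated', 'DESC,ASC', $columns), "\n";
try {
    build_order_by('priority,last_updated,not_a_column', 'DESC,ASC,ASC', $columns);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because identifiers cannot be bound as prepared-statement parameters, the allowlist is the control here; the loop makes the count of validated chunks equal to the count of chunks used, which is exactly the invariant the original code lost.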

- CVE-2014-9279 (information disclosure)
Database credentials leak: the unattended upgrade script retrieved DB
connection settings from POST parameters, allowing an attacker to make
the script connect to a host of their choosing with the current DB
config credentials.

- CVE-2014-8988 (information disclosure)
It is possible to bypass the $g_download_attachments_threshold and
$g_view_attachments_threshold restrictions and read attachments for
private projects by leveraging access to a project that does not
restrict access to attachments and a request to the download URL.

- CVE-2014-8553 (information disclosure)
No public information is available yet.

- CVE-2014-6387 (authentication bypass)
A flaw in gpc_api.php allows remote attackers to bypass authentication
via a password starting with a null byte, which triggers an
unauthenticated bind. A malicious user can exploit this vulnerability to
log in as any registered user without knowing their password on systems
relying on LDAP for user authentication (e.g. Active Directory or
OpenLDAP with "allow bind_anon_cred").
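An application-side guard against this class of bug is to refuse, before any bind is attempted, a password that the directory would interpret as empty. The block below is an added example written for this advisory, not MantisBT's gpc_api.php or LDAP code; the function names and sample passwords are assumptions for illustration.

```php
<?php
// Added example, not MantisBT code: reject a password that would turn a simple
// bind into an unauthenticated one before it is sent to the directory.

// LDAP treats a simple bind with an empty password as an unauthenticated bind,
// which a permissive server reports as success. Older PHP releases passed the
// password to the C library as a NUL-terminated string, so "\0..." reached the
// server as ""; current PHP refuses such a password with a warning, but the
// application should not rely on that.
function ldap_password_is_usable(string $password): bool
{
    if ($password === '') {
        return false;
    }
    if (strpos($password, "\0") !== false) {
        return false;
    }
    return true;
}

// Bind only after the guard, and treat anything but a strict true as failure.
function ldap_authenticate($ldap, string $user_dn, string $password): bool
{
    if (!ldap_password_is_usable($password)) {
        return false;
    }
    // Suppress the warning on bad credentials; the boolean result is what matters.
    return @ldap_bind($ldap, $user_dn, $password) === true;
}

// Constructed samples exercising the guard alone (no directory needed).
foreach (["correct horse", "", "\0pass", "abc\0def"] as $candidate) {
    printf("%-14s -> %s\n",
        addcslashes($candidate, "\0"),
        ldap_password_is_usable($candidate) ? 'usable' : 'rejected');
}
```

Pair the guard with the directory's own policy so the server never treats an unauthenticated bind as a login at all (for OpenLDAP, `require authc` in slapd.conf or `olcRequires: authc` in cn=config); the application check then only shortens the failure path.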

- CVE-2014-6316 (cross-site redirection)
When Mantis is installed at the web server's root, $g_short_path is set
to '/'. string_sanitize_url() removes the trailing '/' from the short
path, which causes the URL to be incorrectly categorized as "type 2",
thus allowing cross-site redirection to occur.

- CVE-2014-9117 (captcha bypass)
MantisBT before 1.2.18 uses the public_key parameter value as the key to
the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA
protection mechanism by leveraging knowledge of a CAPTCHA answer for a
public_key parameter value, as demonstrated by E4652 for the public_key
value 0.

Impact
======
A remote attacker is able to bypass authentication, execute arbitrary
code, perform SQL injection, steal sessions via cross-site scripting or
disclose sensitive information.

References
==========
https://mantisbt.org/bugs/changelog_page.php
https://seclists.org/oss-sec/2014/q4/955
https://access.redhat.com/security/cve/CVE-2014-9272
https://mantisbt.org/bugs/view.php
https://access.redhat.com/security/cve/CVE-2014-9270
https://mantisbt.org/bugs/view.php
https://access.redhat.com/security/cve/CVE-2014-8987
https://mantisbt.org/bugs/view.php
https://access.redhat.com/security/cve/CVE-2014-9271
https://mantisbt.org/bugs/view.php
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9281
https://mantisbt.org/bugs/view.php
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8986
https://mantisbt.org/bugs/view.php
https://access.redhat.com/security/cve/CVE-2014-9269
https://mantisbt.org/bugs/view.php
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9280
https://mantisbt.org/bugs/view.php
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9089
https://mantisbt.org/bugs/view.php
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9279
https://mantisbt.org/bugs/view.php
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8988
https://mantisbt.org/bugs/view.php
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8553
https://mantisbt.org/bugs/view.php
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6387
https://mantisbt.org/bugs/view.php
https://access.redhat.com/security/cve/CVE-2014-6316
https://mantisbt.org/bugs/view.php
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9117
https://mantisbt.org/bugs/view.php