Debian Bug report logs - #640297
MantisBT <1.2.8 multiple vulnerabilities (LFI/XSS/remote arbitrary code execution)


Package: mantis; Maintainer for mantis is Silvia Alvarez <sils@powered-by-linux.com>; Source for mantis is src:mantis.

Reported by: David Hicks <d@hx.id.au>

Date: Sun, 4 Sep 2011 06:51:01 UTC

Severity: critical

Tags: fixed-upstream, patch, security, upstream

Found in version mantis/1.2.6-1

Fixed in version mantis/1.2.7-1

Done: Silvia Alvarez <sils@powered-by-linux.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Silvia Alvarez <sils@powered-by-linux.com>:
Bug#640297; Package mantis. (Sun, 04 Sep 2011 06:51:04 GMT)

Acknowledgement sent to David Hicks <d@hx.id.au>:
New Bug report received and forwarded. Copy sent to Silvia Alvarez <sils@powered-by-linux.com>. (Sun, 04 Sep 2011 06:51:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: David Hicks <d@hx.id.au>
To: submit@bugs.debian.org
Cc: sils@powered-by-linux.com, midget@debian.org
Subject: MantisBT <1.2.8 multiple vulnerabilities (LFI/XSS/remote arbitrary code execution)
Date: Sun, 04 Sep 2011 16:47:12 +1000
Package: mantis
Version: 1.2.6-1
Severity: critical
Tags: security patch upstream fixed-upstream

Hi Sils and others,

Thank you for the quick response to bug #638321 (search.php multiple XSS
vulnerabilities in <mantisbt-1.2.7). Unfortunately a number of other
vulnerabilities have been discovered which will work against all 1.2.x
releases of MantisBT:

1) XSS injection via PHP_SELF
2) LFI and XSS via bug_actiongroup_ext_page.php
3) XSS issues with unescaped os, os_build and platform parameters on
bug_report_page.php and bug_update_advanced_page.php

Details of these vulnerabilities are provided at [1], [2] and [3]. CVE
requests have been submitted to the oss-security mailing list as per
[1].

The LFI vulnerability in bug_actiongroup_ext_page.php has the potential
to allow malicious users to upload arbitrary PHP scripts via MantisBT
bug attachments and then execute these malicious scripts. See the
oss-security@lists.openwall.com and mantisbt-dev@lists.sourceforge.net
discussion threads for further information. Users would first need to
change the file upload method from storing attachments in the database
to storing them on the disk in order to be vulnerable to this extended
remote arbitrary code execution attack. However, if the same web server
uid/gid is used across multiple web applications, attachments stored on
the disk from another web application could be executed.

The minimum required patches to resolve these issues are available at
[4], [5], [6] and [7] and should apply cleanly to MantisBT 1.2.7
(probably 1.2.6 as well). The LFI patches ([4] and [5]) are a bit larger
than hoped for in a security fix. They do, however, aim to resolve the
issue in the most robust and future-proofed way possible.

Please advise if assistance is required in preparing alternative patches
for earlier versions of MantisBT. I'm able to help with resolving merge
conflicts, providing simpler bandaid patches, etc.

Thanks,

David Hicks
MantisBT Developer

[1] http://www.openwall.com/lists/oss-security/2011/09/04/1
[2] http://www.mantisbt.org/bugs/view.php?id=13191
[3] http://www.mantisbt.org/bugs/view.php?id=13281
[4] https://github.com/mantisbt/mantisbt/commit/5b93161f3ece2f73410c296fed8522f6475d273d
[5] https://github.com/mantisbt/mantisbt/commit/6ede60d3db9e202044f135001589cce941ff6f0f
[6] https://github.com/mantisbt/mantisbt/commit/d00745f5e267eba4ca34286d125de685bc3a8034
[7] https://github.com/mantisbt/mantisbt/commit/0a636b37d3425aea7b781e7f25eaeb164ac54a3d

Information forwarded to debian-bugs-dist@lists.debian.org, Silvia Alvarez <sils@powered-by-linux.com>:
Bug#640297; Package mantis. (Mon, 05 Sep 2011 13:15:46 GMT)

Acknowledgement sent to sils@powered-by-linux.com:
Extra info received and forwarded to list. Copy sent to Silvia Alvarez <sils@powered-by-linux.com>. (Mon, 05 Sep 2011 13:15:51 GMT)

Message #10 received at 640297@bugs.debian.org:

From: sils <sils@powered-by-linux.com>
To: 640297@bugs.debian.org, developer discussions <mantisbt-dev@lists.sourceforge.net>, d@hx.id.au
Subject: XSS vulnerability due to usage of PHP_SELF : Not fixed
Date: Mon, 05 Sep 2011 15:14:07 +0200
Hi David,

Thanks a lot for the extended report about these issues [1] on the Debian BTS.

I took a look at the code on GitHub for the needed changes and tested
them on 1.2.7 (which we are working on, instead of 1.2.6-1, which will
be replaced with 1.2.7). I created the patches from the minimum required
code to resolve these issues, and they applied cleanly.

But the bugs were not fixed at all.

1) XSS injection via PHP_SELF ([2],[3])

The problem, sure, is related to PHP_SELF, but this patch [3] just fixes
the setup/control of the global variable $g_path. It does not solve the
problem in 1.2.6 or 1.2.7.

The XSS injection is still being produced, because of the function
"form_action_self". This function is used to generate a form action
value when forms are designed to be submitted to the same URL.

core/form_api.php:function form_action_self()

This function affects other functions such as:
helper_ensure_confirmed()
auth_reauthenticate()

This function returns:  basename($_SERVER['PHP_SELF']);

In the 1.2.7 release (1.2.6 too), this function is used in these source files:

core/authentication_api.php
core/helper_api.php
billing_inc.php
bugnote_stats_inc.php
manage_config_email_page.php
manage_config_workflow_page.php
manage_config_work_threshold_page.php

Then, all the pages which include this function in the 1.2.6/1.2.7 versions
will be vulnerable.

I noticed, taking a look on GitHub, that in the master branch this function
had been deprecated (removed) from the source code.

I could create a patch to solve this issue, but which one would be the
best solution?

a) remove the form_action_self() from all pages
b) change the form_action_self() in core/form_api.php

I don't know if removing form_action_self() from all pages would have
other implications or would crash something around the code. I just
compared the 1.2.8 branch on GitHub and realized that it was removed.

I hope this could help, and we await your reply, because we don't
want to spend much time with an open CVE issue in the package.

I offer myself to create this patch, don't worry about this, but I need
to know the implications or which is the best option.

Thanks a lot for your help.

Regards,

Sils

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297
[2] http://www.mantisbt.org/bugs/view.php?id=13191
[3] https://github.com/mantisbt/mantisbt/commit/d00745f5e267eba4ca34286d125de685bc3a8034

Information forwarded to debian-bugs-dist@lists.debian.org, Silvia Alvarez <sils@powered-by-linux.com>:
Bug#640297; Package mantis. (Mon, 05 Sep 2011 14:06:03 GMT)

Acknowledgement sent to David Hicks <d@hx.id.au>:
Extra info received and forwarded to list. Copy sent to Silvia Alvarez <sils@powered-by-linux.com>. (Mon, 05 Sep 2011 14:06:03 GMT)

Message #15 received at 640297@bugs.debian.org:

From: David Hicks <d@hx.id.au>
To: sils@powered-by-linux.com
Cc: 640297@bugs.debian.org, developer discussions <mantisbt-dev@lists.sourceforge.net>
Subject: Re: XSS vulnerability due to usage of PHP_SELF : Not fixed
Date: Mon, 05 Sep 2011 23:56:18 +1000
Hi Sils,

Thank you for debugging this issue further and discovering the
additional problem with form_action_self().

On Mon, 2011-09-05 at 15:14 +0200, sils wrote:
> The XSS injection is still being produced, because of the function
> "form_action_self". This function is used to generate a form action
> value when forms are designed to be submitted to the same URL.

Agreed, good catch. I just grepped the source code and am troubled to
find PHP_SELF used in most of the libraries MantisBT 1.2.x depends upon:
JpGraph, NuSOAP and ADOdb. From my experience with these codebases I can
almost guarantee they will have issues with PHP_SELF usage. I'll have to
take a look at these in the following days to confirm.

> This function returns:  basename($_SERVER['PHP_SELF']);

In this case, use of PHP_SELF is not really necessary because we're only
after the basename component (view_all_bugs.php, bug_report_page.php,
etc). While it's possible that users have set up rewrite rules within
their HTTP daemon to remap file names, this is an unlikely scenario and
is probably already broken with the use of PHP_SELF.

> a) remove the form_action_self() from all pages

I think this would be hard to achieve because we'd have to change some
APIs within MantisBT 1.2.x (potentially breaking plugins) to pass
through form names.

> b) change the form_action_self() in core/form_api.php

This strikes me as being the easiest and safest approach (not breaking
anything else) for the 1.2.x branch.

I've created and committed a patch [1] that swaps PHP_SELF for
SCRIPT_NAME in this function. I've also gone through and applied proper
escaping to URLs in the action attribute where we use the return value
of form_action_self().

> I hope this could help, and we await your reply, because we don't
> want to spend much time with an open CVE issue in the package.

Agreed. Thank you very much for your help with these vulnerabilities.

Please let me know if I can be of any further assistance. Hopefully we
have all the patches needed in the master-1.2.x tree to resolve all
known outstanding vulnerabilities.

Regards,

David

[1] https://github.com/mantisbt/mantisbt/commit/e679a1c02978ba1b811959dedc358598fc595458
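The two variants of the same-page form action discussed above, as an added illustration rather than code taken from MantisBT or from either of the participants: the 1.2.x-style value built from the basename of PHP_SELF, and the hardened value that uses SCRIPT_NAME and escapes the result before it lands in the `action` attribute. The function names, the `render_form()` helper and the `$_SERVER`-style arrays are constructed for this example; only the `basename($_SERVER['PHP_SELF'])` behaviour and the SCRIPT_NAME-plus-escaping fix come from the thread.

```php
<?php
// Added example (not MantisBT's own code): a same-page form action built from
// PHP_SELF as described in the thread, beside the hardened form the fix describes
// (SCRIPT_NAME instead of PHP_SELF, plus escaping of the attribute value).
// All function names and the request arrays below are constructed for this example.

// 1.2.x-style behaviour: the basename of PHP_SELF. PHP_SELF is the script path
// *including* any trailing PATH_INFO, so for a request to
// /bug_report_page.php/<extra> the basename is the user-supplied <extra>,
// emitted into the attribute without escaping.
function form_action_self_vulnerable(array $server): string {
    return basename($server['PHP_SELF']);
}

// Hardened variant: SCRIPT_NAME carries only the executing script's path
// (never PATH_INFO), and the value is escaped before it is placed in an
// attribute, so even an unusual rewrite setup cannot break out of the quotes.
function form_action_self_hardened(array $server): string {
    return htmlspecialchars(basename($server['SCRIPT_NAME']), ENT_QUOTES, 'UTF-8');
}

// Minimal stand-in for a page that posts back to itself.
function render_form(string $action): string {
    return '<form method="post" action="' . $action . '">';
}

// Constructed request: extra path info carrying attribute-breaking characters.
$request = [
    'SCRIPT_NAME' => '/bug_report_page.php',
    'PATH_INFO'   => '/"x<y>',
    'PHP_SELF'    => '/bug_report_page.php/"x<y>',
];

// Constructed "rewrite rule" case: the script name itself contains a quote,
// which is why the hardened variant escapes even though SCRIPT_NAME has no PATH_INFO.
$rewritten = [
    'SCRIPT_NAME' => '/odd"name.php',
    'PHP_SELF'    => '/odd"name.php',
];

// Self-check: the vulnerable action reflects the raw path suffix; the hardened
// one returns the real script name and never contains ", < or >.
function self_check(array $request, array $rewritten): bool {
    $bad  = form_action_self_vulnerable($request);
    $good = form_action_self_hardened($request);
    return $bad === '"x<y>'
        && $good === 'bug_report_page.php'
        && strpbrk($good, '"<>') === false
        && form_action_self_hardened($rewritten) === 'odd&quot;name.php';
}

echo render_form(form_action_self_vulnerable($request)), PHP_EOL;
echo render_form(form_action_self_hardened($request)), PHP_EOL;
echo self_check($request, $rewritten) ? 'self-check passed' : 'self-check FAILED', PHP_EOL;
```

Run it with `php example.php`: the first line shows the raw path suffix sitting inside the attribute, the second shows the real script name, and the rewrite case shows that the `htmlspecialchars()` call is what keeps the attribute intact when SCRIPT_NAME itself is unusual.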

Information forwarded to debian-bugs-dist@lists.debian.org, Silvia Alvarez <sils@powered-by-linux.com>:
Bug#640297; Package mantis. (Mon, 05 Sep 2011 15:39:03 GMT)

Acknowledgement sent to sils@powered-by-linux.com:
Extra info received and forwarded to list. Copy sent to Silvia Alvarez <sils@powered-by-linux.com>. (Mon, 05 Sep 2011 15:39:03 GMT)

Message #20 received at 640297@bugs.debian.org:

From: sils <sils@powered-by-linux.com>
To: 640297@bugs.debian.org
Cc: developer discussions <mantisbt-dev@lists.sourceforge.net>
Subject: Re: Bug#640297: XSS vulnerability due to usage of PHP_SELF : Not fixed
Date: Mon, 05 Sep 2011 17:36:27 +0200
Thanks David,

Everything works perfectly. I applied all the patches, including the new one
(really appreciated), and all the issues are gone :-)

In a while I'm going to upload the 1.2.7-1 version into the repo to
close all these issues. No matter if tomorrow we have 1.2.8, I will push
it again :-)

BTW, in Debian package versions < 1.2.x (Debian stable, oldstable), all
these bugs are not applicable; I'm going to create the needed ones. If I
have some troubles I will ask for some help, if you don't mind, of course.

Thanks a lot, really.

Great job Team!

Cheers,

Sils


Reply sent to Silvia Alvarez <sils@powered-by-linux.com>:
You have taken responsibility. (Mon, 05 Sep 2011 19:21:16 GMT)

Notification sent to David Hicks <d@hx.id.au>:
Bug acknowledged by developer. (Mon, 05 Sep 2011 19:21:16 GMT)

Message #25 received at 640297-close@bugs.debian.org:

From: Silvia Alvarez <sils@powered-by-linux.com>
To: 640297-close@bugs.debian.org
Subject: Bug#640297: fixed in mantis 1.2.7-1
Date: Mon, 05 Sep 2011 19:17:58 +0000
Source: mantis
Source-Version: 1.2.7-1

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_1.2.7-1.debian.tar.gz
  to main/m/mantis/mantis_1.2.7-1.debian.tar.gz
mantis_1.2.7-1.dsc
  to main/m/mantis/mantis_1.2.7-1.dsc
mantis_1.2.7-1_all.deb
  to main/m/mantis/mantis_1.2.7-1_all.deb
mantis_1.2.7.orig.tar.gz
  to main/m/mantis/mantis_1.2.7.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 640297@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Silvia Alvarez <sils@powered-by-linux.com> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.8
Date: Mon, 05 Sep 2011 20:41:13 +0200
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.2.7-1
Distribution: unstable
Urgency: high
Maintainer: Silvia Alvarez <sils@powered-by-linux.com>
Changed-By: Silvia Alvarez <sils@powered-by-linux.com>
Description: 
 mantis     - web-based bug tracking system
Closes: 640061 640297
Changes: 
 mantis (1.2.7-1) unstable; urgency=high
 .
   * Security Upstream Release (1.2.7)
   * Urgency high: Fixes critical LFI/XSS vulnerabilites
   * debian/NEWS: updated
   * debian/README.Debian: updated
   * debian/doc/README.LDAP: updated
   * debian/po debconf translations:
     + Added Swedish translation, thanks to
        Martin Bagge (Closes: #640061)
     + Fixed Language Field: sv
   * debian/patches:
     + dropped:
       000-fix-security-bug-bts-638321-filterapi-multiple-XSS.diff
       Bug fixed in new upstream release.
    + updated:
       000-cleanup-gitignore-file-from-orignal-tarball.diff
    + added: Multiple vulnerabilities (LFI/XSS/Projax/PHPSELF)
      Thanks to David Hicks, MantisBT developer. (Closes: #640297)
      000-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff
      000-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff
      000-Fix-640297-LFI-XSS-injection-via-PHPSELF.diff
      000-Fix-640297-Projax-XSS-injection.diff
Checksums-Sha1: 
 2dc4fa1aa4036bc8a44ee6e93bb09ecff9d4013c 1829 mantis_1.2.7-1.dsc
 c28e11e32e1b8b1ea631f056c32d05c7e51aa927 3280933 mantis_1.2.7.orig.tar.gz
 7abe1796b17898cf6cce741ad1643e2257df702f 58763 mantis_1.2.7-1.debian.tar.gz
 60da7c4ce63fd23bc3c123f3c0210fc70424e1c9 2074010 mantis_1.2.7-1_all.deb
Checksums-Sha256: 
 462971bfffb999c18f424f0aad568683371a03ac3423b54784b4353b3dd8d08d 1829 mantis_1.2.7-1.dsc
 8a0ba6e3b7310743c5a52bf9b771f29988d11497e21336eef833fd7e73c9a717 3280933 mantis_1.2.7.orig.tar.gz
 143b561da266daaf78159bed7438371bc56b00f7fb414eb1069ced9d15d05054 58763 mantis_1.2.7-1.debian.tar.gz
 e3cea06ab6064aaec1c6832d01aa775e5f2aa9a5b99c0264bdbd334cc6ff7438 2074010 mantis_1.2.7-1_all.deb
Files: 
 3f4413889462fb3d7a6c98fc26fb0396 1829 web optional mantis_1.2.7-1.dsc
 b78a10db186db2ad815007aee3d0ae86 3280933 web optional mantis_1.2.7.orig.tar.gz
 55fafb0eaf209ecdd86f7e61e6290785 58763 web optional mantis_1.2.7-1.debian.tar.gz
 17b549732afca26dec84f042b5435773 2074010 web optional mantis_1.2.7-1_all.deb
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 06 Oct 2011 07:37:33 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 05:38:13 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.