-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

---------------------------------------------------
| BuHa Security-Advisory #7      | Feb 14th, 2006 |
---------------------------------------------------
| Vendor  | Mantis BT                             |
| URL     | http://www.mantisbt.org/              |
| Version | <= Mantis 1.00rc4                     |
| Risk    | Moderate                              |
---------------------------------------------------

o Description:
=============

Mantis is a web-based bugtracking system. It is written in the PHP
scripting language and requires the MySQL database and a webserver.
Visit http://www.mantisbt.org/ for detailed information.

o SQL-Injection:
===============

> > /manage_user_page.php:
GET: <?sort=last_visit'>

The manipulated data of the sort parameter is saved into the
"MANTIS_MANAGE_COOKIE" cookie. The value of the cookie is inserted into a
SQL query, so every time the page is loaded a MySQL database error is
displayed:

> > You have an error in your SQL syntax; check the manual that
> > corresponds to your MySQL server version for the right syntax
> > to use near '\"> ASC' at line 4 for the query:
> > SELECT *
> > FROM mantis_user_table
> > WHERE (1 = 1)
> > ORDER BY last_visit\' AS

Unexploitable SQL-Injection, temporary defacement.
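As an added illustration (this is not code from the advisory or from the Mantis project), the following PHP shows how the two issue classes reported here are closed on the defending side: the sort column that is stored in the cookie and spliced into ORDER BY is validated against an allowlist of identifiers, on both the GET parameter and the cookie value, and anything echoed back into the page (the sort value, the filter parameters of view_all_set.php, the title of proj_doc_delete.php) goes through output encoding. Only last_visit, mantis_user_table and MANTIS_MANAGE_COOKIE come from the advisory; the other column names are assumptions, the cookie is assumed to hold just the sort column, and the options-array form of setcookie needs PHP 7.3 or later.

```php
<?php
// Added illustration, not Mantis code: hardened handling of a "sort"
// parameter that is read from GET, persisted in a cookie, and used in an
// ORDER BY clause. A column name cannot be bound as a prepared-statement
// parameter, so the defence is an allowlist of identifiers, applied to the
// cookie value as well as to the request, since both are attacker-controlled.

// Assumed allowlist: "last_visit" is taken from the query in the advisory,
// the other column names are hypothetical.
const SORTABLE_COLUMNS = ['username', 'email', 'access_level', 'last_visit'];
const DEFAULT_SORT     = 'username';

// Cookie name from the advisory; assumed here to hold only the sort column.
const SORT_COOKIE = 'MANTIS_MANAGE_COOKIE';

function sanitize_sort(?string $candidate): string
{
    // Exact, case-sensitive match only. A value such as "last_visit'" or
    // "<script>" never reaches the query or the page; the default is used.
    if ($candidate !== null && in_array($candidate, SORTABLE_COLUMNS, true)) {
        return $candidate;
    }
    return DEFAULT_SORT;
}

function sanitize_dir(?string $candidate): string
{
    return ($candidate !== null && strtoupper($candidate) === 'DESC') ? 'DESC' : 'ASC';
}

// Numeric ids such as handler_id, reporter_id or file_id: accept integers
// only, so no markup or quote can survive into SQL or HTML.
function sanitize_id($candidate): int
{
    return filter_var($candidate, FILTER_VALIDATE_INT) === false ? 0 : (int) $candidate;
}

// HTML output encoding for any user-controlled string that is echoed back
// (filter values, document titles, the sort column in a header link).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The request value overrides the stored one; both are untrusted input.
$sort = sanitize_sort($_GET['sort'] ?? $_COOKIE[SORT_COOKIE] ?? null);
$dir  = sanitize_dir($_GET['dir'] ?? null);

// Persist only the validated literal, so a previously poisoned cookie is
// overwritten instead of being replayed on every page load.
setcookie(SORT_COOKIE, $sort, ['httponly' => true, 'samesite' => 'Lax']);

// $sort and $dir can now only be allowlisted literals.
$query = "SELECT * FROM mantis_user_table WHERE (1 = 1) ORDER BY $sort $dir";

// Reflecting the values back: URL-encode in the href, HTML-encode in the body.
echo '<a href="manage_user_page.php?sort=' . rawurlencode($sort)
   . '&amp;dir=' . $dir . '">' . h($sort) . '</a>';
```

Validating the cookie, not only the GET parameter, is what clears the condition the advisory describes: once a bad value has been stored, it is replayed on every request until the cookie is replaced. Falling back to a default rather than escaping is deliberate, because string-escaping functions do not protect an identifier position such as ORDER BY; the same allowlist approach applies to any column or table name taken from the request.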
o XSS:
=====

> > /view_all_set.php:
GET: <?type=1&handler_id=1&hide_status=[XSS]>
GET: <?type=1&handler_id=[XSS]>
GET: <?type=1&temporary=y&user_monitor=[XSS]>
GET: <?type=1&temporary=y&reporter_id=[XSS]>
GET: <?type=6&view_type=[XSS]>
GET: <?type=1&show_severity=[XSS]>
GET: <?type=1&show_category=[XSS]>
GET: <?type=1&show_status=[XSS]>
GET: <?type=1&show_resolution=[XSS]>
GET: <?type=1&show_build=[XSS]>
GET: <?type=1&show_profile=[XSS]>
GET: <?type=1&show_priority=[XSS]>
GET: <?type=1&highlight_changed=[XSS]>
GET: <?type=1&relationship_type=[XSS]>
GET: <?type=1&relationship_bug=[XSS]>

> > /manage_user_page.php:
GET: <?sort=[XSS]>

> > /view_filters_page.php:
GET: </view_filters_page.php?view_type=[XSS]>

> > /proj_doc_delete.php:
GET: <?file_id=1&title=[XSS]>

o Disclosure Timeline:
=====================

08 Oct 05 - Security flaws discovered.
17 Nov 05 - Vendor contacted.
15 Dec 05 - Vendor contacted again.
18 Dec 05 - Vendor confirmed vulnerabilities.
18 Dec 05 - Vendor released partly bugfixed version.
19 Dec 05 - Vendor contacted again.
03 Feb 06 - Vendor released bugfixed version.
14 Feb 06 - Public release.

o Solution:
==========

Upgrade to Mantis 1.0.0. [1]

o Credits:
=========

Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more a spam
address than a regular mail address, therefore it's possible that I ignore
some mails. Please use the contact details at http://morph3us.org/ to
contact me.

Greets fly out to cyrus-tc, destructor, nait, trappy and all members of
BuHa.

Advisory online: http://morph3us.org/advisories/20060214-mantis-100rc4.txt

[1] http://www.mantisbt.org/download.php

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFD8qCZkCo6/ctnOpYRA3OmAJkBblkaWsqm4Gsmd1kmZmfSiE0tdgCgkPXw
Yw3XgTq5MxLHSGX7hExkDpQ=
=nRmi
-----END PGP SIGNATURE-----