View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003660 | mantisbt | security | public | 2004-03-18 03:34 | 2006-10-09 11:54 |
Reporter | vboctor | Assigned To | jlatour | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 0.18.2 | ||||
Summary | 0003660: Ability to execute arbitrary SQL statement if register_globals = ON | ||||
Description | file_download.php only initialises the $query variable if the file type is "bug" or "doc"; otherwise it is left uninitialised and executed. This will allow a hacker to execute any query for installations that have register_globals = on in PHP. This can allow a hacker to delete data from tables, or even drop databases/tables if the mantis db user has such access. | ||||
Tags | No tags attached. | ||||
Attached Files | file_download_sec.patch (2,100 bytes)
Index: file_download.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/file_download.php,v retrieving revision 1.25 diff -u -u -r1.25 file_download.php --- file_download.php 11 Jan 2004 07:16:06 -0000 1.25 +++ file_download.php 18 Mar 2004 11:43:02 -0000 @@ -25,12 +25,10 @@ $f_type = gpc_get_string( 'type' ); $c_file_id = (integer)$f_file_id; - #access_ensure_project_level( config_get( 'handle_bug_threshold' ) ); - # @@@ We need a security check here but we need the API to - # get the project_id or bug_id from the file first. # we handle the case where the file is attached to a bug # or attached to a project as a project doc. + $query = ''; switch ( $f_type ) { case 'bug': $t_bug_file_table = config_get( 'mantis_bug_file_table' ); @@ -44,11 +42,29 @@ FROM $t_project_file_table WHERE id='$c_file_id'"; break; + default: + access_denied(); } $result = db_query( $query ); $row = db_fetch_array( $result ); extract( $row, EXTR_PREFIX_ALL, 'v' ); + # Check access rights + switch ( $f_type ) { + case 'bug': + if ( ! bug_is_user_reporter( $v_bug_id, auth_get_current_user_id() ) ) { + access_ensure_bug_level( config_get( 'view_attachments_threshold' ), $v_bug_id ); + } + break; + case 'doc': + # Check if project documentation feature is enabled. + if ( OFF == config_get( 'enable_project_documentation' ) ) { + access_denied(); + } + + access_ensure_project_level( config_get( 'view_proj_doc_threshold' ), $v_project_id ); + break; + } header( 'Content-type: ' . $v_file_type ); header( 'Content-Length: ' . $v_filesize ); header( 'Content-Disposition: filename=' . file_get_display_name( $v_filename ) ); @@ -60,7 +76,7 @@ if ( file_exists( $v_diskfile ) ) { readfile( $v_diskfile ); } - break; + break; case FTP: if ( file_exists( $v_diskfile ) ) { readfile( $v_diskfile ); @@ -70,7 +86,7 @@ file_ftp_disconnect( $ftp ); readfile( $v_diskfile ); } - break; + break; default: echo $v_content; } 2004-01.txt (2,830 bytes)
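Review bot: in the first hunk (@@ -25,12 +25,10 @@), the added `$query = '';` is only half of the register_globals guard; an empty string reaching `db_query( $query )` would still be a failed query rather than a refusal, so this line relies on the `default: access_denied();` case added in the next hunk. A one-line comment above `$query = '';` saying it exists to override a request-supplied global would stop a later refactor from dropping either half. Removing the `# @@@ We need a security check here` TODO is fine, since the access-check block further down resolves it.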
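Review bot: in the second hunk (@@ -44,11 +42,29 @@), the new access-rights switch only runs after `$row = db_fetch_array( $result );` and `extract( $row, EXTR_PREFIX_ALL, 'v' );`, so an id with no row gives `extract()` a false value and `$v_bug_id` / `$v_project_id` are never set before they are tested; an `if ( ! $row ) { access_denied(); }` between the fetch and the `extract()` would cover that. The `enable_project_documentation` test in `case 'doc':` does not depend on the row and could sit before the query is run. Checking after the fetch is otherwise acceptable here because no header or body is sent before the switch.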
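Review bot: the `-			break;` / `+				break;` pairs in the third and fourth hunks (@@ -60,7 +76,7 @@ and @@ -70,7 +86,7 @@) are re-indentation only; keeping whitespace changes out of a security fix makes the diff easier to audit and to backport onto the 0.17.x and 0.18.x releases the advisory lists, and lets the ChangeLog entry describe only the behavioural changes.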
[Mantis Advisory/2004-01] Various vulnerabilities in Mantis 0.

Table of Contents
1. Introduction
2. Summary / Impact analysis
3. Affected versions
4. Workaround / Solution
5. Credit
6. Contact details

1. Introduction

Mantis is an Open Source web-based bugtracking system, written in PHP, which uses the MySQL database server. It is being actively developed by a small group of developers, and is considered to be in the beta stage.

2. Summary / Impact analysis

When configured, Mantis allows users to attach files to both bugs and projects. The script that allows users to download these files contained two vulnerabilities.

First of all, the script did not check whether the user was allowed to view the attached files. This made it possible for anyone with an account on the installation (or through anonymous access) to view any file uploaded to the bug tracker.

Secondly, the script did not properly initialise a variable used to build a SQL query. This made it possible for anyone with an account on the installation (or again with anonymous access) to execute an arbitrary query, under the permissions of the Mantis database user. A malicious user could elevate his access to the bug tracker; add, modify or delete any information in the bug tracker; or (on misconfigured systems) modify or access information in other databases. However, only installations with 'register_globals' enabled in PHP are vulnerable to this attack. This option has been disabled by default since PHP 4.2.0.

3. Affected versions

The following versions are affected:
Mantis 0.18.2
Mantis 0.18.1
Mantis 0.18.0 (including all alpha versions)
Mantis 0.17.5
Mantis 0.17.4a
Mantis 0.17.4
Mantis 0.17.3
Mantis 0.17.2
Mantis 0.17.1
Mantis 0.17.0

4. Workaround / Solution

Mantis 0.18.3 fixes this problem. Users are suggested to upgrade to this version when possible.

The first problem (access to files) can be prevented by not attaching any files to bugs or projects, or possibly by replacing file_download.php with the version from Mantis 0.18.3. The second problem can be prevented by disabling register_globals in PHP (for example using a php.ini file in the Mantis directory). Mantis will work fine with this option disabled.

5. Credit

These vulnerabilities were discovered by Victor Boctor, a member of the Mantis development team.

6. Contact details

The latest version of Mantis is always available from: http://mantisbt.org/
The current version is 0.18.3, which can be downloaded from http://mantisbt.org/download.php

If you have any questions about this vulnerability, or wish to report another, you can contact the developers at: mailto:mantisbt-security@lists.sourceforge.net
This is a private mailing list, read only by a few developers.
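To make the register_globals interaction concrete, here is an added PHP illustration that is not MantisBT's own code and not part of this issue: it simulates register_globals with a constructed request array, and sets the uninitialised-variable shape the advisory describes next to the initialise-and-deny shape of the patch. The `build_query_*` helpers, `import_request_globals()`, the table names and the request values are all constructed for the demo.

```php
<?php
// Added illustration for issue 0003660, not MantisBT code: the constructed
// request, table names and build_query_* functions only mirror the bug's shape.

// Simulates register_globals = On, where every request parameter becomes a
// global variable (the directive itself was removed in PHP 5.4).
function import_request_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Unsafe shape from the report: $query is assigned only for the known types,
// so an unknown type leaves whatever a request parameter named "query" planted.
function build_query_vulnerable(string $type, int $file_id): ?string
{
    global $query;   // the file-scope $query of the original script
    switch ($type) {
        case 'bug':
            $query = "SELECT * FROM mantis_bug_file_table WHERE id='$file_id'";
            break;
        case 'doc':
            $query = "SELECT * FROM mantis_project_file_table WHERE id='$file_id'";
            break;
    }
    return $query;   // request-controlled when $type matched neither case
}

// Hardened shape from the patch: initialise first and deny by default, so the
// request can never supply the statement that reaches the database.
function build_query_fixed(string $type, int $file_id): ?string
{
    $query = '';
    switch ($type) {
        case 'bug':
            $query = "SELECT * FROM mantis_bug_file_table WHERE id='$file_id'";
            break;
        case 'doc':
            $query = "SELECT * FROM mantis_project_file_table WHERE id='$file_id'";
            break;
        default:
            return null;   // stands in for access_denied()
    }
    return $query;
}
// Constructed request: an unhandled type plus a smuggled "query" parameter.
import_request_globals(['type' => 'other', 'file_id' => '7', 'query' => "SELECT 'request controlled'"]);
echo build_query_vulnerable($GLOBALS['type'], (int) $GLOBALS['file_id']), "\n"; // prints the smuggled statement
var_dump(build_query_fixed($GLOBALS['type'], (int) $GLOBALS['file_id']));      // NULL, i.e. denied
```

Run it with the `php` command-line binary: the vulnerable builder hands back the smuggled string, while the fixed one returns NULL for any type it does not know, which is exactly the difference the `$query = '';` plus `default: access_denied();` lines in the patch introduce.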
What do you think of this vulnerability?

The advisory looks really good. Just two comments:
The latest version of Mantis is always available from:
The current version is 0.18.3, which can be downloaded from

I'm not sure how to proceed. Send this with the announcement? Send it also to bugtraq and such?
MantisBT: master c5985163 2004-03-18 06:47
Fixed security bugs 0003660 (arbitrary SQL statement execution through file_download.php) and 0003661 (file_download.php does not check access) git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@2446 f5dc347c-c33d-0410-90a0-b07cc1902cb9
Affected Issues 0003660
mod - doc/ChangeLog
mod - file_download.php