[Mantis Advisory/2004-01] Various vulnerabilities in Mantis 0.

Table of Contents

1. Introduction
2. Summary / Impact analysis
3. Affected versions
4. Workaround / Solution
5. Credit
6. Contact details

1. Introduction

Mantis is an Open Source web-based bug tracking system, written in PHP, which uses the MySQL database server. It is being actively developed by a small group of developers, and is considered to be in the beta stage.

2. Summary / Impact analysis

When configured to do so, Mantis allows users to attach files to both bugs and projects. The script that allows users to download these files contained two vulnerabilities.

First of all, the script did not check whether the user was allowed to view the attached files. This made it possible for anyone with an account on the installation (or through anonymous access) to view any file uploaded to the bug tracker.

Secondly, the script did not properly initialise a variable used to build a SQL query. This made it possible for anyone with an account on the installation (or again with anonymous access) to execute an arbitrary query, under the permissions of the Mantis database user. A malicious user could elevate his access to the bug tracker, add, modify or delete any information in the bug tracker or (on misconfigured systems) modify or access information in other databases. However, only installations with 'register_globals' enabled in PHP are vulnerable to this attack. This option has been disabled by default since PHP 4.2.0.

3. Affected versions

The following versions are affected:

Mantis 0.18.2
Mantis 0.18.1
Mantis 0.18.0 (including all alpha versions)
Mantis 0.17.5
Mantis 0.17.4a
Mantis 0.17.4
Mantis 0.17.3
Mantis 0.17.2
Mantis 0.17.1
Mantis 0.17.0

4. Workaround / Solution

Mantis 0.18.3 fixes this problem. Users are advised to upgrade to this version when possible.

The first problem (access to files) can be prevented by not attaching any files to bugs or projects, or possibly by replacing file_download.php with the version from Mantis 0.18.3. The second problem can be prevented by disabling register_globals in PHP (for example using a php.ini file in the Mantis directory). Mantis will work fine with this option disabled.

5. Credit

These vulnerabilities were discovered by Victor Boctor, a member of the Mantis development team.

6. Contact details

The latest version of Mantis is always available from: http://mantisbt.org/

The current version is 0.18.3, which can be downloaded from http://mantisbt.org/download.php

If you have any questions about this vulnerability, or wish to report another, you can contact the developers at: mailto:mantisbt-security@lists.sourceforge.net

This is a private mailing list, read only by a few developers.
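The following is an added illustration, not code from Mantis or from the advisory's authors, of a download handler that closes both defects described in section 2: every variable that reaches the SQL query is initialised from explicitly read, validated input (so register_globals cannot supply it), and the caller's right to view the owning bug is checked before the file is served. The table and column names and the helpers user_can_view_bug() and current_user_id() are assumptions for the example.

```php
<?php
// Added example, not Mantis code. Demonstrates the hardened shape of a
// file-download script for the two issues in the advisory.
// Workaround from section 4, in a php.ini placed in the Mantis directory:
//     register_globals = Off

// Defect 2 fix: read request input explicitly and initialise every variable
// that is later used to build a query. With register_globals=On an
// uninitialised $t_where could be supplied by the request itself.
$f_file_id = isset($_GET['file_id']) ? (int) $_GET['file_id'] : 0;
$t_where   = '';   // explicit initialisation; never left to the environment

if ($f_file_id <= 0) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}

// The id is forced to an integer, so no request-controlled text is ever
// concatenated into the SQL. Table/column names are assumed for the example.
$t_where = sprintf('id = %d', $f_file_id);
$t_query = "SELECT bug_id, filename, file_type, content "
         . "FROM mantis_bug_file_table WHERE $t_where";
$t_result = mysql_query($t_query);   // PHP 4-era MySQL API, as used in 2004
if (!$t_result || mysql_num_rows($t_result) == 0) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
$t_row = mysql_fetch_assoc($t_result);

// Defect 1 fix: authorise before serving. The caller must be allowed to view
// the bug the attachment belongs to (helpers assumed; Mantis grants access
// per project, so this is where that access level is consulted).
if (!user_can_view_bug(current_user_id(), (int) $t_row['bug_id'])) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Only after both checks pass is the attachment written to the client.
header('Content-Type: ' . $t_row['file_type']);
header('Content-Disposition: attachment; filename="'
       . basename($t_row['filename']) . '"');
echo $t_row['content'];
```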