[Mantis Advisory/2002-01] SQL poisoning vulnerability in Mantis

From: Jeroen Latour (jlatourat_private)
Date: Sun Aug 18 2002 - 23:47:27 PDT


    [Mantis Advisory/2002-01] SQL poisoning vulnerability in Mantis
    
       0. Table of Contents
    
         1. Introduction
         2. Summary / Impact analysis
         3. Affected versions
         4. Workaround / Solution
         5. Detailed explanation
         6. Contact details
    
       1. Introduction
    
    Mantis is an Open Source web-based bugtracking system, written in PHP, 
    which uses the MySQL database server. It is being actively developed by a 
    small group of developers, and is considered to be in the beta stage.
    
    In response to the increased number of users and to the increasing number 
    of discovered security vulnerabilities, the Mantis team has decided to 
    start releasing advisories for all vulnerabilities in versions higher than 
    0.17.0. This is the first in a series of advisories which cover the 
    previously discovered vulnerabilities in greater detail.
    
       2. Summary / Impact analysis
    
    Older versions of Mantis do not check all user input, especially input that 
    does not come directly from form fields. On systems without magic_quotes_gpc 
    enabled, this opens up a wide variety of SQL poisoning (SQL injection) 
    vulnerabilities. Most of them are exploitable only in a limited manner, 
    since PHP no longer allows multiple queries to be executed with one call to 
    mysql_query(): an attacker can alter the statement being run, but cannot 
    append a second one.
    
    There is one query which can be tricked into changing an account's access 
    level. A malicious user with an account on the Mantis installation can 
    therefore promote that account to administrator of the installation. This 
    particular vulnerability has been fixed in version 0.17.3.
    
    Note: Other vulnerabilities, caused by the same lack of input checking, may 
    exist!
    
       3. Affected versions
    
    The following versions are known to be affected:
       Mantis 0.17.2
    
    The following versions are known to be unaffected:
       Mantis 0.17.4a (*)
       Mantis 0.17.4 (*)
       Mantis 0.17.3 (*)
    
    The following versions are presumed to be affected:
       All versions below Mantis 0.17.2
    
    * = But read the note in section 2.
    
       4. Workaround / Solution
    
    Mantis 0.17.3 fixes the exploitable query mentioned in section 2.
    All users are recommended to upgrade to the latest version, currently 0.17.4a.
    
    Since this vulnerability was discovered, the coding guidelines have been 
    changed to ensure that every bit of user input that is fed to SQL queries 
    is either validated or escaped. Unfortunately, these changes came too late 
    to be released with Mantis 0.17.3. They have been committed to CVS and will 
    be included in 0.18.0.
    Users who prefer security over a tested release are encouraged to use the 
    CVS version. 0.18.0 is currently being wrapped up, but the release may take 
    a few weeks.
    
    If an upgrade is not possible, Mantis 0.17.2 (and possibly lower) can be 
    patched to secure the exploitable query:
    
       In account_update.php, insert the following lines in a PHP block before 
    the SQL queries are executed:
         $f_username = addslashes($f_username);
         $f_email = addslashes($f_email);
    
    Enabling magic_quotes_gpc in your PHP configuration will also prevent the 
    problem from being exploitable. Apply one of the two, not both: with 
    magic_quotes_gpc on, PHP has already escaped the request parameters, and 
    calling addslashes() on them again escapes the backslashes a second time, 
    so a username or address containing a quote is stored with a stray 
    backslash. Note that this patch covers only the two fields used by this 
    query; see the note in section 2.
    
       5. Detailed explanation
    
    By modifying the username or the email of a Mantis account, it is possible 
    to change any column of the Mantis user table (mantis_user_table by default).
    
    This is done by inserting a quote into the username or email and crafting 
    the rest of the value so that the resulting string is still a valid SQL 
    query.
    
    For example:
       - The email can be set to: user@server', access_level=90, email='
       - The normal query is:
           UPDATE mantis_user_table
             SET username='$f_username', email='$f_email'
             WHERE id='$f_id'
       - With the specified value for the email field, this becomes:
           UPDATE mantis_user_table
             SET username='someusername', email='user@server', access_level=90, 
    email=''
             WHERE id='$f_id'
       - This sets the access_level column to 90, the internal value for 
    Administrator. The trailing email='' assignment is there only to absorb 
    the closing quote of the original query.
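    The following is an added example, not code from the advisory or from 
    Mantis. It reproduces the interpolated UPDATE from section 5 in Python 
    against an in-memory SQLite table (a constructed three-column stand-in for 
    mantis_user_table holding one non-admin account), shows the access_level 
    change the payload produces, contrasts it with a bound-parameter version of 
    the same query, checks that a stacked second statement is refused the way 
    mysql_query() refuses it, and renders the query string the addslashes() 
    workaround from section 4 would hand to MySQL. The function names and the 
    sample account are assumptions; the MySQL string is shown rather than run, 
    because SQLite does not treat backslash as an escape character.

```python
import sqlite3

# Constructed stand-in for mantis_user_table (assumption: only the columns the
# advisory mentions; the real Mantis table has more).
SCHEMA = """
CREATE TABLE mantis_user_table (
    id           INTEGER PRIMARY KEY,
    username     TEXT,
    email        TEXT,
    access_level INTEGER
)
"""
ADMIN_LEVEL = 90  # internal value for Administrator, per the advisory
# The email value from section 5 of the advisory.
PAYLOAD = "user@server', access_level=90, email='"


def fresh_db():
    """In-memory database holding one constructed, non-admin account (id 7)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO mantis_user_table VALUES (7, 'mallory', 'm@example.org', 10)")
    conn.commit()
    return conn


def update_account_vulnerable(conn, f_id, f_username, f_email):
    """Mirror of the pre-0.17.3 query: request values pasted into the SQL text."""
    sql = ("UPDATE mantis_user_table "
           f"SET username='{f_username}', email='{f_email}' "
           f"WHERE id='{f_id}'")
    conn.execute(sql)
    conn.commit()
    return sql


def update_account_safe(conn, f_id, f_username, f_email):
    """Hardened form: bound parameters, so the values are never parsed as SQL."""
    sql = "UPDATE mantis_user_table SET username=?, email=? WHERE id=?"
    conn.execute(sql, (f_username, f_email, f_id))
    conn.commit()
    return sql


def account_state(conn, user_id):
    """(access_level, email) of the given account."""
    return conn.execute(
        "SELECT access_level, email FROM mantis_user_table WHERE id=?",
        (user_id,)).fetchone()


def stacked_statement_rejected(conn):
    """One statement per call, like PHP's mysql_query(): a trailing ';DROP ...'
    is refused outright, which is why the impact is limited to what a single
    UPDATE can express."""
    try:
        conn.execute("UPDATE mantis_user_table SET email='x' WHERE id='7'; "
                     "DROP TABLE mantis_user_table")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


def addslashes(s):
    """Python port of PHP's addslashes(): backslash-escapes \\, ', " and NUL.
    This is what the advisory's workaround applies; the result is only valid
    for MySQL, which treats backslash as an escape character inside strings."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def mysql_query_with_workaround(f_id, f_username, f_email):
    """Query text the patched account_update.php would hand to MySQL (shown,
    not executed: SQLite has no backslash escapes)."""
    return ("UPDATE mantis_user_table "
            f"SET username='{addslashes(f_username)}', email='{addslashes(f_email)}' "
            f"WHERE id='{f_id}'")


if __name__ == "__main__":
    db = fresh_db()
    print(update_account_vulnerable(db, 7, "mallory", PAYLOAD))
    print("after injection:", account_state(db, 7))         # (90, '')
    db = fresh_db()
    update_account_safe(db, 7, "mallory", PAYLOAD)
    print("with bound parameters:", account_state(db, 7))   # (10, PAYLOAD)
    print("stacked statement rejected:", stacked_statement_rejected(db))
    print(mysql_query_with_workaround(7, "mallory", PAYLOAD))
```

    Run it as a script to see the three query strings. SQLite, like the 
    advisory's MySQL example, applies the rightmost of two assignments to the 
    same column, so the email ends up empty while access_level becomes 90. 
    Bound parameters are the durable fix: they do not depend on the database's 
    quoting rules the way addslashes() does, and they cannot be undone by a 
    second round of escaping.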
    
       6. Contact details
    
    The latest version of Mantis is always available from:
         http://mantisbt.sourceforge.net/
    The current version is 0.17.4a, which can be downloaded from
         http://mantisbt.sourceforge.net/download.php3
    
    If you have any questions about this vulnerability, or wish to report 
    another, you can contact the developers at:
         mailto:mantisbt-securityat_private
    This is a private mailinglist, readable only by a few developers.
    
    The latest version of this and other advisories can be found at:
         http://mantisbt.sourceforge.net/security.php3
    


