Bugtraq mailing list archives
[BuHa-Security] Multiple Vulnerabilities in Mantis 1.00rc4
From: bugtraq () morph3us org
Date: 15 Feb 2006 04:42:22 -0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

 ---------------------------------------------------
| BuHa Security-Advisory #7     |    Feb 14th, 2006 |
 ---------------------------------------------------
| Vendor   | Mantis BT                              |
| URL      | http://www.mantisbt.org/               |
| Version  | <= Mantis 1.00rc4                      |
| Risk     | Moderate                               |
 ---------------------------------------------------

o Description:
=============

Mantis is a web-based bugtracking system. It is written in the PHP
scripting language and requires the MySQL database and a webserver.

Visit http://www.mantisbt.org/ for detailed information.

o SQL-Injection:
===============

/manage_user_page.php:
GET: <?sort=last_visit'>

The manipulated data of the sort parameter is saved into the
"MANTIS_MANAGE_COOKIE" cookie. The value of the cookie is inserted into
a SQL query and every time the page is loaded a MySQL database error is
displayed.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\"> ASC' at line 4 for the query: SELECT * FROM mantis_user_table WHERE (1 = 1) ORDER BY last_visit\' AS

Unexploitable SQL-Injection, temporary defacement.

o XSS:
=====

/view_all_set.php:
GET: <?type=1&handler_id=1&hide_status=[XSS]>
GET: <?type=1&handler_id=[XSS]>
GET: <?type=1&temporary=y&user_monitor=[XSS]>
GET: <?type=1&temporary=y&reporter_id=[XSS]>
GET: <?type=6&view_type=[XSS]>
GET: <?type=1&show_severity=[XSS]>
GET: <?type=1&show_category=[XSS]>
GET: <?type=1&show_status=[XSS]>
GET: <?type=1&show_resolution=[XSS]>
GET: <?type=1&show_build=[XSS]>
GET: <?type=1&show_profile=[XSS]>
GET: <?type=1&show_priority=[XSS]>
GET: <?type=1&highlight_changed=[XSS]>
GET: <?type=1&relationship_type=[XSS]>
GET: <?type=1&relationship_bug=[XSS]>

/manage_user_page.php:
GET: <?sort=[XSS]>
/view_filters_page.php:
GET: </view_filters_page.php?view_type=[XSS]>
/proj_doc_delete.php:
GET: <?file_id=1&title=[XSS]>

o Disclosure Timeline:
=====================

08 Oct 05 - Security flaws discovered.
17 Nov 05 - Vendor contacted.
15 Dec 05 - Vendor contacted again.
18 Dec 05 - Vendor confirmed vulnerabilities.
18 Dec 05 - Vendor released partly bugfixed version.
19 Dec 05 - Vendor contacted again.
03 Feb 06 - Vendor released bugfixed version.
14 Feb 06 - Public release.

o Solution:
==========

Upgrade to Mantis 1.0.0. [1]

o Credits:
=========

Thomas Waldegger <bugtraq () morph3us org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq () morph3us org' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, nait, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20060214-mantis-100rc4.txt

[1] http://www.mantisbt.org/download.php

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFD8qCZkCo6/ctnOpYRA3OmAJkBblkaWsqm4Gsmd1kmZmfSiE0tdgCgkPXw
Yw3XgTq5MxLHSGX7hExkDpQ=
=nRmi
-----END PGP SIGNATURE-----
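
The sort issue reported for /manage_user_page.php arises when a request value reaches both an ORDER BY clause and the page output unchanged. The following is an added example, not Mantis code and not part of the advisory, showing one way to handle such a value in PHP. The column list (apart from last_visit) and all function names are assumptions.

```php
<?php
// Added example, not Mantis source. Columns other than last_visit and all
// function names are assumed for illustration.
const SORT_COLUMNS = ['username', 'realname', 'email', 'last_visit'];
const SORT_DEFAULT = 'username';

// Map an untrusted sort value (GET parameter, or the value read back from a
// cookie) onto a fixed identifier. Identifiers cannot be bound as query
// parameters, so an allowlist is the control for ORDER BY.
function safe_sort_column(?string $raw): string
{
    return in_array($raw, SORT_COLUMNS, true) ? $raw : SORT_DEFAULT;
}

function safe_sort_dir(?string $raw): string
{
    return strtoupper((string) $raw) === 'DESC' ? 'DESC' : 'ASC';
}

// "Before": the request value flows into the statement unchanged.
function build_query_unsafe(string $sort, string $dir): string
{
    return "SELECT * FROM mantis_user_table WHERE (1 = 1) ORDER BY $sort $dir";
}

// "After": only allowlisted identifiers and keywords reach the statement.
function build_query_safe(?string $sort, ?string $dir): string
{
    return sprintf(
        'SELECT * FROM mantis_user_table WHERE (1 = 1) ORDER BY %s %s',
        safe_sort_column($sort),
        safe_sort_dir($dir)
    );
}

// Output side: encode the value whenever it is echoed back into HTML.
function render_sort_field(?string $sort): string
{
    $value = htmlspecialchars((string) $sort, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="sort" value="' . $value . '">';
}

// Constructed inputs: a valid column, then the value from the advisory.
foreach (['last_visit', "last_visit'>"] as $input) {
    echo build_query_unsafe($input, 'ASC'), "\n";
    echo build_query_safe($input, 'ASC'), "\n";
    echo render_sort_field($input), "\n\n";
}
```

Validating the value again when it is read back from the cookie matters here, because the advisory notes that the stored value is what breaks the query on every page load.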