[BuHa-Security] Multiple Vulnerabilities in Mantis 1.00rc4

[bugtraq () morph3us org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

 ---------------------------------------------------
| BuHa Security-Advisory #7     |    Feb 14th, 2006 |
 ---------------------------------------------------
| Vendor   | Mantis BT                              |
| URL      | http://www.mantisbt.org/               |
| Version  | <= Mantis 1.00rc4                      |
| Risk     | Moderate                               |
 ---------------------------------------------------

o Description:
=============

Mantis is a web-based bugtracking system. It is written in the PHP
scripting language and requires the MySQL database and a webserver.

Visit http://www.mantisbt.org/ for detailed information.

o SQL-Injection:
===============

> > /manage_user_page.php:
GET: <?sort=last_visit'>

The manipulated data of the sort parameter is saved into
"MANTIS_MANAGE_COOKIE" cookie. The value of the cookie is inserted
into a SQL query and everytime the page is loaded a MySQL database
error is displayed.

> > You have an error in your SQL syntax; check the manual that
> > corresponds to your MySQL server version for the right syntax
> > to use near '\"> ASC' at line 4 for the query:
> > SELECT *
> > FROM mantis_user_table
> > WHERE (1 = 1)
> > ORDER BY last_visit\' AS

Unexploitable SQL-Injection, temporary defacement.

o XSS:
=====

> > /view_all_set.php:
GET: <?type=1&handler_id=1&hide_status=[XSS]>
GET: <?type=1&handler_id=[XSS]>
GET: <?type=1&temporary=y&user_monitor=[XSS]>
GET: <?type=1&temporary=y&reporter_id=[XSS]>
GET: <?type=6&view_type=[XSS]>
GET: <?type=1&show_severity=[XSS]>
GET: <?type=1&show_category=[XSS]>
GET: <?type=1&show_status=[XSS]>

GET: <?type=1&show_resolution=[XSS]>
GET: <?type=1&show_build=[XSS]>
GET: <?type=1&show_profile=[XSS]>
GET: <?type=1&show_priority=[XSS]>

GET: <?type=1&highlight_changed=[XSS]>
GET: <?type=1&relationship_type=[XSS]>
GET: <?type=1&relationship_bug=[XSS]>

> > /manage_user_page.php:
GET: <?sort=[XSS]>

> > /view_filters_page.php:
GET: </view_filters_page.php?view_type=[XSS]>

> > /proj_doc_delete.php:
GET: <?file_id=1&title=[XSS]>

o Disclosure Timeline:
=====================

08 Oct 05 - Security flaws discovered.
17 Nov 05 - Vendor contacted.
15 Dec 05 - Vendor contacted again.
18 Dec 05 - Vendor confirmed vulnerabilities.
18 Dec 05 - Vendor released partly bugfixed version.
19 Dec 05 - Vendor contacted again.
03 Feb 06 - Vendor released bugfixed version.
14 Feb 06 - Public release.

o Solution:
==========

Upgrade to Mantis 1.0.0. [1]

o Credits:
=========

Thomas Waldegger <bugtraq () morph3us org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq () morph3us org' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, nait, trappy and all
members of BuHa.

Advisory online: http://morph3us.org/advisories/20060214-mantis-100rc4.txt

[1] http://www.mantisbt.org/download.php

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFD8qCZkCo6/ctnOpYRA3OmAJkBblkaWsqm4Gsmd1kmZmfSiE0tdgCgkPXw
Yw3XgTq5MxLHSGX7hExkDpQ=
=nRmi
-----END PGP SIGNATURE-----