MantisBT <=1.2.3 (db_type) Cross-Site Scripting & Path Disclosure Vulnerability

Title: MantisBT <=1.2.3 (db_type) Cross-Site Scripting & Path Disclosure Vulnerability
Advisory ID: ZSL-2010-4983
Type: Remote
Impact: Cross-Site Scripting, Exposure of System Information
Risk: (3/5)
Release Date: 15.12.2010
Summary
MantisBT is a free, popular web-based bug tracking system. It is written in PHP and runs on a web server with a MySQL, MS SQL or PostgreSQL database. MantisBT has been installed on Windows, Linux, Mac OS, OS/2 and other platforms, and almost any web browser can function as a client. It is released under the terms of the GNU General Public License (GPL).
Description
MantisBT suffers from a reflected cross-site scripting (XSS) vulnerability and a path disclosure (PD) weakness, both in the admin/upgrade_unattended.php script. The XSS issue occurs because input passed via the "db_type" parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. The PD weakness is caused by the application displaying the full installation path in an error report when an invalid "db_type" value is supplied to the same script.
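The following PHP is an added illustration of the flaw pattern described above and its hardened counterpart; it is not MantisBT's own code, and the fix in 1.2.4 may differ in detail. It models a script that turns the request's "db_type" value into a database driver file name: when the type is unknown, PHP's include warning quotes the full install path (the PD weakness) and the raw parameter is echoed into the error report (the XSS). The allow-list of driver names and the library directory are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Illustrative model of the flaw pattern this advisory describes; this is not
// MantisBT's own code. An unattended upgrade script builds an ADOdb driver file
// name from the request's "db_type" value. On an unknown type, the vulnerable
// variant lets two things reach the browser: PHP's include warning, which names
// the full installation path (PD), and the raw parameter inside an error
// message (XSS). The hardened variant validates first and escapes on output.
// The driver list and library path below are assumed for the demonstration.

const ALLOWED_DB_TYPES = ['mysql', 'mysqli', 'pgsql', 'mssql', 'oci8', 'db2'];
const ADODB_DRIVER_DIR = __DIR__ . '/library/adodb/drivers';   // assumed layout

/** Run $fn and return its HTML plus whatever PHP would print for warnings
 *  when display_errors=On (PHP's default HTML error format). */
function capture_page_output(callable $fn): string
{
    $html = '';
    set_error_handler(function (int $errno, string $message) use (&$html): bool {
        $html .= "<br />\n<b>Warning</b>:  {$message}<br />\n";
        return true;   // handled here, so PHP does not also print it
    }, E_WARNING);
    try {
        $html .= $fn();
    } finally {
        restore_error_handler();
    }
    return $html;
}

/** Vulnerable: untrusted value goes straight into a filesystem path and into HTML. */
function load_driver_vulnerable(string $db_type): string
{
    return capture_page_output(function () use ($db_type): string {
        $file = ADODB_DRIVER_DIR . '/adodb-' . $db_type . '.inc.php';
        // A failing include_once emits E_WARNINGs that quote $file in full,
        // i.e. the absolute install path and the attacker's unescaped input.
        if ((include_once $file) === false) {
            // Second sink: the raw parameter reflected into the error report.
            return "<p>Unknown database type: {$db_type}</p>\n";
        }
        return "<p>Driver loaded.</p>\n";
    });
}

/** Hardened: allow-list the input, escape on output, never echo paths. */
function load_driver_hardened(string $db_type): string
{
    if (!in_array($db_type, ALLOWED_DB_TYPES, true)) {
        $safe = htmlspecialchars($db_type, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return "<p>Unknown database type: {$safe}</p>\n";
    }
    $file = ADODB_DRIVER_DIR . '/adodb-' . $db_type . '.inc.php';
    if (!is_file($file)) {
        // Keep the detail server-side; the client gets a generic message.
        error_log("ADOdb driver missing: {$file}");
        return "<p>The requested database driver is not installed.</p>\n";
    }
    require_once $file;
    return "<p>Driver loaded.</p>\n";
}

// Constructed input standing in for ?db_type=<payload> on the request line.
$payload = '<script>alert(1)</script>';
echo "--- vulnerable ---\n", load_driver_vulnerable($payload), "\n";
echo "--- hardened ---\n", load_driver_hardened($payload), "\n";
```

Run from the command line, the vulnerable branch returns the two include warnings, each naming the absolute path under ADODB_DRIVER_DIR with the unescaped payload embedded in it, followed by the payload again inside the error paragraph; the hardened branch returns only an escaped copy of the value. Independently of the code change, setting display_errors = Off and log_errors = On in php.ini on a production host removes the path-disclosure channel for any include or file error the application fails to catch.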
Vendor
MantisBT Group - http://www.mantisbt.org
Affected Version
1.2.3 and earlier (all releases before 1.2.4)
Tested On
Microsoft Windows XP Professional SP3 (English)
Debian GNU/Linux (squeeze)
Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1
Vendor Status
[13.12.2010] Vulnerability discovered.
[13.12.2010] Initial contact with the vendor.
[13.12.2010] Vendor responds asking more details.
[13.12.2010] Sent PoC files to the vendor.
[14.12.2010] Vendor confirms the issue.
[15.12.2010] Vendor releases version 1.2.4 to address this issue.
[15.12.2010] Coordinated public advisory released.
PoC
mantis_xss_pd.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.mantisbt.org/bugs/view.php?id=12607
[2] http://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.4
[3] http://git.mantisbt.org/?p=mantisbt.git;a=commit;h=2641fdc60d2032ae1586338d6416e1eadabd7590
[4] http://www.mantisbt.org/blog/?p=123
[5] http://bugs.gentoo.org/show_bug.cgi?id=348761
[6] https://bugzilla.redhat.com/show_bug.cgi?id=663230
[7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159
[8] https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482
[9] http://www.exploit-db.com/exploits/15735/
[10] http://www.exploit-db.com/ghdb/3651/
[11] http://secunia.com/advisories/42597/
[12] http://www.securityfocus.com/bid/45399
[13] http://securityreason.com/wlb_show/WLB-2010120073
[14] http://xforce.iss.net/xforce/xfdb/64116
[15] http://packetstormsecurity.org/files/96722
[16] http://osvdb.org/show/osvdb/70156
[17] http://osvdb.org/show/osvdb/70155
[18] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4348
[19] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4349
[20] http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052730.html
[21] http://www.vupen.com/english/advisories/2011/0002
[22] http://lwn.net/Vulnerabilities/421455/
Changelog
[15.12.2010] - Initial release
[16.12.2010] - Added reference [13] and [14]
[16.12.2010] - Added reference [15]
[30.12.2010] - Added reference [16], [17], [18] and [19]
[05.01.2011] - Added reference [20] and [21]
[06.01.2011] - Added reference [22]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk