
MantisBT <=1.2.3 (db_type) Cross-Site Scripting & Path Disclosure Vulnerability

Risk: Medium
Advisory ID: ZSL-2010-4983
Release Date: 15 December 2010
Vendor: MantisBT Group - http://www.mantisbt.org
Affected Version: <1.2.4
Tested On: Microsoft Windows XP Professional SP3 (English), Debian GNU/Linux (squeeze), Apache 2.2.14 (Win32), MySQL 5.1.41, PHP 5.3.1
Summary

MantisBT is a free, popular web-based bug-tracking system. It is written in the PHP scripting language and works with MySQL, MS SQL and PostgreSQL databases and a web server. MantisBT has been installed on Windows, Linux, Mac OS, OS/2 and others. Almost any web browser should be able to function as a client. It is released under the terms of the GNU General Public License (GPL).

Description

Mantis Bug Tracker suffers from a cross-site scripting (XSS) vulnerability and a path disclosure weakness. The XSS issue is triggered because input passed via the "db_type" parameter to the admin/upgrade_unattended.php script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. The path disclosure (PD) weakness is caused by the application displaying the full installation path in an error report when an invalid "db_type" parameter is supplied to the admin/upgrade_unattended.php script.
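As an added illustration (not MantisBT's code and not part of the original advisory), the following PHP contrasts the pattern the description names, a request parameter and an absolute file path echoed straight into an error message, with a hardened handler that allow-lists the value, HTML-escapes it before output and keeps the installation path out of the response. The function names, the allow-list contents and the variable names are assumptions chosen for this example.

```php
<?php
// Added example, not MantisBT code: a simplified "unattended upgrade" entry
// point that receives a database type from the query string.
// validate_db_type(), render_db_type_error_*() and $allowed_db_types are
// hypothetical names chosen for this illustration.

// Vulnerable pattern (the root cause the advisory describes): the raw
// parameter is placed in HTML output without escaping, and the absolute
// path of the script is included in the same error text.
function render_db_type_error_vulnerable(string $db_type): string
{
    return 'Unsupported database type "' . $db_type . '" in ' . __FILE__;
}

// Hardened pattern.

// Constructed allow-list for the example; a real application would derive
// this from the database drivers it actually supports.
$allowed_db_types = ['mysql', 'mysqli', 'mssql', 'pgsql'];

function validate_db_type(string $db_type, array $allowed): ?string
{
    // Normalise, then compare strictly against the allow-list. Anything that
    // is not an expected driver name is rejected before it reaches output or
    // the database layer.
    $candidate = strtolower(trim($db_type));
    return in_array($candidate, $allowed, true) ? $candidate : null;
}

function render_db_type_error_hardened(string $db_type): string
{
    // Escape for the HTML context and keep the user-facing message generic:
    // no file paths, no server-side configuration details.
    $safe = htmlspecialchars($db_type, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return 'Unsupported database type: ' . $safe;
}

// Request handling (illustrative).
$db_type = (string) ($_GET['db_type'] ?? '');
$valid   = validate_db_type($db_type, $allowed_db_types);

if ($valid === null) {
    // Diagnostic detail stays in the server log; control characters are
    // stripped so the rejected value cannot forge extra log lines.
    error_log('upgrade_unattended: rejected db_type '
        . preg_replace('/[^\x20-\x7E]/', '?', substr($db_type, 0, 64)));

    http_response_code(400);
    header('Content-Type: text/html; charset=UTF-8');
    echo '<p>' . render_db_type_error_hardened($db_type) . '</p>';
    exit;
}

// From here on only $valid is used: it is guaranteed to be one of the
// allow-listed driver names, never the untrusted original string.
```

Two separate controls address the two findings: output escaping (and, better still, the allow-list that makes the echoed value a known constant) covers the XSS, while keeping `__FILE__` and similar server details out of client-facing errors covers the path disclosure. Note that escaping alone would not prevent the path leak, and the allow-list alone would not help if the rejected value were still echoed raw, so both are needed.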

Proof of Concept
Disclosure Timeline
13.12.2010 - Vulnerability discovered.
13.12.2010 - Initial contact with the vendor.
13.12.2010 - Vendor responds asking for more details.
13.12.2010 - Sent PoC files to the vendor.
14.12.2010 - Vendor confirms the issue.
15.12.2010 - Vendor releases version 1.2.4 to address this issue.
15.12.2010 - Coordinated public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
15.12.2010 - Initial release
16.12.2010 - Added references [13] and [14]
16.12.2010 - Added reference [15]
30.12.2010 - Added references [16], [17], [18] and [19]
05.01.2011 - Added references [20] and [21]
06.01.2011 - Added reference [22]