
MantisBT <=1.2.3 (db_type) Local File Inclusion Vulnerability

Severity: High
Advisory ID: ZSL-2010-4984
Release Date: 15 December 2010
Vendor: MantisBT Group - http://www.mantisbt.org
Affected Version: <1.2.4
Tested On: Microsoft Windows XP Professional SP3 (English), Debian GNU/Linux (squeeze), Apache 2.2.14 (Win32), MySQL 5.1.41, PHP 5.3.1
Summary

MantisBT is a free popular web-based bugtracking system. It is written in the PHP scripting language and works with MySQL, MS SQL, and PostgreSQL databases and a webserver. MantisBT has been installed on Windows, Linux, Mac OS, OS/2, and others. Almost any web browser should be able to function as a client. It is released under the terms of the GNU General Public License (GPL).

Description

Mantis Bug Tracker suffers from a local file inclusion/disclosure (LFI/FD) vulnerability: input passed through the "db_type" parameter (GET and POST) to the upgrade_unattended.php script is not properly verified before being used to include files. This can be exploited to include files from local resources via directory traversal and URL-encoded NULL bytes.

--> library/adodb/adodb.inc.php (lines 4110-4111):
...
$file = ADODB_DIR."/drivers/adodb-".$db.".inc.php";
@include_once($file);
...
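The unsafe include pattern quoted above, placed beside an allowlisted version, as an added example: this is not MantisBT or ADOdb code and not the vendor's 1.2.4 fix, and ADODB_DIR plus the driver list are assumptions for illustration.

```php
<?php
// Added example, not MantisBT or ADOdb code. ADODB_DIR and the driver names
// below are assumptions; use the drivers your installation actually ships.
define('ADODB_DIR', __DIR__ . '/library/adodb');

// Unsafe: $db is request-controlled (the db_type parameter) and is spliced
// into the include path unchecked, so "../" and an encoded NUL steer the include.
function load_driver_unsafe($db) {
    $file = ADODB_DIR . "/drivers/adodb-" . $db . ".inc.php";
    return @include_once($file);
}

// Returns true only for an exact, case-sensitive match against known drivers.
// Strict in_array() avoids loose-comparison surprises; nothing is stripped or
// "sanitised", because filtering traversal sequences is weaker than allowlisting.
function valid_db_type($db) {
    static $allowed = array('mysql', 'mysqli', 'mssql', 'postgres', 'pgsql', 'oci8');
    return is_string($db) && in_array($db, $allowed, true);
}

// Hardened: validate first, then build the path only from the accepted value.
function load_driver_safe($db) {
    if (!valid_db_type($db)) {
        // Log the raw value hex-encoded so NUL bytes survive into the log,
        // giving the SOC a usable signal for attempts against this parameter.
        error_log('upgrade_unattended: rejected db_type ' .
            (is_string($db) ? bin2hex($db) : gettype($db)));
        return false;
    }
    $file = ADODB_DIR . '/drivers/adodb-' . $db . '.inc.php';
    return is_file($file) ? include_once $file : false;
}

// Constructed sample inputs: only the first is accepted; the others (wrong case,
// traversal with a NUL byte, path suffix tricks) are all rejected.
foreach (array('mysql', 'MySQL', "../../x.txt\0", 'mysql.inc.php/..') as $in) {
    printf("%-24s %s\n", json_encode($in), valid_db_type($in) ? 'accept' : 'reject');
}
```

Running the script prints accept for mysql and reject for the three malformed values, and load_driver_safe() never touches the filesystem for a rejected value.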
Proof of Concept
Disclosure Timeline
13.12.2010 - Vulnerability discovered.
13.12.2010 - Initial contact with the vendor.
13.12.2010 - Vendor responds asking for more details.
13.12.2010 - Sent PoC files to the vendor.
14.12.2010 - Vendor confirms the issue.
15.12.2010 - Vendor releases version 1.2.4 to address this issue (+Comment: Delete the "admin" directory after installation).
15.12.2010 - Coordinated public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
15.12.2010 - Initial release
16.12.2010 - Added references [13] and [14]
17.12.2010 - Added reference [15]
30.12.2010 - Added references [16] and [17]
05.01.2011 - Added references [18] and [19]
06.01.2011 - Added reference [20]
06.03.2011 - Added reference [21]