Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 103308 - www-apps/mantisbt: SQL injection and XSS (CAN-2005-255{6-7})
Summary: www-apps/mantisbt: SQL injection and XSS (CAN-2005-255{6-7})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-22 00:53 UTC by Thierry Carrez (RETIRED)
Modified: 2005-11-29 06:26 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
mantis_0.19.2-4.diff (mantis_0.19.2-4.diff,3.68 KB, patch)
2005-09-11 16:34 UTC, SpanKY
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2005-08-22 00:53:23 UTC
Two security related problems have been discovered in Mantis, a
web-based bug tracking system.  The Common Vulnerabilities and
Exposures project identifies the following problems:

CAN-2005-2556

    A remote attacker could insert arbitrary SQL code into SQL
    statements.

CAN-2005-2557

    A remote attacker was able to insert arbitrary HTML code bug
    reports, hence, cross site scripting.
Comment 1 Jean-François Brunette (RETIRED) gentoo-dev 2005-08-22 11:17:07 UTC
Total of 4 bugs (two have been fixed in 1.0.0rc1):
http://secunia.com/advisories/16506/
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-08-29 07:38:37 UTC
Apparently the Mantis team won't fix it quickly. Probably better to derive a
patch from the Debian patchset ? Problem being they are based on 0.19.2 :

http://security.debian.org/pool/updates/main/m/mantis/mantis_0.19.2-4.diff.gz
http://security.debian.org/pool/updates/main/m/mantis/mantis_0.19.2.orig.tar.gz

Pulling in web-apps for inputs.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-09-07 07:20:14 UTC
Hmm, maybe we should mask it.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-08 23:27:12 UTC
No response from maintainer -> I vote for a mask. Vapier/Solar please do the 
magic if you agree.  
Comment 5 SpanKY gentoo-dev 2005-09-09 23:35:25 UTC
if it's fixed in debian why dont we just add their patchset to our SRC_URI and
utilize it ?  i could do it up ...
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-10 01:01:29 UTC
Mike you didn't agree, please to your magic then:-) 
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-09-11 03:06:15 UTC
vapier: it should be possible to use the Debian patchset yes (probably by
bumping to the same version they use). It's because the web-apps team apparently
wasn't too enthousiast about it that we suggested masking. If yo ufeel like it
please do it, otherwise we'll mask.
Comment 8 SpanKY gentoo-dev 2005-09-11 16:34:06 UTC
Created attachment 68207 [details, diff]
mantis_0.19.2-4.diff

well we have 1.0.0rc1 in portage which resolves the first two issues, but the
2nd two arent obvious as to how they are fixed in the Debian patchset (if they
are)

attached is the Debian patchset (#4) for 0.19.2 with all the extra cruft
removed

unless someone else feels like taking it further, i guess it's time we mask ;)
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-09-14 03:13:50 UTC
web-apps: last chance before masking
vapier: please go ahead asap :)
Comment 10 Renat Lumpau (RETIRED) gentoo-dev 2005-09-14 03:15:29 UTC
Eh, they _just_ released 1.0.0_rc2, we should check if the security issues were
fixed before masking. I'll try to take a look this afternoon.
Comment 11 Renat Lumpau (RETIRED) gentoo-dev 2005-09-14 04:24:47 UTC
1.0.0_rc2 and a patched 0.19.2 are in the tree. I can't tell from the ChangeLog
( http://www.mantisbt.org/changelog.php ) if the vulnerabilities have been
fixed. Thoughts?
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-09-14 04:55:51 UTC
RC1 fixes :
- 0005751: [security] Javascript XSS vulnerability (thraxisp)
- 0005959: [security] Cross Site Scripting Vulnerabilty in the
mantis/view_all_set.php Script (thraxisp)

RC2 fixes :
- 0006097: [security] user ID is cached indefinately (thraxisp)
- 0006189: [security] List of users (in filter) visible for unauthorized users.
(thraxisp)

According to Secunia/Debian there are four things :

http://bugs.mantisbt.org/view.php?id=5751
http://bugs.mantisbt.org/view.php?id=5956 [ access denied ]
http://bugs.mantisbt.org/view.php?id=5959 [ access denied ]
http://bugs.mantisbt.org/view.php?id=6002 [ access denied ]

1) Input included in bug reports is not properly sanitised before being deleted.
This can be exploited to execute arbitrary HTML and script code in an
administrative user's browser session in context of a vulnerable site when a
malicious bug report is deleted. --> Mantis bug 5751, FIXED in RC1

2) Unspecified input passed to the "mantis/view_all_set.php" script is not
properly sanitised before being returned to users. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in context of
a vulnerable site. --> FIXED in RC1, Mantis bug 5959

3) Unspecified input passed to the "mantis/view_all_bug_page.php" script is not
properly sanitised before being returned to users. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in context of
  vulnerable site. --> ?

view_all_bug_page.php wasn't changed in the last 7 months so I guess it isn't fixed.

4) Unspecified input is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
--> ?

since neither mantisbug 5956 or mantisbug 6002 appear in the changelog, I guess
this one isn't fixed either...

Since the last bug is about SQL injection, I call for masking.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-09-14 04:57:24 UTC
Renat: does your patched-0.19.2 mirror all Debian patches ? In which case it
probably fixes all the things and we can keep it.
Comment 14 Renat Lumpau (RETIRED) gentoo-dev 2005-09-14 14:13:28 UTC
I applied vapier's patches, so I guess we can keep 0.19.2. FYI - 0.18.3 is
stable on ppc.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-09-15 01:01:36 UTC
ppc: please test and mark 0.19.2 stable
Comment 16 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-15 10:25:54 UTC
Stable on ppc.
Comment 17 Renat Lumpau (RETIRED) gentoo-dev 2005-09-15 16:25:14 UTC
Ok, 0.19.2 is all set, 1.0.0_rc2 has been masked.
Comment 18 Patrizio Bassi 2005-09-16 01:10:47 UTC
i know it's a different problem...but 
the actual ebuild fails: 
 
>>> Install mantisbt-0.19.2 into /var/tmp/portage/mantisbt-0.19.2/image/ category 
www-apps 
dodoc: doc/CREDITS does not exist 
dodoc: doc/CUSTOMIZATION does not exist 
dodoc: doc/ChangeLog does not exist 
dodoc: doc/LICENSE does not exist 
dodoc: doc/README does not exist 
dodoc: doc/TROUBLESHOOTING does not exist 
dodoc: doc/UPGRADING does not exist 
cp: impossibile fare stat di `*.php': No such file or directory 
cp: impossibile fare stat di `admin': No such file or directory 
cp: impossibile fare stat di `core': No such file or directory 
cp: impossibile fare stat di `css': No such file or directory 
cp: impossibile fare stat di `graphs': No such file or directory 
cp: impossibile fare stat di `images': No such file or directory 
cp: impossibile fare stat di `lang': No such file or directory 
cp: impossibile fare stat di `config_inc.php.sample': No such file or directory 
 * ebuild fault: file '/usr/share/webapps/mantisbt/0.19.2/htdocs/config_inc.php' not found 
 * Please report this as a bug at http://bugs.gentoo.org/ 
 
!!! ERROR: www-apps/mantisbt-0.19.2 failed. 
!!! Function webapp_checkfileexists, Line 57, Exitcode 0 
!!! ebuild fault: file '/usr/share/webapps/mantisbt/0.19.2/htdocs/config_inc.php' not found 
!!! If you need support, post the topmost build error, NOT this status message. 
 
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-09-16 01:18:04 UTC
Ready for GLSA vote.
Renat: could you have a look at comment #18 ?
Comment 20 Renat Lumpau (RETIRED) gentoo-dev 2005-09-16 03:59:22 UTC
${S} was incorrect. Fixed in CVS.
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-09-17 06:12:43 UTC
Voting yes
Comment 22 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-19 00:29:46 UTC
Let's have a GLSA, I'm voting YES. 
Comment 23 Vincent ETIENNE 2005-09-19 02:32:04 UTC
After down grading to 0.19.2, i was unable to log to mantis due to a missing 
field in mantis_user_table (lost_password_in_progress_count). Adding this field 
to the table seems to cure the pb.
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-09-24 03:48:26 UTC
GLSA 200509-16
Comment 25 Philippe Chaintreuil 2005-11-29 06:26:54 UTC
1.0.0rc3 Has also addressed this.
http://sourceforge.net/project/shownotes.php?release_id=366796&group_id=14963