2004-01 Various vulnerabilities in Mantis
Last Modified: December 23, 2006 04:12AM
(Mantis 0.17.0 till 0.18.2)
Description
2004-01 Various vulnerabilities in Mantis
0. Table of Contents
1. Introduction
2. Summary / Impact analysis
3. Affected versions
4. Workaround / Solution
5. Credit
6. Contact details
1. Introduction
Mantis is an Open Source web-based bugtracking system, written in PHP, which
uses the MySQL database server. It is being actively developed by a small
group of developers, and is considered to be in the beta stage.
2. Summary / Impact analysis
When configured, Mantis allows users to attach files to both bugs and projects.
The script that allows users to download these files contained two vulnerabilities.
First of all, the script did not check whether the user was allowed to view the
attached files. This made it possible for anyone with an account on the
installation (or through anonymous access) to view any file uploaded to the
bug tracker.
Secondly, the script did not properly initialise a variable used to build a
SQL query. This made it possible for anyone with an account on the
installation (or again with anonymous access) to execute an arbitrary query,
under the permissions of the Mantis database user. A malicious user could
elevate his access to the bug tracker, add, modify or delete any information
in the bug tracker or (on misconfigured systems) modify or access information
in other databases. However, only installations with 'register_globals' enabled
in PHP are vulnerable to this attack. This option has been disabled by default
since PHP 4.2.0.
3. Affected versions
The following versions are affected:
Mantis 0.18.2
Mantis 0.18.1
Mantis 0.18.0 (including all alpha versions)
Mantis 0.17.5
Mantis 0.17.4a
Mantis 0.17.4
Mantis 0.17.3
Mantis 0.17.2
Mantis 0.17.1
Mantis 0.17.0
4. Workaround / Solution
Mantis 0.18.3 fixes both problems. Users are advised to upgrade to this version
when possible.
The first problem (access to files) can be prevented by not attaching any files
to bugs or projects, or possibly by replacing file_download.php with the version from Mantis 0.18.3.
The second problem can be prevented by disabling register_globals in PHP (for
example using a php.ini file in the Mantis directory). Mantis will work fine with this option disabled.
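As an added illustration (not code from Mantis or this advisory), the PHP below sketches both defect classes the advisory describes in a download script, followed by a hardened form that assigns every query input itself, binds it as a parameter and checks authorisation before serving any bytes. The table and column names, the `project_user_list` membership rule and the `$g_db` handle are assumptions, and the hardened code targets PHP 7+ with mysqli.

```php
<?php
// Added illustration, not Mantis code. Schema names and $g_db are assumed.
// The PHP-level mitigation from the advisory, in a php.ini or .htaccess:
//   register_globals = Off      (php_flag register_globals off)

// Weak pattern. With register_globals=On a request parameter named t_where
// becomes the page-global $t_where before this code runs. The script only
// assigns it in one branch, so when that branch is skipped the caller's
// value is concatenated straight into the SQL. There is also no check that
// the caller may view the bug the file belongs to.
function download_weak($p_file_id)
{
    global $g_db, $t_where;                 // $t_where never initialised here
    if (is_numeric($p_file_id)) {
        $t_where = 'id = ' . (int)$p_file_id;
    }
    return $g_db->query("SELECT filename, content FROM bug_file_table WHERE $t_where");
}

// Hardened pattern: assumed rule that a user may view a bug when listed on
// the bug's project (project_user_list), checked with a bound query.
function user_can_view_bug(mysqli $p_db, int $p_user_id, int $p_bug_id): bool
{
    $t_stmt = $p_db->prepare(
        'SELECT 1 FROM bug_table b JOIN project_user_list p ON p.project_id = b.project_id '
        . 'WHERE b.id = ? AND p.user_id = ?');
    $t_stmt->bind_param('ii', $p_bug_id, $p_user_id);
    $t_stmt->execute();
    $t_stmt->store_result();
    $t_allowed = $t_stmt->num_rows > 0;
    $t_stmt->close();
    return $t_allowed;
}

function download_hardened(mysqli $p_db, int $p_file_id, int $p_user_id): ?array
{
    // Every value reaching the query is assigned here and bound as a
    // parameter, so neither register_globals nor string splicing can alter it.
    $t_stmt = $p_db->prepare('SELECT bug_id, filename, content FROM bug_file_table WHERE id = ?');
    $t_stmt->bind_param('i', $p_file_id);
    $t_stmt->execute();
    $t_stmt->bind_result($t_bug_id, $t_filename, $t_content);
    $t_found = $t_stmt->fetch();
    $t_stmt->close();
    if (!$t_found) {
        return null;                        // no such attachment
    }
    if (!user_can_view_bug($p_db, $p_user_id, (int)$t_bug_id)) {
        return null;                        // authorised check fails: serve nothing
    }
    return ['filename' => $t_filename, 'content' => $t_content];
}
```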
5. Credit
These vulnerabilities were discovered by Victor Boctor, a member of the Mantis
development team.
6. Contact details
The latest version of Mantis is always available from:
http://www.mantisbt.org/
The current version is 1.0.6, which can be downloaded from
http://www.mantisbt.org/download.php
If you have any questions about this vulnerability, or wish to report
another, you can report it as a private issue on:
http://www.mantisbt.org/bugs/
The latest version of this and other advisories can be found at:
http://www.mantisbt.org/manual/
Last updated: Fri, 21 Nov 2008 - 15:30:56