[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Moritz Muehlenhoff
jmm at inutil.org
Thu Oct 27 13:49:50 UTC 2005
Martin Schulze wrote:
> > Thijs Kinkhorst wrote:
> > > > Another security problem has been found in mantis. Insufficient
> > > > input sanitising of the t_core_path parameter may be exploited to perform
> > > > arbitrary file inclusion. Please see
> > > > http://secunia.com/secunia_research/2005-46/advisory/ for details.
> > >
> > > Hello Moritz,
> > >
> > > Thank you for your report. I've prepared an NMU for all the recent
> > > security problems in Mantis which is now awaiting review by my sponsor.
> >
> > I assume you've prepared packages of 0.19.3?
> > This would address the SQL injection issue and the other XSS in view_all_set
> > as well, which are both not yet in the BTS.
> >
> > The latest issues have been assigned CVE-2005-333[6789], BTW.
>
> Do you have an idea which of them affect woody/sarge?
All affect Sarge. 0.19.2 -> 0.19.3 only contains the security fixes plus a minor
non-security bug fix, so it should be rather easy to extract the patches.
I've attached a white-space-cleaned interdiff. More could be stripped, but
I'm not entirely sure which code is related to
" [bugtracker] System warning in login_page.php when no new installation (vboctor)"
(this is the only non-security change listed, but I'm not sure which one it is)
Woody seems unaffected, but 3337 should be double-checked in a real-life
environment.
CVE-2005-3339: (mantis bug 6097)
The vulnerable code is not present.
CVE-2005-3338: (mantis bug 5247)
The vulnerable code isn't present, either.
CVE-2005-3337: (mantis bugs 5959, 5751)
Access to the bug description of 5959 is restricted, but view_all_set.php is not
present in Woody's version, so it shouldn't be vulnerable.
The XSS from 5751 can only be triggered through code from bug_actiongroup_page.php,
which is not present in Woody, but might have an equivalent in 0.17. I couldn't
find it with grep, but it should again be tested in a production mantis environment,
as the bug contains a demo page with the XSS.
CVE-2005-3336: (mantis bug 6275)
This one is denied as well, but judging from the interdiff the injection would
take place in lost_pwd.php and that code isn't present in 0.17.
CVE-2005-3335: (mantis bug 6273)
Denied again, but with the information from the original Secunia advisory I'm sure
Woody isn't affected either, as the vulnerable functionality isn't present in 0.17.
Cheers,
Moritz
-------------- next part --------------
diff -Nawur mantis-0.19.2/bug_actiongroup_page.php mantis-0.19.3/bug_actiongroup_page.php
--- mantis-0.19.2/bug_actiongroup_page.php 2004-11-22 14:36:50.000000000 +0100
+++ mantis-0.19.3/bug_actiongroup_page.php 2005-09-25 15:33:48.000000000 +0200
@@ -114,7 +114,7 @@
foreach( $f_bug_arr as $t_bug_id ) {
$t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 );
$t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td> </tr>\n"
- , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, 'summary' )
+ , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), string_attribute( bug_get_field( $t_bug_id, 'summary' ) )
);
echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '" />' . "\n";
}
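Review bot: the summary cell is now escaped with string_attribute(), but the hidden input two lines below still writes $t_bug_id unescaped into an attribute (`echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '" />'`). Unless $f_bug_arr is validated as integers before this loop (not visible in the hunk), that value needs the same treatment, or an (int) cast. Minor: string_attribute() is the attribute-context escaper, while the summary is emitted as element content inside a <td>; it neutralises the markup either way, but the element-content helper would be the more precise choice.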
diff -Nawur mantis-0.19.2/bug_sponsorship_list_view_inc.php mantis-0.19.3/bug_sponsorship_list_view_inc.php
--- mantis-0.19.2/bug_sponsorship_list_view_inc.php 2004-07-21 14:38:36.000000000 +0200
+++ mantis-0.19.3/bug_sponsorship_list_view_inc.php 2005-09-22 12:53:56.000000000 +0200
@@ -6,13 +6,15 @@
# See the files README and LICENSE for details
# --------------------------------------------------------
- # $Id: bug_sponsorship_list_view_inc.php,v 1.10 2004/07/21 12:38:36 vboctor Exp $
+ # $Id: bug_sponsorship_list_view_inc.php,v 1.10.8.1 2005/09/22 10:53:57 vboctor Exp $
# --------------------------------------------------------
?>
<?php
# This include file prints out the list of users sponsoring the current
# bug. $f_bug_id must be set to the bug id
+ $t_core_path = config_get( 'core_path' );
+
require_once( $t_core_path . 'sponsorship_api.php' );
require_once( $t_core_path . 'collapse_api.php' );
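Review bot: the fix reassigns $t_core_path from config_get( 'core_path' ) immediately before the two require_once() calls, so a value injected into that variable by the request (under register_globals) is overwritten before it reaches the include path; that is the right shape for the t_core_path inclusion this bug is about. Two points: every other include file that consumes $t_core_path without setting it first needs the same line, since this hunk only covers bug_sponsorship_list_view_inc.php, and the $Id: keyword change above it is version-control noise that should be dropped from a security backport.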
diff -Nawur mantis-0.19.2/core/authentication_api.php mantis-0.19.3/core/authentication_api.php
--- mantis-0.19.2/core/authentication_api.php 2004-08-14 17:26:20.000000000 +0200
+++ mantis-0.19.3/core/authentication_api.php 2005-09-25 15:27:24.000000000 +0200
@@ -135,7 +135,7 @@
# --------------------
# Allows scripts to login using a login name or ( login name + password )
function auth_attempt_script_login( $p_username, $p_password = null ) {
- global $g_script_login_cookie;
+ global $g_script_login_cookie, $g_cache_current_user_id;
$t_user_id = user_get_id_by_name( $p_username );
@@ -161,6 +161,9 @@
# set the cookies
$g_script_login_cookie = $t_user['cookie_string'];
+ # cache user id for future reference
+ $g_cache_current_user_id = $t_user_id;
+
return true;
}
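Review bot: caching $t_user_id into $g_cache_current_user_id on a successful script login means the cached identity now follows the script user rather than whoever the browser cookie identified. That matches the early return added to auth_get_current_user_cookie() further down, but the function header comment still reads only "Allows scripts to login using a login name or ( login name + password )"; add a sentence there noting that the call replaces the cached current user for the rest of the request.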
@@ -341,19 +344,26 @@
# --------------------
# Return the current user login cookie string,
- # if no user is logged in and anonymous login is enabled, returns cookie for anonymous user
+ # note that the cookie cached by a script login superceeds the cookie provided by
+ # the browser. This shouldn't normally matter, except that the password verification uses
+ # this routine to bypass the normal authentication, and can get confused when a normal user
+ # logs in, then runs the verify script. the act of fetching config variables may get the wrong
+ # userid. # if no user is logged in and anonymous login is enabled, returns cookie for anonymous user
# otherwise returns '' (an empty string)
function auth_get_current_user_cookie() {
global $g_script_login_cookie;
+ # if logging in via a script, return that cookie
+ if ( $g_script_login_cookie !== null ) {
+ return $g_script_login_cookie;
+ }
+
+ # fetch user cookie
$t_cookie_name = config_get( 'string_cookie' );
$t_cookie = gpc_get_cookie( $t_cookie_name, '' );
# if cookie not found, and anonymous login enabled, use cookie of anonymous account.
if ( is_blank( $t_cookie ) ) {
- if ( $g_script_login_cookie !== null ) {
- return $g_script_login_cookie;
- } else {
if ( ON == config_get( 'allow_anonymous_login' ) ) {
$query = sprintf('SELECT id, cookie_string FROM %s WHERE username = "%s"',
config_get( 'mantis_user_table' ), config_get( 'anonymous_account' ) );
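Review bot: the new header comment has "superceeds" (should be "supersedes"), and the original line "# if no user is logged in and anonymous login is enabled, returns cookie for anonymous user" has been glued onto the end of the new sentence on the same comment line; put it back on its own line. On the logic, the early return `if ( $g_script_login_cookie !== null ) { return $g_script_login_cookie; }` now wins even when a browser cookie is present, whereas the old code consulted the script cookie only when the browser cookie was blank. That is what the comment says is intended, but it is a behaviour change for any request that both carries a session cookie and performs a script login, and it deserves a changelog line. The anonymous-account lookup left in place still builds its SQL with sprintf() and double-quoted literals from config values; those are admin-controlled, but running them through db_prepare_string(), as lost_pwd.php now does, would keep the two code paths consistent.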
@@ -365,7 +375,6 @@
}
}
}
- }
return $t_cookie;
}
diff -Nawur mantis-0.19.2/core/current_user_api.php mantis-0.19.3/core/current_user_api.php
--- mantis-0.19.2/core/current_user_api.php 2004-11-19 13:29:00.000000000 +0100
+++ mantis-0.19.3/core/current_user_api.php 2005-10-11 14:06:32.000000000 +0200
@@ -78,7 +78,8 @@
# --------------------
# Return true if the currently user is the anonymous user
function current_user_is_anonymous() {
- return current_user_get_field( 'username' ) == config_get( 'anonymous_account' );
+ $t_anonymous_account = config_get( 'anonymous_account' );
+ return ( !is_blank( $t_anonymous_account ) && ( current_user_get_field( 'username' ) == $t_anonymous_account ) );
}
# --------------------
# Trigger an ERROR if the current user account is protected
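Review bot: the added is_blank() guard stops an empty anonymous_account setting from matching every user, but the comparison is still the loose `==`; a strict `===` against the username string would also rule out PHP's numeric-string equalities (for example a username of "0" compared with an anonymous_account of "0.0"). Since this function gates the anonymous-user checks, the stricter comparison is cheap. Style: the context comment "Return true if the currently user is the anonymous user" should read "current user".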
diff -Nawur mantis-0.19.2/core/email_api.php mantis-0.19.3/core/email_api.php
--- mantis-0.19.2/core/email_api.php 2004-10-05 23:10:14.000000000 +0200
+++ mantis-0.19.3/core/email_api.php 2005-09-25 15:50:28.000000000 +0200
@@ -768,20 +768,28 @@
$p_recipients = array( $p_recipients );
}
- $result = array();
- foreach ( $p_recipients as $t_recipient ) {
-
- lang_push( user_pref_get_language( $t_recipient, bug_get_field( $p_bug_id, 'project_id' ) ) );
+ $t_project_id = bug_get_field( $p_bug_id, 'project_id' );
+ $t_sender_id = auth_get_current_user_id();
+ $t_sender = user_get_name( $t_sender_id );
$t_subject = email_build_subject( $p_bug_id );
- $t_sender = current_user_get_field( 'username' ) . ' <' .
- current_user_get_field( 'email' ) . '>' ;
$t_date = date( config_get( 'normal_date_format' ) );
- $t_header = "\n" . lang_get( 'on' ) . " $t_date, $t_sender " .
- lang_get( 'sent_you_this_reminder_about' ) . ":\n\n";
+
+ $result = array();
+ foreach ( $p_recipients as $t_recipient ) {
+ lang_push( user_pref_get_language( $t_recipient, $t_project_id ) );
$t_email = user_get_email( $t_recipient );
$result[] = user_get_name( $t_recipient );
+
+ if ( access_has_project_level( config_get( 'show_user_email_threshold' ), $t_project_id, $t_recipient ) ) {
+ $t_sender_email .= ' <' . current_user_get_field( 'email' ) . '>' ;
+ } else {
+ $t_sender_email = '';
+ }
+ $t_header = "\n" . lang_get( 'on' ) . " $t_date, $t_sender $t_sender_email " .
+ lang_get( 'sent_you_this_reminder_about' ) . ": \n\n";
+
$t_contents = $t_header .
string_get_bug_view_url_with_fqdn( $p_bug_id, $t_recipient ) .
"\n\n$p_message";
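Review bot: `$t_sender_email .= ' <' . current_user_get_field( 'email' ) . '>' ;` uses the concatenating assignment inside the per-recipient loop. On the first iteration $t_sender_email is undefined (a PHP notice), and when two consecutive recipients both pass the access_has_project_level() check the second one gets the address twice (` <addr> <addr>`), because the variable is only reset to '' in the else branch. Use a plain `=` here. Also, the sender name is now resolved via $t_sender_id = auth_get_current_user_id() while the address still comes from current_user_get_field( 'email' ); use user_get_email( $t_sender_id ), the helper already called for the recipient three lines above, so both fields refer to the same account.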
diff -Nawur mantis-0.19.2/core/filter_api.php mantis-0.19.3/core/filter_api.php
--- mantis-0.19.2/core/filter_api.php 2004-11-19 14:06:30.000000000 +0100
+++ mantis-0.19.3/core/filter_api.php 2005-09-25 15:39:50.000000000 +0200
@@ -753,7 +753,7 @@
?>
<br />
- <form method="post" name="filters" action="<?php PRINT $t_action; ?>">
+ <form method="post" name="filters" action="<?php PRINT htmlentities($t_action); ?>">
<input type="hidden" name="type" value="5" />
<?php
if ( $p_for_screen == false ) {
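Review bot: wrapping $t_action in htmlentities() is the right fix for a double-quoted action attribute, but the bug_actiongroup_page.php hunk in this same patch uses Mantis's own string_attribute() helper for the same purpose; using the project helper here too keeps charset handling and quote style in one place instead of relying on htmlentities() defaults.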
@@ -761,10 +761,10 @@
PRINT '<input type="hidden" name="offset" value="0" />';
}
?>
- <input type="hidden" name="sort" value="<?php PRINT $t_sort ?>" />
- <input type="hidden" name="dir" value="<?php PRINT $t_dir ?>" />
- <input type="hidden" name="page_number" value="<?php PRINT $p_page_number ?>" />
- <input type="hidden" name="view_type" value="<?php PRINT $t_view_type ?>" />
+ <input type="hidden" name="sort" value="<?php PRINT htmlentities($t_sort) ?>" />
+ <input type="hidden" name="dir" value="<?php PRINT htmlentities($t_dir) ?>" />
+ <input type="hidden" name="page_number" value="<?php PRINT htmlentities($p_page_number) ?>" />
+ <input type="hidden" name="view_type" value="<?php PRINT htmlentities($t_view_type) ?>" />
<table class="width100" cellspacing="1">
<?php
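Review bot: entity-encoding the four hidden fields closes the reflected XSS, but page_number is numeric by nature, and the names sort and dir suggest a column name and a direction; casting page_number with (int) and validating sort and dir against the expected values, with the encoding kept as a second layer, would reject malformed input rather than only render it harmlessly. As in the hunk above, string_attribute() would be the consistent project helper.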
diff -Nawur mantis-0.19.2/lost_pwd.php mantis-0.19.3/lost_pwd.php
--- mantis-0.19.2/lost_pwd.php 2004-10-25 21:45:04.000000000 +0200
+++ mantis-0.19.3/lost_pwd.php 2005-09-22 13:11:34.000000000 +0200
@@ -27,9 +27,12 @@
$f_email = email_append_domain( $f_email );
email_ensure_valid( $f_email );
+ $c_username = db_prepare_string( $f_username );
+ $c_email = db_prepare_string( $f_email );
+
$t_user_table = config_get( 'mantis_user_table' );
- $query = 'SELECT id FROM ' . $t_user_table . ' WHERE username = \'' . $f_username . '\' and email = \'' . $f_email . '\'';
+ $query = 'SELECT id FROM ' . $t_user_table . ' WHERE username = \'' . $c_username . '\' and email = \'' . $c_email . '\'';
$result = db_query( $query );
if ( 0 == db_num_rows( $result ) ) {
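Review bot: db_prepare_string() now escapes $f_username and $f_email before they are concatenated into the SELECT, which is the fix for the lost_pwd.php injection mentioned in the mail; the query is still assembled by string concatenation, so any field added to it later needs the same treatment, and the $c_ prefix convention used here should be applied to the other raw queries in the patch. Note also that the hunk header announces 12 lines on the new side but the attachment stops at `if ( 0 == db_num_rows( $result ) ) {`, so the interdiff as archived appears truncated here.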