[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability

Moritz Muehlenhoff jmm at inutil.org
Mon Oct 31 16:22:26 UTC 2005


Thijs Kinkhorst wrote:
> On Mon, October 31, 2005 16:07, Moritz Muehlenhoff wrote:
> > The included patches look fine and correlate to what I extracted from the
> >  interdiff. But where's the fix for CVE-2005-3337 aka mantis bug 5959?
> >
> > The mantis bug is non-public, but according to the description it's
> > a cross-site-scripting vulnerability in mantis/view_all_set.php
> >
> > They claim to have fixed it in 0.19.3 as well, but the interdiff doesn't
> > show anything. So CVE-2005-3337 either doesn't apply to 0.19.x and the
> > changelog was a mistake or the fix is missing in 0.19.3 or the fix is very
> > non-obvious. But it should be checked back with upstream.
> 
> According to the changelog, this was already fixed in Debian package
> 0.19.2-3 uploaded in September. Since this was uploaded by the security
> team, can we assume that this was double-checked to be fixed...?

It's hard to tell whether it's the same issue, as #5959 is non-public, but at
least there are two different CVE mappings (CVE-2005-2557 and CVE-2005-3337).
But it might very well be that the CVE description is wrong, as all these mantis
issues are really confusing.

So #5959 probably refers to this hunk from the interdiff from the latest mantis
DSA. (I'm not 100% sure as #6002 is non-public as well and I don't know the
mantis code in detail):

--- mantis-0.19.2.orig/bug_actiongroup_page.php
+++ mantis-0.19.2/bug_actiongroup_page.php
@@ -114,7 +114,7 @@
 foreach( $f_bug_arr as $t_bug_id ) {
        $t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 );
        $t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td> </tr>\n"
-               , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, 'summary' )
+               , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), htmlentities(bug_get_field( $t_bug_id, 'summary' ))
     );
        echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '" />' . "\n";
 }
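Review bot: the fix escapes only the summary field; the hidden input two lines below the changed line still interpolates `$t_bug_id` into `value="..."` unescaped, so if the ids in `$f_bug_arr` come from the request that is a second injection point in the same loop. Cast it on the way in (`$t_bug_id = (int) $t_bug_id;` at the top of the foreach) or pass it through the same `htmlentities()` call. Note also that `htmlentities()` is called with PHP's default flags, which do not encode single quotes; that is adequate for text inside a `<td>`, but the same one-argument call would not be safe if the summary were ever placed in a single-quoted attribute.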

This would mean that they didn't pull over this security fix into 0.19.3 and in fact it
is unfixed in sid's 0.19.3 package as well.

The other XSS issues from the DSA are fixed in the sid version.

This hunk from the mantis DSA (#5956 and again non-public, CVE-2005-2556) is also unfixed
in sid (or has an alternate fix been applied?)

diff -u mantis-0.19.2/core/database_api.php mantis-0.19.2/core/database_api.php
--- mantis-0.19.2/core/database_api.php
+++ mantis-0.19.2/core/database_api.php
@@ -6,9 +6,16 @@

+       #
+       # Patch for #0005956: Database system scanner via variable poisoning
+       #
+
+       if (isset($_REQUEST["g_db_type"]))
+               die("");
+
        ### Database ###
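Review bot: the check rejects only `g_db_type` in `$_REQUEST`, while the comment describes a general variable-poisoning issue; any other `g_`-prefixed configuration variable that register_globals can overwrite is still accepted by this hunk, so the guard should reject every request key beginning with `g_` rather than one name. Separately, `die("")` answers with an empty 200 response and leaves no trace: emitting an error status and a log line would make probing attempts visible to the administrator instead of silently swallowing them.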

Cheers,
        Moritz