From jlatour@calaquendi.net Tue Aug 20 01:57:20 2002
From: Jeroen Latour
To: Bugtraq
Date: Mon, 19 Aug 2002 08:47:27 +0200
Subject: [Mantis Advisory/2002-01] SQL poisoning vulnerability in Mantis

[Mantis Advisory/2002-01] SQL poisoning vulnerability in Mantis

0. Table of Contents

   1. Introduction
   2. Summary / Impact analysis
   3. Affected versions
   4. Workaround / Solution
   5. Detailed explanation
   6. Contact details

1. Introduction

Mantis is an Open Source web-based bug tracking system, written in PHP, which uses the MySQL database server. It is actively developed by a small group of developers and is considered to be in the beta stage.

In response to the increased number of users and to the increasing number of discovered security vulnerabilities, the Mantis team has decided to start releasing advisories for all vulnerabilities in versions higher than 0.17.0. This is the first in a series of advisories which cover the previously discovered vulnerabilities in greater detail.

2. Summary / Impact analysis

Older versions of Mantis do not check all user input, especially input that does not come directly from form fields. This opens up a wide variety of SQL poisoning vulnerabilities on systems without magic_quotes_gpc enabled. Most of these vulnerabilities are only exploitable in a limited manner, since it is no longer possible to execute multiple queries using one call to mysql_query(). There is, however, one query which can be tricked into changing an account's access level, which means that a malicious user with an account on the Mantis installation can make themselves an administrator of that installation. This particular vulnerability has been fixed in version 0.17.3.

Note: Other vulnerabilities, caused by the same lack of input checking, may exist!

3. Affected versions

The following versions are known to be affected:

   Mantis 0.17.2

The following versions are known to be unaffected:

   Mantis 0.17.4a (*)
   Mantis 0.17.4 (*)
   Mantis 0.17.3 (*)

The following versions are presumed to be affected:

   All versions below Mantis 0.17.2

   * = But read the note in section 2.

4. Workaround / Solution

Mantis 0.17.3 fixes the exploitable query mentioned in section 2. All users are recommended to upgrade to the latest version, currently 0.17.4.

Since this vulnerability was discovered, the coding guidelines have been changed to ensure that every bit of user input that is fed to SQL queries is either validated or escaped. Unfortunately, these changes came too late to be released with Mantis 0.17.3. They have been committed to CVS and will be included in 0.18.0. Users who prefer security over using a tested version are encouraged to use the CVS version. 0.18.0 is currently being wrapped up, but the release may take a few weeks.

If an upgrade is not possible, Mantis 0.17.2 (and possibly lower) can be patched to secure the exploitable query. In account_update.php, insert the following lines somewhere in a PHP block before the SQL queries are executed:

   $f_username = addslashes($f_username);
   $f_email = addslashes($f_email);

Enabling magic_quotes_gpc in your PHP configuration will also prevent the problem from being exploitable.

5. Detailed explanation

By modifying the username or the email of a Mantis account, it is possible to change any column of the Mantis user table (mantis_user_table by default). This can be done by inserting quotes in the username or email and crafting the value in such a manner that a valid SQL query results.

For example:

- The email can be set to:

     user@server', access_level=90, email='

- The normal query is:

     UPDATE mantis_user_table SET username='$f_username', email='$f_email' WHERE id='$f_id'

- With the specified value for the email field, this becomes:

     UPDATE mantis_user_table SET username='someusername', email='user@server', access_level=90, email='' WHERE id='$f_id'

- This sets the access_level column to a value of 90, the internal value for Administrator.

6. Contact details

The latest version of Mantis is always available from:

   http://mantisbt.sourceforge.net/

The current version is 0.17.4a, which can be downloaded from:

   http://mantisbt.sourceforge.net/download.php3

If you have any questions about this vulnerability, or wish to report another, you can contact the developers at:

   mailto:mantisbt-security@lists.sourceforge.net

This is a private mailing list, readable only by a few developers.

The latest version of this and other advisories can be found at:

   http://mantisbt.sourceforge.net/security.php3
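The account_update.php query walked through in section 5, as an added example that is not Mantis code: it builds the query the unpatched way and with the addslashes() patch from section 4, then runs a regression check that blanks out string literals and lists which columns the SET clause assigns, so the crafted email is flagged only in the unpatched query. The builder functions, the column scan and the sample values are assumptions for illustration; it runs without a database.

```php
<?php
// Added example, not code from Mantis. The builder functions model the
// account_update.php query quoted in section 5 so this runs without MySQL.

// Constructed input: the crafted email value shown in section 5.
$f_id       = '7';
$f_username = 'someusername';
$f_email    = "user@server', access_level=90, email='";

// Unpatched form: values interpolated straight into the query, as in
// Mantis 0.17.2 when magic_quotes_gpc is off.
function build_update_unpatched(string $id, string $username, string $email): string
{
    return "UPDATE mantis_user_table SET username='$username', email='$email' WHERE id='$id'";
}

// Section 4 patch: addslashes() escapes quotes and backslashes first, so the
// whole crafted value stays inside the email string literal.
function build_update_patched(string $id, string $username, string $email): string
{
    $username = addslashes($username);
    $email    = addslashes($email);
    return "UPDATE mantis_user_table SET username='$username', email='$email' WHERE id='$id'";
}

// Regression check (assumed helper): replace every quoted literal with '' and
// then list the columns assigned between SET and WHERE. Correctly escaped
// input can no longer contribute column names to that list.
function assigned_columns(string $sql): array
{
    $structure = preg_replace("/'(?:[^'\\\\]|\\\\.)*'/", "''", $sql);
    if (!preg_match('/\bSET\b(.*?)(?:\bWHERE\b|$)/is', $structure, $m)) {
        return [];
    }
    preg_match_all('/(\w+)\s*=/', $m[1], $cols);
    return array_values(array_unique($cols[1]));
}

// Columns assigned that the account form is not supposed to touch.
function unexpected_columns(string $sql, array $allowed): array
{
    return array_values(array_diff(assigned_columns($sql), $allowed));
}

$allowed = ['username', 'email'];
foreach (['unpatched' => build_update_unpatched($f_id, $f_username, $f_email),
          'patched'   => build_update_patched($f_id, $f_username, $f_email)] as $label => $sql) {
    echo "$label: $sql\n";
    echo "  extra SET columns: ", implode(', ', unexpected_columns($sql, $allowed)) ?: '(none)', "\n";
}
```

addslashes() is the advisory's stop-gap and is not character-set aware; a parameterised query (mysqli or PDO prepared statements) removes the string concatenation entirely and is the durable fix.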