View Issue Details

ID: 0023146
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-09-03 18:41
Reporter: iamsecurity
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.0.0-beta.1
Target Version: 2.5.2
Fixed in Version: 2.5.2
Summary: 0023146: CVE-2017-12061: XSS in /admin/install.php script
Description

Some variables like $f_database, $f_db_username and $f_admin_username are under user control and are not sanitized properly when displayed in error messages.

/admin/install.php:
202: $f_database_name = gpc_get( 'database_name', config_get( 'database_name', 'bugtracker' ) );
203: $f_db_username = gpc_get( 'db_username', config_get( 'db_username', '' ) );
...
216: $f_admin_username = gpc_get( 'admin_username', '' );
...
437: $g_db = ADONewConnection( $f_db_type );
438: $t_result = @$g_db->Connect( $f_hostname, $f_db_username, $f_db_password, $f_database_name );
...
444: print_test_result( BAD, false, 'Database user doesn\'t have access to the database ( ' . db_error_msg() . ' )' );

Because the "admin" folder is accessible to anyone and is not moved or denied after a successful Mantis installation, many servers have this issue.

Steps To Reproduce

Browse to URLs:

http://mantis.server/admin/install.php?install=3&database_name=%3Ch1%3EXSS&admin_username=%3Ch1%3EXSS
or
http://mantis.server//admin/install.php?install=3&database_name=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&admin_username=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E
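The pattern behind the report and the fix described in the changesets below, as an added example that is not MantisBT's own code: a reduced model of the install.php output at line 444 beside a hardened version that HTML-encodes the database error message before concatenating it. fake_db_error_msg(), render_test_result_vulnerable(), render_test_result_hardened() and output_contains_raw_tag() are hypothetical stand-ins, not functions from MantisBT.

```php
<?php
// Added example, not MantisBT's code: a reduced model of the install.php
// pattern in the report. MySQL-style drivers build error text such as
// "Unknown database 'xyz'" or "Access denied for user 'u'@'host'" from the
// submitted database name or username, so the request values flow into
// db_error_msg() and from there, unencoded, into the page.

// Hypothetical stand-in for db_error_msg(): echoes the database name back
// the way the real driver error would.
function fake_db_error_msg(string $p_database_name): string {
    return "Unknown database '" . $p_database_name . "'";
}

// Vulnerable rendering, mirroring line 444 of the report: the message is
// concatenated straight into the HTML output.
function render_test_result_vulnerable(string $p_message): string {
    return '<tr><td>BAD</td><td>' . $p_message . '</td></tr>';
}

// Hardened rendering: encode for an HTML text context before concatenating.
// ENT_QUOTES also covers single quotes, so the result stays safe if it is
// ever placed inside a quoted attribute.
function render_test_result_hardened(string $p_message): string {
    $t_safe = htmlspecialchars($p_message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>BAD</td><td>' . $t_safe . '</td></tr>';
}

// Regression check a test suite could keep: no input tag survives encoding.
function output_contains_raw_tag(string $p_html, string $p_input): bool {
    return $p_input !== strip_tags($p_input) && strpos($p_html, $p_input) !== false;
}

// Constructed inputs: a benign name and the report's PoC payload.
$t_inputs = ['bugtracker', "<script>alert('XSS')</script>"];

foreach ($t_inputs as $t_database_name) {
    $t_message = 'Database user doesn\'t have access to the database ( '
        . fake_db_error_msg($t_database_name) . ' )';
    $t_vuln = render_test_result_vulnerable($t_message);
    $t_safe = render_test_result_hardened($t_message);

    echo "input:      $t_database_name", PHP_EOL;
    echo "vulnerable: $t_vuln", PHP_EOL;   // payload is reflected intact
    echo "hardened:   $t_safe", PHP_EOL;   // payload arrives as HTML entities
    if (output_contains_raw_tag($t_safe, $t_database_name)) {
        throw new RuntimeException('encoding regression');
    }
}
```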

Tags: No tags attached.
Attached Files
mantisbt-xss.jpg (70,776 bytes)

Relationships

parent of 0023175 (closed, dregad): CVE-2017-12061: XSS in /admin/install.php script

Activities

atrol (developer), 2017-07-25 17:11, ~0057328

I confirm the issues in general, but I am wondering which browser you are using.
We use CSP headers as an additional way to prevent this kind of XSS.
I tried the latest versions of Firefox, Chrome and Safari and was not able to reproduce the issue.
Will also try IE and Edge tomorrow.

vboctor (manager), 2017-07-28 01:19, ~0057347

The admin folder should be deleted as soon as MantisBT is installed. We should fix this issue, but having admin folder available after installation probably has other security issues.

dregad (developer), 2017-07-31 19:07, ~0057365

I am requesting a CVE ID to be assigned for this issue.

@iamsecurity please let us know how you would like to be credited for the finding

dregad (developer), 2017-08-01 05:57, ~0057368

CVE-2017-12061 has been assigned [scr368900]

dregad (developer), 2017-08-01 09:09, ~0057371

The issue is also present in 1.3.11 and earlier. Tracking in 0023175

dregad (developer), 2017-08-04 19:18, ~0057396

oss-security mailing list posting: http://www.openwall.com/lists/oss-security/2017/08/01/1

Related Changesets

MantisBT: master-2.5 c73ae3d3 (dregad, 2017-08-01 03:00)
Fix XSS in install.php (CVE-2017-12061)

aLLy from ONSEC (https://twitter.com/IamSecurity) reported this
vulnerability, allowing an attacker to inject arbitrary code through
crafted form variables.

Sanitizing the database error message prior to output prevents the
attack.

Fixes 0023146
Affected Issues: 0023146
mod - admin/install.php

MantisBT: master-1.3.x 17f9b94f (dregad, 2017-08-01 03:00)
Fix XSS in install.php (CVE-2017-12061)

aLLy from ONSEC (https://twitter.com/IamSecurity) reported this
vulnerability, allowing an attacker to inject arbitrary code through
crafted form variables.

Sanitizing the database error message prior to output prevents the
attack.

Fixes 0023146

Backported from c73ae3d3d4dd4681489a9e697e8ade785e27cba5
Affected Issues: 0023146, 0023175
mod - admin/install.php