View Issue Details

ID: 0027351
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2020-11-21 19:55
Reporter: d3vpoo1
Assigned To: dregad
Priority: normal
Severity: feature
Reproducibility: always
Status: assigned
Resolution: open
Platform: Windows
OS: Windows
OS Version: Windows
Product Version: 2.24.3
Target Version: 2.24.4
Summary: 0027351: Prevent updating Issue with invalid values for ETA and Projection
Description

Apologies for the summary, I am not sure about that one, but if I am correct I also read about the same issue (something about SQL syntax that prints @int@).

I am just playing with the config (and I am looking for the config to turn on the repository, but no luck).

If I am not mistaken, I read some issues where it prints @int@.

This @int@ is the result if the admin selects a value on the select field and the selection doesn't exist.

Steps To Reproduce
  • Make sure you enable the ETA field

  • Go to any issue and edit it

  • Open your proxy

  • Edit the ETA field

    The default selection has 6 options, including none

  • Update the information

Request

POST /mantisbt/bug_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 511
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/bug_update_page.php
Cookie: MANTIS_PROJECT_COOKIE=1; MANTIS_STRING_COOKIE=JbbVOGNh1qb1RUdLiCrzBSJCGGHCx9eO9s3pm02cOZSBZuJdZrazRUCE_XrJvb7i; PHPSESSID=n3tmk4a409i9qu1k386lkeahnp; MANTIS_secure_session=1
Upgrade-Insecure-Requests: 1

bug_update_token=20200926iA3docGYexu0uD5dEHHuxRupzXTyMeS6&bug_id=1&last_updated=1601112787&category_id=1&view_state=10&handler_id=6&priority=30&severity=50&reproducibility=70&status=50&resolution=10&projection=10&eta=30&platform=&os=&os_build=&summary=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&description=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&steps_to_reproduce=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&additional_information=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&bugnote_text=

Response

HTTP/1.1 302 Found
Date: Sat, 26 Sep 2020 10:38:27 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 10:38:27 GMT
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 10:38:27 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt/view.php?id=1
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

Exploit

  • Do the same thing but now edit the value of eta

Exploit request

POST /mantisbt/bug_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 520
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/bug_update_page.php
Cookie: MANTIS_PROJECT_COOKIE=1; MANTIS_STRING_COOKIE=JbbVOGNh1qb1RUdLiCrzBSJCGGHCx9eO9s3pm02cOZSBZuJdZrazRUCE_XrJvb7i; PHPSESSID=n3tmk4a409i9qu1k386lkeahnp; MANTIS_secure_session=1
Upgrade-Insecure-Requests: 1

bug_update_token=20200926CWnX6mJ2XwOGX6x_z_dL5VlQN1uAgVIl&bug_id=1&last_updated=1601116707&category_id=1&view_state=10&handler_id=6&priority=30&severity=50&reproducibility=70&status=50&resolution=10&projection=10&eta=21312312321&platform=&os=&os_build=&summary=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&description=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&steps_to_reproduce=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&additional_information=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&bugnote_text=

Exploit response

HTTP/1.1 302 Found
Date: Sat, 26 Sep 2020 10:40:01 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 10:40:01 GMT
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 10:40:01 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt/view.php?id=1
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

  • Refresh the site and the ETA field will render @32767@

Additional Information

In case you need a PoC please mention it (can't upload an attachment due to an internet issue).

Tags: No tags attached.

Activities

d3vpoo1 (reporter), 2020-09-26 06:54, ~0064490

Hello! I didn't notice the projection field, and this field is also vulnerable to this issue. Should I open a new ticket for that one?

If the case is I shouldn't open

My payload here is 911111111111110 and this prints @32767@ too.

dregad (developer), 2020-09-26 17:33, ~0064494

The display of @xxx@ is by design, this is actually the expected behavior when a field is associated with an enumeration ($g_eta_enum_string and $g_projection_enum_string in this case), which is a configurable setting, and the value stored in the database does not exist in the enum's definition.

I am not able to reproduce your @32767@ scenario; when a value is bigger than the max for the smallint type, I get MySQL error 1264: Out of range value for column 'eta'.

As it stands I wouldn't consider this a bug.

d3vpoo1 (reporter), 2020-09-27 17:24, ~0064501

I didn't edit g_eta_enum_string and g_projection_enum_string:

$g_projection_enum_string = '10:none,30:tweak,50:minor fix,70:major rework,90:redesign';

/**
 *
 * @global string $g_eta_enum_string
 */
$g_eta_enum_string = '10:none,20:< 1 day,30:2-3 days,40:< 1 week,50:< 1 month,60:> 1 month';

Attachment: @@.png (38,413 bytes)

dregad (developer), 2020-11-21 19:53, ~0064674

This one I don't consider a security issue, as the only impact is storing some data that cannot be rendered by Mantis.

Nevertheless, I will implement a fix to prevent updating the Issue record with ETA data that is not defined in the enum string; an error message will be thrown in this case.
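
As an added illustration (Python, not MantisBT's own PHP code) of the server-side check dregad proposes, the following parses the default enum strings quoted above and rejects an ETA or Projection value that is not one of their keys; the form-body check and the @value@ rendering helper are assumptions modelled on the thread, not Mantis functions.

```python
import re
from typing import Dict, Optional
from urllib.parse import parse_qs

# Default enum strings exactly as quoted in the issue ("<int>:<label>,...").
G_ETA_ENUM_STRING = '10:none,20:< 1 day,30:2-3 days,40:< 1 week,50:< 1 month,60:> 1 month'
G_PROJECTION_ENUM_STRING = '10:none,30:tweak,50:minor fix,70:major rework,90:redesign'
FIELD_ENUMS = {'eta': G_ETA_ENUM_STRING, 'projection': G_PROJECTION_ENUM_STRING}


def parse_enum_string(enum_string: str) -> Dict[int, str]:
    """Parse "value:label,value:label" into {value: label}.  Labels contain
    '<', '>' and spaces, so split each item only at its first ':'."""
    mapping: Dict[int, str] = {}
    for item in enum_string.split(','):
        key, sep, label = item.partition(':')
        if not sep or not re.fullmatch(r'-?[0-9]+', key.strip()):
            raise ValueError(f'malformed enum item: {item!r}')
        mapping[int(key)] = label.strip()
    return mapping


def validate_enum_field(raw: str, enum_string: str) -> Optional[int]:
    """Return the submitted value as int only if it is a defined enum key;
    None for anything else (empty, non-numeric, negative, or out-of-enum
    values such as the 21312312321 sent in the exploit request)."""
    if not re.fullmatch(r'[0-9]+', raw):
        return None
    value = int(raw)
    return value if value in parse_enum_string(enum_string) else None


def validate_update_request(body: str) -> Dict[str, str]:
    """Check the eta/projection parameters of a bug_update.php form body
    (assumed helper).  Returns {field: error}; empty dict means proceed."""
    params = parse_qs(body, keep_blank_values=True)
    errors: Dict[str, str] = {}
    for field, enum_string in FIELD_ENUMS.items():
        raw = params.get(field, [''])[0]
        if validate_enum_field(raw, enum_string) is None:
            errors[field] = f'{raw!r} is not defined in the {field} enum string'
    return errors


def render_enum_value(value: int, enum_string: str) -> str:
    """Mirror the display rule described in the thread: a stored value that
    is not in the enum string renders as @value@ rather than a label."""
    return parse_enum_string(enum_string).get(value, f'@{value}@')
```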

Issue History

Date Modified Username Field Change
2020-09-26 06:44 d3vpoo1 New Issue
2020-09-26 06:54 d3vpoo1 Note Added: 0064490
2020-09-26 17:33 dregad Note Added: 0064494
2020-09-27 17:24 d3vpoo1 Note Added: 0064501
2020-09-27 17:24 d3vpoo1 File Added: @@.png
2020-11-21 19:53 dregad Assigned To => dregad
2020-11-21 19:53 dregad Status new => assigned
2020-11-21 19:53 dregad Category security => bugtracker
2020-11-21 19:53 dregad Target Version => 2.24.4
2020-11-21 19:53 dregad View Status private => public
2020-11-21 19:53 dregad Note Added: 0064674
2020-11-21 19:55 dregad Summary SQL Syntax Error ?? (ETA field) => Prevent updating Issue with invalid values for ETA and Projection