Package: mantis
Version: 1.2.11-1.2
Tags: security

It seems that a bug in the Ubuntu [2] mantis package is also present in package mantis_1.2.11-1.2_all.deb (Debian stable).

The problematic code is in /usr/share/mantis/www/admin/install.php, causing mantis-install to grant privileges to the wrong user@hostname combination. This is only relevant when the Apache server and the database are not on the same host. The correct grant should be [user]@[webserver hostname/IP], to grant access only to the webserver, but it grants privileges to [user]@[database host name] instead. When mysql is running in a hardened setup, this also causes the installation procedure to fail, since the webserver cannot use the database.

    $t_result = @$g_db->Connect ( $f_hostname, $f_admin_username,
        $f_admin_password, $f_database_name);
    switch ($f_db_type) {
        case 'mysql' :
        case 'mysqli' :
            //grant privileges
            $t_query_grant ="GRANT ALL ON `".$f_database_name."`.* TO `".$f_db_username."`@`".$f_hostname."` IDENTIFIED BY '".$f_db_password."' ";

A correct implementation should perhaps take the IP/hostname of the remote user of the currently executed query and use that when granting privileges.

This bug has only very few security implications, since an unexpected and unnecessary GRANT entry is created in the mysql.user table, but the new account is still password protected and connections would only be possible from another process on the database host itself (or does mysql support switching of user via SQL-command and local connection?). Flagging it as "security" still, perhaps someone else might know a more problematic scenario.

Current mantisbt-1.2.15 for download from mantisbt.org does not create any users (see [1]), so this code might have been removed/fixed between version 1.2.11 and 1.2.15 or may be a Debian-specific addition.

[1] http://www.mantisbt.org/forums/viewtopic.php?f=3&t=21663
[2] https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1222713
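
Added example (not part of the original report, and not MantisBT or Debian code): one way to implement the suggestion above of granting to the host the installer's connection comes from, using the "user@host" value that MySQL's USER() function reports for the admin connection. The function names, the sample values and the stand-in escaper are assumptions made for illustration.

```php
<?php
// Added example; all names below are hypothetical, not taken from install.php.

/** Extract the client host from the string MySQL's USER() returns ("user@host"). */
function client_host_from_user(string $userFn): string {
    $at = strrpos($userFn, '@');            // the host follows the last '@'
    if ($at === false) {
        throw new InvalidArgumentException('unexpected USER() value');
    }
    $host = substr($userFn, $at + 1);
    // Accept only a literal hostname, IPv4 or IPv6 address. '%' and '_' act as
    // wildcards in MySQL account host values, so they are rejected here.
    if (!preg_match('/^[A-Za-z0-9.:-]+$/', $host)) {
        throw new InvalidArgumentException('refusing host value: ' . $host);
    }
    return $host;
}

/** Build the GRANT for the application account, scoped to the web server's host. */
function build_grant(string $db, string $user, string $host, string $pass, callable $esc): string {
    $dbIdent = '`' . str_replace('`', '``', $db) . '`';   // quote the identifier
    // Same GRANT ... IDENTIFIED BY form as the reported code, with the account
    // written as 'user'@'host' and every value passed through the escaper.
    return sprintf("GRANT ALL ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s'",
        $dbIdent, $esc($user), $esc($host), $esc($pass));
}

// Constructed sample: what "SELECT USER()" would return on the admin connection
// opened from the web server (192.0.2.10 is a documentation address).
$sampleUserFn = 'root@192.0.2.10';

// Stand-in escaper so the demo runs without a database; with a live connection
// pass [$mysqli, 'real_escape_string'] instead.
$esc = fn(string $s): string => addslashes($s);

$host = client_host_from_user($sampleUserFn);
echo build_grant('bugtracker', 'mantis', $host, "s3cr'et", $esc), "\n";
```

When the web server and the database share a host, USER() reports `localhost` and the grant is scoped to local connections, which matches the single-host case the report says is unaffected.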