Martin Schulze wrote:
> > Thijs Kinkhorst wrote:
> > > > Another security problem has been found in mantis. Insufficient
> > > > input sanitising of the t_core_path parameter may be exploited to
> > > > perform arbitrary file inclusion. Please see
> > > > http://secunia.com/secunia_research/2005-46/advisory/ for details.
> > > 
> > > Hello Moritz,
> > > 
> > > Thank you for your report. I've prepared an NMU for all the recent
> > > security problems in Mantis which is now awaiting review by my sponsor.
> > 
> > I assume you've prepared packages of 0.19.3?
> > This would address the SQL injection issue and the other XSS in view_all_set
> > as well, which are both not yet in the BTS.
> > 
> > The latest issues have been assigned CVE-2005-333[6789], BTW.
> 
> Do you have an idea which of them affect woody/sarge?

All affect Sarge. 0.19.2 -> 0.19.3 only contains the security fixes plus a minor
non-security bug fix, so it should be rather easy to extract the patches.
I've attached a white-space-cleaned interdiff. More could be stripped, but
I'm not entirely sure which code is related to
" [bugtracker] System warning in login_page.php when no new installation 
(vboctor)"
(this is the only non-security change listed, but I'm not sure which one it is)

Woody seems unaffected, but 3337 should be double-checked in a real-life
environment.

CVE-2005-3339: (mantis bug 6097)
 The vulnerable code is not present.

CVE-2005-3338: (mantis bug 5247)
 The vulnerable code isn't present, either.

CVE-2005-3337: (mantis bugs 5959, 5751)
 Access to the bug description of 5959 is restricted, but view_all_set.php is
 not present in Woody's version, so it shouldn't be vulnerable.
 The XSS from 5751 can only be triggered through code from bug_actiongroup_page.php,
 which is not present in Woody, but might have an equivalent in 0.17. I couldn't
 find it with grep, but it should again be tested in a production mantis
 environment, as the bug contains a demo page with the XSS.

CVE-2005-3336: (mantis bug 6275)
 This one is denied as well, but judging from the interdiff the injection would
 take place in lost_pwd.php and that code isn't present in 0.17.

CVE-2005-3335: (mantis bug 6273)
 Denied again, but with the information from the original Secunia advisory I'm
 sure Woody isn't affected either, as the vulnerable functionality isn't present
 in 0.17.

Cheers,
        Moritz
diff -Nawur mantis-0.19.2/bug_actiongroup_page.php 
mantis-0.19.3/bug_actiongroup_page.php
--- mantis-0.19.2/bug_actiongroup_page.php      2004-11-22 14:36:50.000000000 
+0100
+++ mantis-0.19.3/bug_actiongroup_page.php      2005-09-25 15:33:48.000000000 
+0200
@@ -114,7 +114,7 @@
 foreach( $f_bug_arr as $t_bug_id ) { 
        $t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 );
        $t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td> 
</tr>\n"
-               , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), 
string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, 'summary' ) 
+               , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), 
string_get_bug_view_link( $t_bug_id ), string_attribute( bug_get_field( 
$t_bug_id, 'summary' ) )
     );
        echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '" 
/>' . "\n";
 }
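Review bot: the hidden input on the line after the fixed sprintf still echoes $t_bug_id into value="..." unescaped, so escaping 'summary' only covers half of this loop; unless $f_bug_arr is already cast to integers before the foreach, emit `(int)$t_bug_id` (or `string_attribute( $t_bug_id )`) there as well, otherwise a crafted bug_arr[] entry reaches the page markup untouched.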
diff -Nawur mantis-0.19.2/bug_sponsorship_list_view_inc.php 
mantis-0.19.3/bug_sponsorship_list_view_inc.php
--- mantis-0.19.2/bug_sponsorship_list_view_inc.php     2004-07-21 
14:38:36.000000000 +0200
+++ mantis-0.19.3/bug_sponsorship_list_view_inc.php     2005-09-22 
12:53:56.000000000 +0200
@@ -6,13 +6,15 @@
        # See the files README and LICENSE for details
 
        # --------------------------------------------------------
-       # $Id: bug_sponsorship_list_view_inc.php,v 1.10 2004/07/21 12:38:36 
vboctor Exp $
+       # $Id: bug_sponsorship_list_view_inc.php,v 1.10.8.1 2005/09/22 10:53:57 
vboctor Exp $
        # --------------------------------------------------------
 ?>
 <?php
        # This include file prints out the list of users sponsoring the current
        # bug.  $f_bug_id must be set to the bug id
 
+       $t_core_path = config_get( 'core_path' );
+
        require_once( $t_core_path . 'sponsorship_api.php' );
        require_once( $t_core_path . 'collapse_api.php' );
 
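Review bot: the new assignment carries no comment saying why $t_core_path is re-fetched from config here instead of being inherited from the including page, which is exactly the kind of line a later cleanup removes as redundant; add a one-line comment naming the register_globals file-inclusion issue it closes. Also grep the other *_inc.php files for the same `require_once( $t_core_path . ... )` shape without a preceding assignment: the interdiff touches only this include, while the advisory is about the parameter, not this one file.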
diff -Nawur mantis-0.19.2/core/authentication_api.php 
mantis-0.19.3/core/authentication_api.php
--- mantis-0.19.2/core/authentication_api.php   2004-08-14 17:26:20.000000000 
+0200
+++ mantis-0.19.3/core/authentication_api.php   2005-09-25 15:27:24.000000000 
+0200
@@ -135,7 +135,7 @@
        # --------------------
        # Allows scripts to login using a login name or ( login name + password 
)
        function auth_attempt_script_login( $p_username, $p_password = null ) {
-               global $g_script_login_cookie;
+               global $g_script_login_cookie, $g_cache_current_user_id;
 
                $t_user_id = user_get_id_by_name( $p_username );
 
@@ -161,6 +161,9 @@
                # set the cookies
                $g_script_login_cookie = $t_user['cookie_string'];
 
+               # cache user id for future reference
+               $g_cache_current_user_id = $t_user_id;
+
                return true;
        }
 
@@ -341,19 +344,26 @@
 
        # --------------------
        # Return the current user login cookie string,
-       # if no user is logged in and anonymous login is enabled, returns 
cookie for anonymous user
+       # note that the cookie cached by a script login superceeds the cookie 
provided by
+       #  the browser. This shouldn't normally matter, except that the 
password verification uses
+       #  this routine to bypass the normal authentication, and can get 
confused when a normal user
+       #  logs in, then runs the verify script. the act of fetching config 
variables may get the wrong
+       #  userid.      # if no user is logged in and anonymous login is 
enabled, returns cookie for anonymous user
        # otherwise returns '' (an empty string)
        function auth_get_current_user_cookie() {
                global $g_script_login_cookie;
 
+               # if logging in via a script, return that cookie
+               if ( $g_script_login_cookie !== null ) {
+                       return $g_script_login_cookie;
+               }
+
+               # fetch user cookie
                $t_cookie_name = config_get( 'string_cookie' );
                $t_cookie = gpc_get_cookie( $t_cookie_name, '' );
 
                # if cookie not found, and anonymous login enabled, use cookie 
of anonymous account.
                if ( is_blank( $t_cookie ) ) {
-                       if ( $g_script_login_cookie !== null ) {
-                               return $g_script_login_cookie;
-                       } else {
                                if ( ON == config_get( 'allow_anonymous_login' 
) ) {
                                        $query = sprintf('SELECT id, 
cookie_string FROM %s WHERE username = "%s"',
                                                        config_get( 
'mantis_user_table' ), config_get( 'anonymous_account' ) );
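Review bot: the new header comment has swallowed the old one: the line ending `userid.      # if no user is logged in and anonymous login is enabled, returns cookie for anonymous user` is the previous first comment line appended to the end of the new paragraph, so split it back onto its own `#` line; 'superceeds' should read 'supersedes'. Behaviourally the hunk promotes the script-login cookie from "fallback when no browser cookie is present" to "always wins", which is what the comment argues for, but it also means any request that reaches auth_attempt_script_login() has its browser identity replaced for the rest of that request; that deserves a sentence in the comment and a test case with both a browser cookie and a script login set.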
@@ -365,7 +375,6 @@
                                        }
                                }
                        }
-               }
 
                return $t_cookie;
        }
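Review bot: with the `else {` removed in the previous hunk and its closing brace removed here, the surviving `if ( ON == config_get( 'allow_anonymous_login' ) )` block keeps one indentation level too many; re-indent it so the brace structure can be checked by eye, since this function is now the single point deciding which identity a request runs as.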
diff -Nawur mantis-0.19.2/core/current_user_api.php 
mantis-0.19.3/core/current_user_api.php
--- mantis-0.19.2/core/current_user_api.php     2004-11-19 13:29:00.000000000 
+0100
+++ mantis-0.19.3/core/current_user_api.php     2005-10-11 14:06:32.000000000 
+0200
@@ -78,7 +78,8 @@
        # --------------------
        # Return true if the currently user is the anonymous user
        function current_user_is_anonymous() {
-               return current_user_get_field( 'username' ) == config_get( 
'anonymous_account' );
+               $t_anonymous_account = config_get( 'anonymous_account' );
+               return ( !is_blank( $t_anonymous_account ) && ( 
current_user_get_field( 'username' ) == $t_anonymous_account ) );
        }
        # --------------------
        # Trigger an ERROR if the current user account is protected
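Review bot: the comparison is still PHP's loose `==`; since the is_blank() guard was added precisely because an empty anonymous_account matched unexpectedly, use `===` so other loose-equality surprises (a username of "0" against an anonymous_account of "0.0", which PHP compares numerically) cannot reproduce the same class of bug. A short comment on what is_blank() protects against would also help whoever backports this to sarge.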
diff -Nawur mantis-0.19.2/core/email_api.php mantis-0.19.3/core/email_api.php
--- mantis-0.19.2/core/email_api.php    2004-10-05 23:10:14.000000000 +0200
+++ mantis-0.19.3/core/email_api.php    2005-09-25 15:50:28.000000000 +0200
@@ -768,20 +768,28 @@
                        $p_recipients = array( $p_recipients );
                }
 
-               $result = array();
-               foreach ( $p_recipients as $t_recipient ) {
-
-                       lang_push( user_pref_get_language( $t_recipient, 
bug_get_field( $p_bug_id, 'project_id' ) ) );
+               $t_project_id = bug_get_field( $p_bug_id, 'project_id' );
+               $t_sender_id = auth_get_current_user_id();
+               $t_sender = user_get_name( $t_sender_id );
 
                        $t_subject = email_build_subject( $p_bug_id );
-                       $t_sender = current_user_get_field( 'username' ) . ' <' 
.
-                                               current_user_get_field( 'email' 
) . '>' ;
                        $t_date = date( config_get( 'normal_date_format' ) );
-                       $t_header = "\n" . lang_get( 'on' ) . " $t_date, 
$t_sender " .
-                                               lang_get( 
'sent_you_this_reminder_about' ) . ":\n\n";
+
+               $result = array();
+               foreach ( $p_recipients as $t_recipient ) {
+                       lang_push( user_pref_get_language( $t_recipient, 
$t_project_id ) );
 
                        $t_email = user_get_email( $t_recipient );
                        $result[] = user_get_name( $t_recipient );
+
+                       if ( access_has_project_level( config_get( 
'show_user_email_threshold' ), $t_project_id, $t_recipient ) ) {
+                               $t_sender_email .= ' <' . 
current_user_get_field( 'email' ) . '>' ;
+                       } else {
+                               $t_sender_email = '';
+                       }
+                       $t_header = "\n" . lang_get( 'on' ) . " $t_date, 
$t_sender $t_sender_email " .
+                                               lang_get( 
'sent_you_this_reminder_about' ) . ": \n\n";
+
                        $t_contents = $t_header .
                                                        
string_get_bug_view_url_with_fqdn( $p_bug_id, $t_recipient ) .
                                                        "\n\n$p_message";
diff -Nawur mantis-0.19.2/core/filter_api.php mantis-0.19.3/core/filter_api.php
--- mantis-0.19.2/core/filter_api.php   2004-11-19 14:06:30.000000000 +0100
+++ mantis-0.19.3/core/filter_api.php   2005-09-25 15:39:50.000000000 +0200
@@ -753,7 +753,7 @@
 ?> 
 
                <br />
-               <form method="post" name="filters" action="<?php PRINT 
$t_action; ?>">
+               <form method="post" name="filters" action="<?php PRINT 
htmlentities($t_action); ?>">
                <input type="hidden" name="type" value="5" />
                <?php
                        if ( $p_for_screen == false ) {
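Review bot: htmlentities() with its default flags encodes double quotes but not single ones, which is enough for this double-quoted action attribute, but the project already has string_attribute() (used in the bug_actiongroup_page.php hunk of this same patch) for exactly this job; use it here too so a later change of quoting style or default charset does not silently reopen the hole.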
@@ -761,10 +761,10 @@
                                PRINT '<input type="hidden" name="offset" 
value="0" />';
                        }
                ?>
-               <input type="hidden" name="sort" value="<?php PRINT $t_sort ?>" 
/>
-               <input type="hidden" name="dir" value="<?php PRINT $t_dir ?>" />
-               <input type="hidden" name="page_number" value="<?php PRINT 
$p_page_number ?>" />
-               <input type="hidden" name="view_type" value="<?php PRINT 
$t_view_type ?>" />
+               <input type="hidden" name="sort" value="<?php PRINT 
htmlentities($t_sort) ?>" />
+               <input type="hidden" name="dir" value="<?php PRINT 
htmlentities($t_dir) ?>" />
+               <input type="hidden" name="page_number" value="<?php PRINT 
htmlentities($p_page_number) ?>" />
+               <input type="hidden" name="view_type" value="<?php PRINT 
htmlentities($t_view_type) ?>" />
                <table class="width100" cellspacing="1">
                
                <?php
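Review bot: same remark as for the action attribute: prefer string_attribute() over bare htmlentities(). For $p_page_number, $t_sort and $t_dir, escaping treats a validation problem as an output problem: page_number should be an integer and sort/dir a column name and a direction, so cast `(int)$p_page_number` and whitelist the other two where they are read, keeping the escaping only as defence in depth. If $t_sort or $t_dir is also interpolated into an ORDER BY clause elsewhere in filter_api.php, htmlentities() does nothing for that path.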
diff -Nawur mantis-0.19.2/lost_pwd.php mantis-0.19.3/lost_pwd.php
--- mantis-0.19.2/lost_pwd.php  2004-10-25 21:45:04.000000000 +0200
+++ mantis-0.19.3/lost_pwd.php  2005-09-22 13:11:34.000000000 +0200
@@ -27,9 +27,12 @@
        $f_email = email_append_domain( $f_email );
        email_ensure_valid( $f_email );
 
+       $c_username = db_prepare_string( $f_username );
+       $c_email = db_prepare_string( $f_email );
+
        $t_user_table = config_get( 'mantis_user_table' );
 
-       $query = 'SELECT id FROM ' . $t_user_table . ' WHERE username = \'' . 
$f_username . '\' and email = \'' . $f_email . '\'';
+       $query = 'SELECT id FROM ' . $t_user_table . ' WHERE username = \'' . 
$c_username . '\' and email = \'' . $c_email . '\'';
        $result = db_query( $query );
 
        if ( 0 == db_num_rows( $result ) ) {
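Review bot: db_prepare_string() on both values is the right fix for this quoted-string context, but it has to escape for the database actually in use (backslash escaping is MySQL-specific; PostgreSQL and MSSQL need quote doubling), so confirm it dispatches on the configured driver rather than calling addslashes(). Two smaller points: email_ensure_valid() runs on $f_email but nothing validates $f_username before use, and $f_username/$f_email keep the raw values after this hunk, so any later use of them in this file (log line, e-mail body) needs its own escaping.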

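The two source patterns closed by this interdiff (an include path taken from a variable the file never assigns, which register_globals turns into the t_core_path file inclusion, and raw form input concatenated into an SQL string, as in lost_pwd.php) are easy to grep for by hand but easy to miss across a tree, which is the check the "I couldn't find it with grep" remark above is really asking for. The scanner below is an added example for this thread, not code from Mantis or from the Debian packaging. It assumes only the Mantis variable prefix convention ($f_ for raw form/GPC input, $c_ for a value cleaned for the database, $t_ for temporaries) and the include/require shape seen in the patch; the sample PHP sources inside it are constructed to mimic the before/after shapes, and helper names in them such as gpc_get_string() are assumed, not taken from a release.

```python
"""Heuristic scan for the two patterns fixed in the 0.19.2 -> 0.19.3 interdiff.
Added example for this thread, not Mantis code; helper names in the constructed
samples (gpc_get_string etc.) are assumed."""
import re

# include/require whose path expression starts with a variable
INCLUDE_RE = re.compile(r'\b(?:require|include)(?:_once)?\s*\(?\s*(\$[A-Za-z_]\w*)')
# plain assignment ("$x = ...", not "$x == ...")
ASSIGN_RE = re.compile(r'(\$[A-Za-z_]\w*)\s*=(?!=)')
# "global $a, $b;" counts as a definition
GLOBAL_RE = re.compile(r'\bglobal\s+([^;]+);')
# a statement that builds a query string ("$query = ..." or "$query .= ...")
QUERY_START_RE = re.compile(r'\$(?:query|sql)\w*\s*\.?=')
FORM_VAR_RE = re.compile(r'\$f_\w+')


def _statements(php_source):
    """Yield (first_line_no, text) per ';'-terminated statement, so a query
    built over several lines is inspected as one unit; blank and comment
    lines end a statement instead of being glued onto the next one."""
    buf, start = [], None
    for n, line in enumerate(php_source.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(('#', '//')):
            if buf:
                yield start, '\n'.join(buf)
                buf, start = [], None
            continue
        if start is None:
            start = n
        buf.append(line)
        if ';' in line:
            yield start, '\n'.join(buf)
            buf, start = [], None
    if buf:
        yield start, '\n'.join(buf)


def find_unassigned_include_vars(php_source):
    """(line_no, var) for include/require calls whose path starts with a variable
    neither assigned nor declared global earlier in the same file.  Under
    register_globals=On such a variable is settable from the query string.
    Files that legitimately inherit the variable from their includer are
    flagged too, so hits are review candidates, not confirmed bugs."""
    defined, hits = set(), []
    for n, line in enumerate(php_source.splitlines(), 1):
        for m in INCLUDE_RE.finditer(line):
            if m.group(1) not in defined:
                hits.append((n, m.group(1)))
        for m in GLOBAL_RE.finditer(line):
            defined.update(v.strip() for v in m.group(1).split(','))
        for m in ASSIGN_RE.finditer(line):
            defined.add(m.group(1))
    return hits


def find_raw_form_vars_in_queries(php_source):
    """(line_no, var) for $f_ variables inside a statement that builds a query
    string, i.e. raw GPC input reaching SQL without the $c_/db_prepare_string()
    step, as in lost_pwd.php before the fix."""
    hits = []
    for n, stmt in _statements(php_source):
        if QUERY_START_RE.search(stmt):
            hits.extend((n, v) for v in sorted(set(FORM_VAR_RE.findall(stmt))))
    return hits


def scan(php_source):
    """Both checks as one list of (check, line_no, var) tuples."""
    return ([('include', n, v) for n, v in find_unassigned_include_vars(php_source)]
            + [('sql', n, v) for n, v in find_raw_form_vars_in_queries(php_source)])


# Constructed samples mimicking the before/after shapes in the interdiff.
INC_BEFORE = """<?php
    # This include file prints out the list of users sponsoring the current
    # bug.  $f_bug_id must be set to the bug id

    require_once( $t_core_path . 'sponsorship_api.php' );
    require_once( $t_core_path . 'collapse_api.php' );
?>
"""
INC_AFTER = INC_BEFORE.replace(
    "    require_once( $t_core_path . 'sponsorship_api.php' );",
    "    $t_core_path = config_get( 'core_path' );\n\n"
    "    require_once( $t_core_path . 'sponsorship_api.php' );")

LOST_PWD_BEFORE = r"""<?php
    $f_username = gpc_get_string( 'username' );   # assumed helper name
    $f_email = gpc_get_string( 'email' );
    $t_user_table = config_get( 'mantis_user_table' );

    $query = 'SELECT id FROM ' . $t_user_table .
        ' WHERE username = \'' . $f_username . '\' and email = \'' . $f_email . '\'';
    $result = db_query( $query );
?>
"""
LOST_PWD_AFTER = LOST_PWD_BEFORE.replace(
    "$query = ", "$c_username = db_prepare_string( $f_username );\n"
    "    $c_email = db_prepare_string( $f_email );\n    $query = "
).replace("' . $f_username . '", "' . $c_username . '") \
 .replace("' . $f_email . '", "' . $c_email . '")

if __name__ == '__main__':
    for name, src in [('inc before', INC_BEFORE), ('inc after', INC_AFTER),
                      ('lost_pwd before', LOST_PWD_BEFORE), ('lost_pwd after', LOST_PWD_AFTER)]:
        print(name, scan(src))
```

Run it over a checkout with `scan(open(path).read())` per file; the include check reports every `*_inc.php` that consumes a variable it never sets, which is the list to inspect by hand (the 0.17 tree in woody included), and the SQL check reports query statements still built from `$f_` values rather than their `$c_` counterparts.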