-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:          Multiple vulnerabilities in Mantis
Name:              TKADV2005-11-002
Revision:          1.0
Release Date:      2005/12/23
Last Modified:     2005/12/23
Date Reported:     2005/11/04
Author:            Tobias Klein (tk at trapkit.de)
Affected Software: Mantis (all versions <= 0.19.3)
Risk:              Critical ( ) High ( ) Medium (x) Low (x)
Vendor URL:        http://www.mantisbt.org
Vendor Status:     Vendor has released an updated version

=========
Overview:
=========

Mantis is a widely used PHP/MySQL web-based bug tracking system. Version 0.19.3 and prior contain multiple Cross Site Scripting, SQL Injection and HTTP Header CRLF Injection vulnerabilities. Furthermore, it is possible to conduct a denial of service attack under certain circumstances.

======================
Vulnerability details:
======================

For a description of the calculation of the resulting threat of a vulnerability see reference [3].

All vulnerabilities are exploitable, no matter if magic_quotes_gpc is turned on or off.

[1] SQL Injection

Possible damage:           Critical
Probability of occurrence: Low
Resulting threat:          Medium
HTTP method:               GET

Vulnerability description:

Mantis is prone to a SQL injection vulnerability. This issue is due to a lack of proper sanitization of user-supplied input before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

This vulnerability can only be successfully exploited by the administrative user.

Vulnerable GET parameter: prefix

Proof of Concept (GET request):

[path_to_mantis]/manage_user_page.php?prefix=A[SQL]

[2] SQL Injection

Possible damage:           Critical
Probability of occurrence: Low
Resulting threat:          Medium
HTTP method:               POST

Vulnerability description:

Mantis is prone to a SQL injection vulnerability.
This issue is due to a lack of proper sanitization of user-supplied input before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

This vulnerability can only be successfully exploited by the administrative user.

Vulnerable URL: [path_to_mantis]/manage_user_page.php

Vulnerable POST parameter: sort

Proof of Concept (POST request):

POST [path_to_mantis]/manage_user_page.php HTTP/1.1
[...]
sort=username[SQL]&dir=ASC&save=1

[3] SQL Injection

Possible damage:           Low
Probability of occurrence: High
Resulting threat:          Low
HTTP method:               GET

Vulnerability description:

Mantis is prone to a SQL injection vulnerability. This issue is due to a lack of proper sanitization of user-supplied input before using it in an SQL query. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

This vulnerability can be successfully exploited by any anonymous user. As it is only possible to inject SQL after the ORDER BY statement, it is very unlikely that this vulnerability can be exploited to do harmful things. That's why the possible damage is rated as low.

Vulnerable GET parameter: sort

Proof of Concept (GET request):

[path_to_mantis]/view_all_set.php?sort=priority[SQL]

[4] Cross Site Scripting

Possible damage:           Medium
Probability of occurrence: Low
Resulting threat:          Low
HTTP method:               GET
XSS type:                  non-persistent

Vulnerability description:

The "view_type" parameter is prone to cross-site scripting attacks. This could permit remote attackers to create a malicious link to a vulnerable PHP script that includes hostile client-side script code or HTML. If this link is visited, the attacker-supplied code may be rendered in the browser of the user who visits the malicious link.
This vulnerability can be successfully exploited by any anonymous user.

Vulnerable GET parameter: view_type

Proof of Concept:

[path_to_mantis]/view_filters_page.php?target_field=reporter_id[]&view_type=">

[5] Cross Site Scripting

Possible damage:           Medium
Probability of occurrence: Low
Resulting threat:          Low
HTTP method:               GET
XSS type:                  non-persistent

Vulnerability description:

The "target_field" parameter is prone to cross-site scripting attacks. This could permit remote attackers to create a malicious link to a vulnerable PHP script that includes hostile client-side script code or HTML. If this link is visited, the attacker-supplied code may be rendered in the browser of the user who visits the malicious link.

This vulnerability can be successfully exploited by any anonymous user.

Vulnerable GET parameter: target_field

Proof of Concept:

[path_to_mantis]/view_filters_page.php?target_field=">

[6] HTTP Header CRLF Injection

Possible damage:           Medium
Probability of occurrence: Low
Resulting threat:          Low
HTTP method:               GET

Vulnerability description:

There is no input validation performed on user data passed to the "return" parameter of the application. As a result, malicious users may embed CR/LF sequences to inject additional headers into outgoing messages.

This vulnerability can be successfully exploited by any anonymous user.

Vulnerable GET parameter: return

Proof of Concept:

[path_to_mantis]/login_cookie_test.php?return=%0d%0aLocation:%20http://www.google.com

[7] HTTP Header CRLF Injection

Possible damage:           Medium
Probability of occurrence: Low
Resulting threat:          Low
HTTP method:               POST

Vulnerability description:

There is no input validation performed on user data passed to the "ref" parameter of the application. As a result, malicious users may embed CR/LF sequences to inject additional headers into outgoing messages.

This vulnerability can be successfully exploited by any anonymous user.
URL with vulnerable POST parameter:

[path_to_mantis]/login_select_proj_page.php?ref=bug_report_page.php

Vulnerable POST parameter: ref

Proof of Concept (POST request):

POST [path_to_mantis]/set_project.php HTTP/1.0
[...]
ref=%0d%0aLocation:%20http://www.google.com&project_id=1

[8] Upload files with arbitrary size

Possible damage:           Medium
Probability of occurrence: Low
Resulting threat:          Low
HTTP method:               POST

Vulnerability description:

When the uploading functionality is activated (see config_inc.php), it is possible to upload files with an arbitrary size. Normally uploaded files have a max size of 2,000k. This gets enforced by the form-data parameter 'name="max_file_size"'. It is possible to manipulate this parameter to an arbitrary value. As the file gets directly uploaded to the database, it is possible to fill the available disk space of the database and cause a denial of service.

This vulnerability can be successfully exploited by any anonymous user.

URL with vulnerable POST form:

[path_to_mantis]/view.php?id=1

Vulnerable POST request:

POST [path_to_mantis]/bug_file_add.php HTTP/1.1
[...]
-----------------------------263932646429032
Content-Disposition: form-data; name="bug_id"

1
-----------------------------263932646429032
Content-Disposition: form-data; name="max_file_size"

2000000   <--- this value can be easily modified
[...]

Other URLs with vulnerable upload feature:

[path_to_mantis]/bug_report.php
[path_to_mantis]/bug_report_advanced_page.php
[path_to_mantis]/proj_doc_add_page.php

=========
Solution:
=========

Upgrade to Mantis 0.19.4 / 1.0.0rc4 or newer.

http://www.mantisbt.org/download.php

========
History:
========

2005/11/04 - Vendor notified
2005/11/06 - Vendor response
2005/11/13 - Contacted vendor regarding status report
2005/12/18 - Release of new Mantis version
2005/12/23 - Public release

========
Credits:
========

Vulnerabilities found and advisory written by Tobias Klein.
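Upgrading is the fix the advisory gives. Issues [1] to [7] nevertheless share a pattern worth seeing in code: the sort column and prefix land in an identifier position of the query where quoting (and therefore magic_quotes_gpc) is irrelevant, the return/ref value lands in a response header where a CR/LF ends the header, and view_type/target_field land inside HTML attributes. The following Python is an added example written for this page; it is not code from the advisory or from the Mantis project. The column allowlist, the default redirect target, the LIKE placeholder style and all function names are assumptions made for the example; the only values taken from the advisory are the parameter names and the proof-of-concept placeholders.

```python
import html
import re
from urllib.parse import parse_qs

# --- [1]-[3]: ORDER BY column / LIKE prefix ----------------------------------
# Constructed allowlist for this example; only "priority" and "username" are
# column names that appear in the advisory's proofs of concept.
ALLOWED_SORT_COLUMNS = {"id", "priority", "username", "last_updated"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
_PREFIX_RE = re.compile(r"[A-Za-z0-9_.-]{0,32}")


def build_order_by(sort: str, direction: str = "ASC") -> str:
    """ORDER BY clause assembled only from allowlisted identifiers.

    Column names and directions are identifiers, not values: they cannot be
    bound as query parameters, and magic_quotes_gpc is no help because no
    quote character is needed to append SQL after ORDER BY. An exact match
    against a fixed set is the only safe construction; anything else is
    rejected rather than "cleaned".
    """
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f"ORDER BY {sort} {direction}"


def prefix_filter(prefix: str) -> tuple[str, tuple[str]]:
    """(sql, params) for the username-prefix filter, DB-API style.

    The prefix is a value, so it travels as a bound parameter ('%s' is the
    placeholder used by MySQL drivers such as MySQLdb/PyMySQL). The character
    allowlist keeps the '%' wildcard out, and '_' is escaped with MySQL's
    default LIKE escape character (backslash), so only a literal prefix can
    ever be matched.
    """
    if not _PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"invalid prefix: {prefix!r}")
    return "WHERE username LIKE %s", (prefix.replace("_", "\\_") + "%",)


def accepts(func, *args) -> bool:
    """True when func(*args) does not raise ValueError (used by the checks)."""
    try:
        func(*args)
    except ValueError:
        return False
    return True


# --- [6]-[7]: redirect targets ----------------------------------------------
# Any CR, LF or other control character ends the Location header value and
# lets the rest of the parameter be parsed as further headers (or as a body).
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# A plain relative path into the application, optionally with a query string
# (constructed rule; Mantis's real redirect targets are not listed here).
_SAFE_TARGET = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_./?=&-]*")


def safe_return_target(value: str, default: str = "bug_report_page.php") -> str:
    """Return `value` if it is an acceptable redirect target, else `default`.

    `value` is the parameter as the web server hands it to the script, i.e.
    percent-decoded once, so "%0d%0a" has already become CR LF. Rejected
    input is replaced, not stripped: removing the control characters would
    still let the rest of the attacker-controlled string through.
    """
    if _CONTROL_CHARS.search(value) or ".." in value:
        return default
    if value.startswith(("/", "\\")) or not _SAFE_TARGET.fullmatch(value):
        return default
    return value


def location_for(query_string: str, param: str = "return") -> str:
    """Location header value for a login_cookie_test.php-style redirect:
    parse the query exactly as the server does, then validate the target."""
    raw = parse_qs(query_string, keep_blank_values=True).get(param, [""])[0]
    return safe_return_target(raw)


# --- [4]-[5]: parameters echoed into HTML -----------------------------------
def hidden_field(name: str, value: str) -> str:
    """Hidden <input> with both attribute values HTML-escaped, so a value such
    as `">` is rendered as text instead of closing the attribute and the tag."""
    return (f'<input type="hidden" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')
```

The design choice that matters in all three helpers is reject-or-replace instead of strip-and-continue: a value that fails the check is discarded wholesale, because partial cleaning of an identifier, a header value or an attribute leaves the remainder of the client-controlled string in a position that is still interpreted. Later PHP releases (from 5.1.2 on) also refuse a header() call whose value contains a newline, but that is a last line of defence, not a reason to pass unvalidated return targets around.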
===========
References:
===========

[1] http://www.trapkit.de/advisories/TKADV2005-11-002.txt
[2] http://www.trapkit.de/advisories/TKADVcortav.txt

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

The copyright for any material created by the author is reserved. Any duplication of codes or texts provided here in electronic or printed publications is not permitted without the author's agreement.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2005 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ6xaU5F8YHACG4RBEQIRBQCfRKdoqrMLtkvZIZNCiFXxgKhBE4sAn1lY
tvcVoH5dncXxlUtfsoxfVK/T
=WE1k
-----END PGP SIGNATURE-----
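Appended after the advisory as an added example (not part of Tobias Klein's text and not Mantis project code): the GET-based proofs of concept above ([1], [3], [4], [5], [6]) are all visible in an ordinary web-server access log, so an operator who wants to know whether any were tried against an unpatched install during the disclosure window can scan the log for them. The script names and parameter names come from the advisory; the payload classes, the "combined" log format, the sample log lines and every function name are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scripts and GET parameters named in the advisory, with the payload class each
# proof of concept carries. Only the GET-based issues are visible in a standard
# access log; the POST variants (sort on manage_user_page.php, ref on
# set_project.php, the upload forms) need request-body or application logging.
WATCH = {
    "manage_user_page.php": {"prefix": "sql"},
    "view_all_set.php": {"sort": "sql"},
    "view_filters_page.php": {"view_type": "xss", "target_field": "xss"},
    "login_cookie_test.php": {"return": "crlf"},
}

CHECKS = {
    # a column name or name prefix should be a plain word; anything else in an
    # ORDER BY / LIKE position is worth a look
    "sql": lambda v: re.search(r"[^A-Za-z0-9_.-]", v) is not None,
    # markup-significant characters in a parameter that is echoed into HTML
    "xss": lambda v: re.search(r"[<>\"']", v) is not None,
    # a decoded CR or LF in a parameter that ends up in a response header
    "crlf": lambda v: "\r" in v or "\n" in v,
}

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_target(target: str) -> list[str]:
    """Return finding labels ("class:script:param") for one request target."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    watched = WATCH.get(script)
    if not watched:
        return []
    # parse_qs percent-decodes, so %0d%0a is seen as CR LF, as the app sees it
    params = parse_qs(parts.query, keep_blank_values=True)
    return [
        f"{kind}:{script}:{name}"
        for name, kind in watched.items()
        for value in params.get(name, [])
        if CHECKS[kind](value)
    ]


def scan_log(lines) -> list[tuple[str, list[str]]]:
    """Return (client ip, findings) for every log line that trips a check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        findings = inspect_target(m["target"])
        if findings:
            hits.append((m["ip"], findings))
    return hits


# Constructed sample log: benign requests plus the advisory's GET proofs of
# concept, percent-encoded the way a browser would send them.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Dec/2005:10:00:00 +0100] "GET /mantis/view_all_set.php?sort=priority&dir=ASC HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [23/Dec/2005:10:00:05 +0100] "GET /mantis/view_all_set.php?sort=priority%5BSQL%5D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.12 - - [23/Dec/2005:10:00:09 +0100] "GET /mantis/view_filters_page.php?target_field=reporter_id%5B%5D&view_type=%22%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.13 - - [23/Dec/2005:10:00:14 +0100] "GET /mantis/login_cookie_test.php?return=%0d%0aLocation:%20http://www.google.com HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.14 - - [23/Dec/2005:10:00:20 +0100] "GET /mantis/manage_user_page.php?prefix=A HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, ", ".join(findings))
```

Two caveats when running this against real logs. First, the POST-based issues ([2], [7], [8]) leave nothing in the request line, so they are only detectable with request-body logging (a reverse proxy or WAF) or with logging inside the application. Second, for the upload issue [8] the max_file_size form field is supplied by the client and therefore cannot be the control; the size limit has to be enforced on the server, for instance through PHP's upload_max_filesize and post_max_size directives and a size check on the received file before it is written to the database.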