
BuHa-7.txt

17 Feb 2006 · Reported by BuHa-Security · Type: packetstorm · Source: packetstormsecurity.com

Mantis Bugtracking System Security Advisory

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: RIPEMD160  
  
---------------------------------------------------  
| BuHa Security-Advisory #7 | Feb 14th, 2006 |  
---------------------------------------------------  
| Vendor | Mantis BT |  
| URL | http://www.mantisbt.org/ |  
| Version | <= Mantis 1.00rc4 |  
| Risk | Moderate |  
---------------------------------------------------  
  
o Description:  
=============  
  
Mantis is a web-based bugtracking system. It is written in the PHP  
scripting language and requires the MySQL database and a webserver.  
  
Visit http://www.mantisbt.org/ for detailed information.  
  
o SQL-Injection:  
===============  
  
> > /manage_user_page.php:  
GET: <?sort=last_visit'>  
  
The manipulated data of the sort parameter is saved into  
"MANTIS_MANAGE_COOKIE" cookie. The value of the cookie is inserted  
into a SQL query and every time the page is loaded a MySQL database  
error is displayed.  
  
> > You have an error in your SQL syntax; check the manual that  
> > corresponds to your MySQL server version for the right syntax  
> > to use near '\"> ASC' at line 4 for the query:  
> > SELECT *  
> > FROM mantis_user_table  
> > WHERE (1 = 1)  
> > ORDER BY last_visit\' AS  
  
Unexploitable SQL-Injection, temporary defacement.  
  
o XSS:  
=====  
  
> > /view_all_set.php:  
GET: <?type=1&handler_id=1&hide_status=[XSS]>  
GET: <?type=1&handler_id=[XSS]>  
GET: <?type=1&temporary=y&user_monitor=[XSS]>  
GET: <?type=1&temporary=y&reporter_id=[XSS]>  
GET: <?type=6&view_type=[XSS]>  
GET: <?type=1&show_severity=[XSS]>  
GET: <?type=1&show_category=[XSS]>  
GET: <?type=1&show_status=[XSS]>  
  
GET: <?type=1&show_resolution=[XSS]>  
GET: <?type=1&show_build=[XSS]>  
GET: <?type=1&show_profile=[XSS]>  
GET: <?type=1&show_priority=[XSS]>  
  
GET: <?type=1&highlight_changed=[XSS]>  
GET: <?type=1&relationship_type=[XSS]>  
GET: <?type=1&relationship_bug=[XSS]>  
  
> > /manage_user_page.php:  
GET: <?sort=[XSS]>  
  
> > /view_filters_page.php:  
GET: </view_filters_page.php?view_type=[XSS]>  
  
> > /proj_doc_delete.php:  
GET: <?file_id=1&title=[XSS]>  
  
o Disclosure Timeline:  
=====================  
  
08 Oct 05 - Security flaws discovered.  
17 Nov 05 - Vendor contacted.  
15 Dec 05 - Vendor contacted again.  
18 Dec 05 - Vendor confirmed vulnerabilities.  
18 Dec 05 - Vendor released partly bugfixed version.  
19 Dec 05 - Vendor contacted again.  
03 Feb 06 - Vendor released bugfixed version.  
14 Feb 06 - Public release.  
  
o Solution:  
==========  
  
Upgrade to Mantis 1.0.0. [1]  
  
o Credits:  
=========  
  
Thomas Waldegger <[email protected]>  
BuHa-Security Community - http://buha.info/board/  
  
If you have questions, suggestions or criticism about the advisory, feel  
free to send me a mail. The address '[email protected]' is more a  
spam address than a regular mail address therefore it's possible that I  
ignore some mails. Please use the contact details at http://morph3us.org/  
to contact me.  
  
Greets fly out to cyrus-tc, destructor, nait, trappy and all  
members of BuHa.  
  
Advisory online: http://morph3us.org/advisories/20060214-mantis-100rc4.txt  
  
[1] http://www.mantisbt.org/download.php  
  
-----BEGIN PGP SIGNATURE-----  
Version: n/a  
Comment: http://morph3us.org/  
  
iD8DBQFD8qCZkCo6/ctnOpYRA3OmAJkBblkaWsqm4Gsmd1kmZmfSiE0tdgCgkPXw  
Yw3XgTq5MxLHSGX7hExkDpQ=  
=nRmi  
-----END PGP SIGNATURE-----  
`
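
The advisory's `sort` finding comes from a request value being stored in a cookie and then concatenated into `ORDER BY`, and its XSS findings come from request values echoed without encoding. The following is an added example, not Mantis code and not the vendor's fix: it shows allowlist validation of the sort column before it is stored or used, plus output encoding. The function names and every column name other than `last_visit` are assumptions.

```php
<?php
// Added example, not Mantis code. Column names other than last_visit are assumed.
const SORT_COLUMNS = ['username', 'last_visit', 'date_created'];

/** Map an untrusted sort value (GET parameter or saved cookie) to a known column. */
function safe_sort_column(?string $raw, string $default = 'username'): string
{
    // Strict comparison: only exact, known identifiers reach the query text.
    return in_array($raw, SORT_COLUMNS, true) ? $raw : $default;
}

/** Map an untrusted direction to one of the two SQL keywords. */
function safe_sort_dir(?string $raw): string
{
    return strtoupper((string) $raw) === 'DESC' ? 'DESC' : 'ASC';
}

function build_user_query(?string $sort, ?string $dir): string
{
    // Identifiers cannot be bound as prepared-statement parameters,
    // so the ORDER BY column has to come from the allowlist.
    return 'SELECT * FROM mantis_user_table WHERE (1 = 1) ORDER BY '
        . safe_sort_column($sort) . ' ' . safe_sort_dir($dir);
}

/** Encode a request value before echoing it into HTML (the [XSS] cases). */
function h(?string $raw): string
{
    return htmlspecialchars((string) $raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: the value from the advisory and a normal one.
foreach (["last_visit'", 'last_visit'] as $sort) {
    // Validate before persisting, so a bad value is never stored in the cookie
    // and replayed on every later page load.
    $stored = safe_sort_column($sort);
    echo h($sort), ' => ', build_user_query($stored, 'asc'), PHP_EOL;
}
```

With the advisory's input `last_visit'`, the stored value falls back to the default column, so the query stays well formed and the page no longer errors on reload.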
