MantisBT <=1.2.3 (db_type) Local File Inclusion Vulnerability

2010-12-15T00:00:00
ID ZSL-2010-4984
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-12-15T00:00:00

Description

Title: MantisBT <=1.2.3 (db_type) Local File Inclusion Vulnerability
Advisory ID: ZSL-2010-4984
Type: Local
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 15.12.2010

Summary

MantisBT is a free popular web-based bugtracking system. It is written in the PHP scripting language and works with MySQL, MS SQL, and PostgreSQL databases and a webserver. MantisBT has been installed on Windows, Linux, Mac OS, OS/2, and others. Almost any web browser should be able to function as a client. It is released under the terms of the GNU General Public License (GPL).

Description

Mantis Bug Tracker suffers from a local file inclusion/disclosure (LFI/FD) vulnerability: input passed through the "db_type" parameter (GET and POST) of the admin/upgrade_unattended.php script is not validated before it is handed to the bundled ADOdb library, which concatenates the value straight into the path of the database driver file it includes. An attacker can therefore supply directory traversal sequences to include arbitrary files from the local filesystem, and a URL-encoded NULL byte (%00) to cut off the trailing ".inc.php" suffix (the NULL-byte truncation works on PHP releases before 5.3.4, which covers the tested PHP 5.3.1). The script lives in the admin directory and is reachable over HTTP, which is why the vendor advises deleting that directory after installation.

--------------------------------------------------------------------------------

--> library/adodb/adodb.inc.php (around line 4110)

...

$file = ADODB_DIR."/drivers/adodb-".$db.".inc.php";
@include_once($file);

...
--------------------------------------------------------------------------------
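To make the mechanism in that snippet concrete, here is an added example written for this page (it is not code from the advisory, from MantisBT or from ADOdb). It models in Python how an unvalidated db_type value turns the driver path into an arbitrary local file, what the same step looks like with a driver-name allowlist and a containment check, and how to spot the payload shape in request logs. ADODB_DIR, the driver directory layout and every request string below are assumptions or constructed inputs, not values taken from the advisory:

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote

# Assumed install location of the bundled ADOdb library (not from the advisory).
ADODB_DIR = "/var/www/mantis/library/adodb"
DRIVER_DIR = ADODB_DIR + "/drivers"


def php_path_truncate(path: str) -> str:
    """PHP before 5.3.4 handed include paths to C string functions, which stop
    at the first NUL byte, so everything after %00 (here ".inc.php") vanished.
    PHP 5.3.4 and later reject paths containing NUL instead."""
    nul = path.find("\x00")
    return path if nul < 0 else path[:nul]


def vulnerable_driver_path(db_type: str, legacy_php: bool = True) -> str:
    """Mirror of  $file = ADODB_DIR."/drivers/adodb-".$db.".inc.php";
    $db comes straight from the db_type request parameter, unvalidated."""
    raw = f"{DRIVER_DIR}/adodb-{db_type}.inc.php"
    effective = php_path_truncate(raw) if legacy_php else raw
    # normpath collapses the ../ sequences and shows which file the web
    # server process would actually open for include_once.
    return posixpath.normpath(effective)


def escapes_driver_dir(path: str) -> bool:
    """True when the resolved include target lies outside DRIVER_DIR."""
    return not path.startswith(DRIVER_DIR + "/")


# A legitimate ADOdb driver name is a short lowercase token (mysql, mysqli,
# postgres7, mssql, ...). Anything else has no business in the path.
DRIVER_NAME = re.compile(r"[a-z0-9_]+")


def hardened_driver_path(db_type: str) -> str:
    """Fixed version: allowlist the token, then confirm the resolved path is
    still inside the drivers directory (defence in depth against later
    changes to the concatenation)."""
    if not DRIVER_NAME.fullmatch(db_type):
        raise ValueError(f"invalid db_type: {db_type!r}")
    path = posixpath.normpath(f"{DRIVER_DIR}/adodb-{db_type}.inc.php")
    if escapes_driver_dir(path):
        raise ValueError("driver path resolved outside the drivers directory")
    return path


def suspicious_db_type(query_string: str) -> bool:
    """Log-review helper: flag a request whose db_type carries traversal or an
    encoded NUL after URL decoding (a second unquote catches double encoding)."""
    params = parse_qs(query_string, keep_blank_values=True)
    for value in params.get("db_type", []):
        decoded = unquote(value)
        if "\x00" in decoded or ".." in decoded:
            return True
    return False


if __name__ == "__main__":
    # Constructed payload in the shape the advisory describes: traversal plus %00.
    payload = "../" * 8 + "etc/passwd\x00"
    print(vulnerable_driver_path("mysql"))
    print(vulnerable_driver_path(payload))        # /etc/passwd
    print(hardened_driver_path("mysql"))
    for q in ("db_type=mysql", "db_type=..%2F..%2Fetc%2Fpasswd%00"):
        print(q, suspicious_db_type(q))
```

The NUL-byte truncation is modelled for PHP before 5.3.4, matching the tested PHP 5.3.1; on later PHP the %00 trick fails (the include is rejected), but traversal to any file whose name ends in ".inc.php" would still have worked until the vendor's 1.2.4 fix, which is why the allowlist on the token itself, not just NUL filtering, is the right repair.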

Vendor

MantisBT Group - <http://www.mantisbt.org>

Affected Version

<1.2.4

Tested On

Microsoft Windows XP Professional SP3 (English)
Debian GNU/Linux (squeeze)
Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1

Vendor Status

[13.12.2010] Vulnerability discovered.
[13.12.2010] Initial contact with the vendor.
[13.12.2010] Vendor responds asking more details.
[13.12.2010] Sent PoC files to the vendor.
[14.12.2010] Vendor confirms the issue.
[15.12.2010] Vendor releases version 1.2.4 to address this issue (+Comment: Delete the "admin" directory after installation).
[15.12.2010] Coordinated public advisory released.

PoC

mantis_lfi.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.mantisbt.org/bugs/view.php?id=12607>
[2] <http://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.4>
[3] <http://git.mantisbt.org/?p=mantisbt.git;a=commit;h=2641fdc60d2032ae1586338d6416e1eadabd7590>
[4] <http://www.mantisbt.org/blog/?p=123>
[5] <http://bugs.gentoo.org/show_bug.cgi?id=348761>
[6] <https://bugzilla.redhat.com/show_bug.cgi?id=663230>
[7] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159>
[8] <https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482>
[9] <http://www.exploit-db.com/exploits/15736/>
[10] <http://www.exploit-db.com/ghdb/3651/>
[11] <http://secunia.com/advisories/42597/>
[12] <http://www.securityfocus.com/bid/45399>
[13] <http://securityreason.com/wlb_show/WLB-2010120069>
[14] <http://xforce.iss.net/xforce/xfdb/64071>
[15] <http://packetstormsecurity.org/files/96733>
[16] <http://osvdb.org/show/osvdb/70157>
[17] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4350>
[18] <http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052730.html>
[19] <http://www.vupen.com/english/advisories/2011/0002>
[20] <http://lwn.net/Vulnerabilities/421455/>
[21] <http://www.nessus.org/plugins/index.php?view=single&id=51359>

Changelog

[15.12.2010] - Initial release
[16.12.2010] - Added reference [13] and [14]
[17.12.2010] - Added reference [15]
[30.12.2010] - Added reference [16] and [17]
[05.01.2011] - Added reference [18] and [19]
[06.01.2011] - Added reference [20]
[06.03.2011] - Added reference [21]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk
