---------------------------------------------------
| BuHa Security-Advisory #7        | Feb 14th, 2006 |
---------------------------------------------------
| Vendor    | Mantis BT                             |
| URL       | http://www.mantisbt.org/              |
| Version   | <= Mantis 1.00rc4                     |
| Risk      | Moderate                              |
---------------------------------------------------

o Description:
=============

Mantis is a web-based bug-tracking system. It is written in the PHP
scripting language and requires the MySQL database and a web server.
Visit http://www.mantisbt.org/ for detailed information.

o SQL-Injection:
===============

> > /manage_user_page.php: GET:

The manipulated value of the sort parameter is saved into the
"MANTIS_MANAGE_COOKIE" cookie. The cookie value is inserted into a SQL
query, and every time the page is loaded a MySQL database error is
displayed:

> > You have an error in your SQL syntax; check the manual that
> > corresponds to your MySQL server version for the right syntax
> > to use near '\"> ASC' at line 4 for the query:
> > SELECT *
> > FROM mantis_user_table
> > WHERE (1 = 1)
> > ORDER BY last_visit\' AS

Unexploitable SQL-Injection, temporary defacement.

o XSS:
=====

> > /view_all_set.php: GET: GET: GET: GET: GET: GET: GET: GET: GET: GET: GET: GET: GET: GET: GET:
> > /manage_user_page.php: GET:
> > /view_filters_page.php: GET:
> > /proj_doc_delete.php: GET:

o Disclosure Timeline:
=====================

08 Oct 05 - Security flaws discovered.
17 Nov 05 - Vendor contacted.
15 Dec 05 - Vendor contacted again.
18 Dec 05 - Vendor confirmed vulnerabilities.
18 Dec 05 - Vendor released partly bugfixed version.
19 Dec 05 - Vendor contacted again.
03 Feb 06 - Vendor released bugfixed version.
14 Feb 06 - Public release.

o Solution:
==========

Upgrade to Mantis 1.0.0. [1]

o Credits:
=========

Thomas Waldegger
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory,
feel free to send me a mail.
The address 'bugtraq@morph3us.org' is more a spam address than a regular
mail address, so it is possible that I ignore some mails. Please use the
contact details at http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20060214-mantis-100rc4.txt

[1] http://www.mantisbt.org/download.php
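The cookie-to-ORDER-BY flaw described in the SQL-Injection section above, shown as an added PHP illustration that is not Mantis code: the sort column and direction persisted in the cookie are checked against an allowlist before the query string is built, since identifiers cannot be bound as prepared-statement parameters. The table name and the `last_visit` column come from the advisory's quoted query; the other column names, the cookie layout and the function names are assumptions.

```php
<?php
// Added illustration (not Mantis code). Column names other than
// last_visit, the "column:direction" cookie layout and the function
// names are assumptions for this example.

// Columns the user table may legitimately be sorted by (allowlist).
const SORT_COLUMNS = ['username', 'realname', 'email', 'access_level', 'last_visit'];
const SORT_DIRECTIONS = ['ASC', 'DESC'];

/**
 * Validate a persisted sort setting. Returns [column, direction] on
 * success, or null for anything not on the allowlist, including the
 * '"> ASC' fragment quoted in the advisory's MySQL error.
 */
function validate_sort(string $column, string $direction): ?array
{
    $direction = strtoupper($direction);
    if (!in_array($column, SORT_COLUMNS, true)) {
        return null;
    }
    if (!in_array($direction, SORT_DIRECTIONS, true)) {
        return null;
    }
    return [$column, $direction];
}

/**
 * Build the user listing query from the cookie value. Only allowlisted
 * identifiers ever reach the ORDER BY clause; an invalid cookie falls
 * back to a fixed default instead of producing a database error page.
 */
function build_user_query(string $cookie_value): string
{
    $parts = explode(':', $cookie_value, 2);
    $sort = validate_sort($parts[0] ?? '', $parts[1] ?? '');
    if ($sort === null) {
        $sort = ['username', 'ASC']; // safe default; caller may reset the cookie
    }
    [$column, $direction] = $sort;
    return "SELECT * FROM mantis_user_table WHERE (1 = 1) ORDER BY $column $direction";
}

// Constructed inputs: a legitimate sort value and a tampered one.
var_dump(build_user_query('last_visit:DESC'));
var_dump(build_user_query('last_visit"> ASC:ASC'));
```

The tampered value is never interpolated, so the page renders with the default ordering rather than echoing a MySQL syntax error.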