View Issue Details

ID: 0027351
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2020-12-30 07:30
Reporter: d3vpoo1
Assigned To: dregad
Priority: normal
Severity: feature
Reproducibility: always
Status: assigned
Resolution: open
Platform: Windows
OS: Windows
OS Version: Windows
Product Version: 2.24.3
Summary: 0027351: Prevent updating Issue with invalid values for ETA and Projection
Description

Apologies for the summary, I am not sure about that one, but if I am correct I also read the same issues (where something about SQL syntax prints @int@).

I am just playing with the config (and I am looking for the config to turn on the repository but no luck)

If I am not mistaken I read some issues where it prints @int@

This @int@ is the result if the Admin selects on the select field and the selection doesn't exist.

Steps To Reproduce
  • Make sure you enable the ETA field

  • Go to any issues, edit it

  • Open your proxy

  • Edit the ETA field

The default selection has 6 fields, including none.

  • Update the information

Request

POST /mantisbt/bug_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 511
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/bug_update_page.php
Cookie: MANTIS_PROJECT_COOKIE=1; MANTIS_STRING_COOKIE=JbbVOGNh1qb1RUdLiCrzBSJCGGHCx9eO9s3pm02cOZSBZuJdZrazRUCE_XrJvb7i; PHPSESSID=n3tmk4a409i9qu1k386lkeahnp; MANTIS_secure_session=1
Upgrade-Insecure-Requests: 1

bug_update_token=20200926iA3docGYexu0uD5dEHHuxRupzXTyMeS6&bug_id=1&last_updated=1601112787&category_id=1&view_state=10&handler_id=6&priority=30&severity=50&reproducibility=70&status=50&resolution=10&projection=10&eta=30&platform=&os=&os_build=&summary=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&description=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&steps_to_reproduce=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&additional_information=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&bugnote_text=

Response

HTTP/1.1 302 Found
Date: Sat, 26 Sep 2020 10:38:27 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 10:38:27 GMT
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 10:38:27 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt/view.php?id=1
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

Exploit

  • Do the same thing but now edit the value of eta

Exploit request

POST /mantisbt/bug_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 520
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/bug_update_page.php
Cookie: MANTIS_PROJECT_COOKIE=1; MANTIS_STRING_COOKIE=JbbVOGNh1qb1RUdLiCrzBSJCGGHCx9eO9s3pm02cOZSBZuJdZrazRUCE_XrJvb7i; PHPSESSID=n3tmk4a409i9qu1k386lkeahnp; MANTIS_secure_session=1
Upgrade-Insecure-Requests: 1

bug_update_token=20200926CWnX6mJ2XwOGX6x_z_dL5VlQN1uAgVIl&bug_id=1&last_updated=1601116707&category_id=1&view_state=10&handler_id=6&priority=30&severity=50&reproducibility=70&status=50&resolution=10&projection=10&eta=21312312321&platform=&os=&os_build=&summary=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&description=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&steps_to_reproduce=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&additional_information=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&bugnote_text=

Exploit response

HTTP/1.1 302 Found
Date: Sat, 26 Sep 2020 10:40:01 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 10:40:01 GMT
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 10:40:01 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt/view.php?id=1
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
  • Refresh the site and the ETA field will render @32767@

Additional Information

In case you need a PoC please mention it (can't upload an attachment due to an internet issue).

Tags: No tags attached.

Relationships

related to 0027807 (assigned, dregad): Prevent silent update of invalid enum fields when editing issue

Activities

d3vpoo1 (reporter)

2020-09-26 06:54   ~0064490

Hello! I didn't notice the projection field, and this field is also vulnerable to this issue. Should I open a new ticket for that one?

If that is the case, I shouldn't open one.

My payload here is 911111111111110 and this prints @32767@ too

dregad (developer)

2020-09-26 17:33   ~0064494

The display of @xxx@ is by design, this is actually the expected behavior when a field is associated with an enumeration ($g_eta_enum_string and $g_projection_enum_string in this case), which is a configurable setting, and the value stored in the database does not exist in the enum's definition.

I am not able to reproduce your @32767@ scenario; when a value is bigger than the max for the smallint type, I get a MySQL error 1264: Out of range value for column 'eta'.

As it stands I wouldn't consider this as a bug.

d3vpoo1 (reporter)

2020-09-27 17:24   ~0064501

I don't edit the g_eta_enum_string and g_projection_enum_string

$g_projection_enum_string = '10:none,30:tweak,50:minor fix,70:major rework,90:redesign';

/**
 *
 * @global string $g_eta_enum_string
 */
$g_eta_enum_string = '10:none,20:< 1 day,30:2-3 days,40:< 1 week,50:< 1 month,60:> 1 month';
@@.png (38,413 bytes)   
dregad (developer)

2020-11-21 19:53   ~0064674

This one I don't consider as a security issue, as the only impact is storing some data that cannot be rendered by Mantis.

Nevertheless, I will implement a fix to prevent updating the Issue record with ETA data that is not defined in the enum string; an error message will be thrown in this case.

dregad (developer)

2020-12-28 19:17   ~0064856

There was some argument from @vboctor during code review:

It is unclear to me why this [dregad: i.e. the extra check for eta and projection] is needed here, but not needed for priority, severity, etc? Does it make sense to have gpc_get_enum( $p_name, $p_default, $p_valid_values )? Though I wonder if it is worth it, since we will have the @xxx@ case if the enum config gets updated and some values removed anyway. I would say we should assume the right values are passed and that the action page is validating it is called properly via security token, and that should be enough.

Considering the above, and the fact that this is not really a security issue, although it could introduce data inconsistency (but that is quite visible in the UI as the invalid entries are shown as @xxx@), and there are some quite complex implications in terms of testing to introduce the same change for all enums, I'm dropping this from the 2.24.4 scope for now, to be revisited at some later point.
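As an added illustration of the gpc_get_enum() idea raised in the review comment above (example code, not MantisBT's own; the function name is taken from the comment, its signature and the use of a $_POST-style array are assumed), the following parses the enum strings quoted earlier in the thread and accepts only values defined there, so the eta and projection values from the two requests are refused instead of being written to the smallint column.

```php
<?php
// Added example, not MantisBT's own code. Enum config strings use the
// format "<int>:<label>,<int>:<label>,..." (values copied from the thread).
$g_eta_enum_string = '10:none,20:< 1 day,30:2-3 days,40:< 1 week,50:< 1 month,60:> 1 month';
$g_projection_enum_string = '10:none,30:tweak,50:minor fix,70:major rework,90:redesign';

/**
 * Parse an enum config string into [int value => string label].
 */
function enum_to_array( string $p_enum_string ): array {
	$t_result = array();
	foreach( explode( ',', $p_enum_string ) as $t_pair ) {
		// Split on the first colon only, so a label containing ':' survives.
		list( $t_value, $t_label ) = explode( ':', $t_pair, 2 );
		$t_result[(int)trim( $t_value )] = trim( $t_label );
	}
	return $t_result;
}

/**
 * Hypothetical gpc_get_enum(): return the submitted value if it is a
 * member of the enum, $p_default if the parameter is absent, and null
 * otherwise so the caller can raise an error instead of silently updating.
 */
function gpc_get_enum( array $p_post, string $p_name, int $p_default, string $p_enum_string ) {
	if( !isset( $p_post[$p_name] ) ) {
		return $p_default;
	}
	$t_raw = $p_post[$p_name];
	// Only a short plain decimal string is considered; this also stops
	// oversized numbers such as 21312312321 before any integer cast.
	if( !is_string( $t_raw ) || !preg_match( '/^\d{1,9}$/', $t_raw ) ) {
		return null;
	}
	$t_valid = enum_to_array( $p_enum_string );
	return array_key_exists( (int)$t_raw, $t_valid ) ? (int)$t_raw : null;
}

// Constructed POST arrays holding the values from the two requests above.
$t_cases = array(
	array( array( 'eta' => '30' ), 'eta', $g_eta_enum_string ),
	array( array( 'eta' => '21312312321' ), 'eta', $g_eta_enum_string ),
	array( array( 'projection' => '911111111111110' ), 'projection', $g_projection_enum_string ),
);
foreach( $t_cases as list( $t_post, $t_name, $t_enum ) ) {
	$t_checked = gpc_get_enum( $t_post, $t_name, 10, $t_enum );
	echo $t_name, '=', $t_post[$t_name], ' => ',
		( $t_checked === null ? 'rejected' : 'accepted as ' . $t_checked ), PHP_EOL;
}
```

The two observations in the thread are consistent with MySQL's SQL mode: in non-strict mode an out-of-range value is clipped to the column's maximum (32767 for a signed SMALLINT, hence @32767@), while strict mode rejects it with error 1264.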

Related Changesets

MantisBT: master e5a44f81

2020-12-28 19:22:18

dregad

BugData::_set() handle eta as int

The eta field was not included in the switch, so was dealt with by the
default case and treated as string while it is in fact an enum and
should be handled as int.

Issue 0027351

Affected Issues: 0027351

mod - core/bug_api.php