SB2014111804 - Multiple vulnerabilities in MantisBT

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2014-8987)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows remote administrators to inject arbitrary web script or HTML via the config_option parameter, a different vulnerability than CVE-2014-8986.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Information disclosure (CVE-ID: CVE-2014-9279)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL.

3) Cross-site scripting (CVE-ID: CVE-2014-9270)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-8988)

The vulnerability allows a remote #AU# to gain access to sensitive information.

MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL.

5) Cross-site scripting (CVE-ID: CVE-2014-8986)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 when processing a crafted config option, a different vulnerability than CVE-2014-8987. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

6) Input validation error (CVE-ID: CVE-2014-7146)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.

Remediation

Install update from vendor's website.

References

• http://www.mantisbt.org/bugs/view.php?id=17870
• http://www.openwall.com/lists/oss-security/2014/11/14/9
• http://www.openwall.com/lists/oss-security/2014/11/15/2
• http://www.openwall.com/lists/oss-security/2014/11/15/3
• http://www.openwall.com/lists/oss-security/2014/11/15/4
• http://www.openwall.com/lists/oss-security/2014/11/19/21
• https://github.com/mantisbt/mantisbt/commit/49c3d089
• http://seclists.org/oss-sec/2014/q4/863
• http://www.mantisbt.org/bugs/view.php?id=17877
• http://www.securityfocus.com/bid/71359
• https://exchange.xforce.ibmcloud.com/vulnerabilities/99031
• https://github.com/mantisbt/mantisbt/commit/0826cef8
• http://seclists.org/oss-sec/2014/q4/867
• http://seclists.org/oss-sec/2014/q4/902
• http://secunia.com/advisories/62101
• http://www.debian.org/security/2015/dsa-3120
• http://www.securityfocus.com/bid/71372
• https://exchange.xforce.ibmcloud.com/vulnerabilities/99037
• https://github.com/mantisbt/mantisbt/commit/0bff06ec
• https://www.mantisbt.org/bugs/view.php?id=17583
• http://seclists.org/oss-sec/2014/q4/693
• http://www.mantisbt.org/bugs/view.php?id=17742
• http://www.openwall.com/lists/oss-security/2014/11/15/6
• http://www.securityfocus.com/bid/71104
• https://exchange.xforce.ibmcloud.com/vulnerabilities/98731
• https://github.com/mantisbt/mantisbt/commit/5f0b150b
• http://www.openwall.com/lists/oss-security/2014/11/15/1
• http://www.openwall.com/lists/oss-security/2014/11/19/20
• https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02cef41bf40
• http://seclists.org/oss-sec/2014/q4/576
• http://www.mantisbt.org/bugs/view.php?id=17725
• http://www.securityfocus.com/bid/70993
• https://exchange.xforce.ibmcloud.com/vulnerabilities/98572
• https://github.com/mantisbt/mantisbt/commit/84017535
• https://github.com/mantisbt/mantisbt/commit/bed19db9