Bug 1162046 (CVE-2014-7146, CVE-2014-8598)

Summary: CVE-2014-7146 CVE-2014-8598 mantis: issues in the XML Import/Export plug-in to be fixed in the upcoming 1.2.18 release
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: giallu, guillaume, jrusnack
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mantis 1.2.18 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-22 02:09:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1162047, 1162048    
Bug Blocks:    

Description Murray McAllister 2014-11-10 06:29:24 UTC 
CVE-2014-7146 was assigned to the following issue:

""
When importing data with the plugin, user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed.
""

CVE-2014-8598 was assigned to the following issues:

""
The XML Import/Export "official" plugin (i.e. bundled with MantisBT releases) currently does not perform any access level checks in the import and export pages. This leads to the following vulnerabilities:


1) import

Any user of a MantisBT instance with the XML plugin enabled and knowing the URL to the plugin's import page could upload an XML file and insert data without restriction, regardless of their access level.


This vulnerability is particularly dangerous when used in combination with the one described in issue #17725 [1] (CVE-2014-7146) as it makes for a very simple and easily accessible vector for PHP code injection attacks.


2) export

There was also no access check when exporting data, which could allow an attacker to gain access to confidential information (disclosure of all bug-related data, including usernames). 
""

These issues affect versions 1.2.0a3 up to and including 1.2.17. They will be fixed in a future 1.2.18 release.

Upstream fixes:
https://github.com/mantisbt/mantisbt/commit/bed19db9
https://github.com/mantisbt/mantisbt/commit/80a15487

References:
http://seclists.org/oss-sec/2014/q4/576
http://seclists.org/oss-sec/2014/q4/577
Comment 1 Murray McAllister 2014-11-10 06:30:17 UTC 
Created mantis tracking bugs for this issue:

Affects: fedora-all [bug 1162047]
Affects: epel-5 [bug 1162048]
Comment 2 Fedora Update System 2014-12-12 04:01:16 UTC 
mantis-1.2.17-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2014-12-12 04:22:06 UTC 
mantis-1.2.17-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2014-12-12 04:31:02 UTC 
mantis-1.2.17-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.