Bug 446926 (CVE-2008-2276)

Summary: CVE-2008-2276 mantis: multiple CSRF issues
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: giallu, jreese, rh-bugzilla
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2276
Doc Type: Bug Fix
Last Closed: 2008-07-28 08:54:52 UTC
Attachments: Fix applied upstream (flags: none)

Description Tomas Hoger 2008-05-16 17:06:49 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2276 to the following vulnerability:

Cross-site request forgery (CSRF) vulnerability in Mantis 1.1.1 allows
remote attackers to create new administrative users via user_create.

Secunia advisory:
http://secunia.com/advisories/30270

Upstream announcement of the fix in alpha version 1.2.0a1:
http://sourceforge.net/project/shownotes.php?release_id=595025&group_id=14963
- 0008995: [security] CSRF Vulnerabilities in user_create (thraxisp).

Upstream bug report:
http://www.mantisbt.org/bugs/view.php?id=8995

Fix applied upstream:
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5132

Comment 1 Tomas Hoger 2008-05-16 17:09:40 UTC
Created attachment 305711 [details]
Fix applied upstream

svn diff -c 5132 https://mantisbt.svn.sourceforge.net/svnroot/mantisbt

Comment 2 Tomas Hoger 2008-05-16 17:22:23 UTC
The upstream patch only seems to add checks to make sure the POST method is used.  It
seems the attacker should still be able to create a link that would do a POST
using JavaScript to achieve the very same results with a little more complication.

(This assumption is only based on reading the patch with no testing against mantis.)

Comment 3 Gianluca Sforna 2008-05-17 17:20:59 UTC
Your assumptions are correct. I am working upstream and I was not satisfied
with that solution either; can you point me to commonly recognized best practices
against this kind of attack?

I'm a bit confused because I see this as having someone convince me that doing rm
-rf / is a good thing to do. If I trust him and happen to run it in a root
shell, that does not make it a vulnerability in bash (or anything else...)

thanks in advance

Comment 4 John Reese 2008-05-22 20:24:36 UTC
This has been fixed in upstream version 1.1.x and 1.2.x via SVN commits
5287/5290 and 5288/5292 respectively.



Comment 5 Tomas Hoger 2008-05-26 14:57:58 UTC
(In reply to comment #3)
> I'm a bit confused because I see this as having someone convince me that doing rm
> -rf / is a good thing to do. If I trust him and happen to run it in a root
> shell, that does not make it a vulnerability in bash (or anything else...)

The danger is that they may be easier to obfuscate.  If it's possible to perform actions
via GET, something like img src=somescript.php?opts can perform the attacker's
actions without giving the victim a way to realize something bad is happening.

(In reply to comment #4)
> This has been fixed in upstream version 1.1.x and 1.2.x via SVN commits
> 5287/5290 and 5288/5292 respectively.

Thanks!  Direct link to commits in 1.1 branch:
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5287
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5290


Reporters published their original advisory covering this CSRF issue along with
two other issues:

http://marc.info/?l=bugtraq&m=121130774617956&w=4
http://www.ush.it/team/ush/hack-mantis111/adv.txt
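
The point made in comments 2 and 5 (a POST-only check does not stop a cross-site form or script, while a GET-only action can be triggered by an img tag), together with the best-practice question in comment 3, modelled as an added example that is not Mantis code or the upstream fix: a constructed user_create authorization check that compares a method-only policy with the synchronizer-token pattern (token stored in the session, echoed back in the form, compared in constant time). The request and session dicts are stand-ins for the real HTTP layer.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Create a fresh per-session token and store it server-side.

    The application embeds the returned value as a hidden field in its own
    form; a page on another origin cannot read it, so it cannot forge it.
    """
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def authorize_user_create(request, session, require_token):
    """Decide whether a user_create request may proceed.

    require_token=False models a check that only insists on POST, which a
    cross-site form or script can still satisfy.  require_token=True adds
    the synchronizer-token check: the request must carry the token issued
    to this session.
    """
    if request["method"] != "POST":
        return False, "rejected: method is not POST"
    if require_token:
        expected = session.get("csrf_token", "")
        supplied = request["params"].get("csrf_token", "")
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return False, "rejected: missing or invalid CSRF token"
    return True, "accepted"


def demo():
    """Run the request shapes discussed in the bug against both policies (constructed data)."""
    session = {}                       # the victim's logged-in session; the browser sends its cookie automatically
    token = issue_csrf_token(session)  # the genuine form carries this as a hidden field
    requests = {
        "img_get": {"method": "GET", "params": {"username": "x"}},       # img src=... style request
        "xsite_post": {"method": "POST", "params": {"username": "x"}},   # cross-site form/script, no token
        "genuine_post": {"method": "POST", "params": {"username": "x", "csrf_token": token}},
    }
    return {
        name: {
            "method_only": authorize_user_create(req, session, require_token=False)[0],
            "with_token": authorize_user_create(req, session, require_token=True)[0],
        }
        for name, req in requests.items()
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Only the genuine form submission passes the token policy; the method-only policy lets the cross-site POST through, which is the gap comment 2 describes.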


Comment 6 Gianluca Sforna 2008-05-26 15:22:04 UTC
I'm working upstream on a solution for the other issues. How urgently should fixing
the first issue be treated? In other words, is it better to push a
security update now and another when the other fix is ready, or everything
together (possibly within an official 1.1.2 release)?

Comment 7 Tomas Hoger 2008-05-26 15:36:26 UTC
So far it seems all issues have low or moderate security impact, hence no urgent
priority, I believe.  Do you know what the expected release date for 1.1.2 is?
Probably not worth doing backports if a new upstream version is expected any time
soon.

Comment 8 Fedora Update System 2008-07-19 22:10:52 UTC
mantis-1.1.2-1.fc9 has been submitted as an update for Fedora 9

Comment 9 Fedora Update System 2008-07-19 22:14:35 UTC
mantis-1.1.2-1.fc8 has been submitted as an update for Fedora 8

Comment 10 Fedora Update System 2008-07-23 07:20:03 UTC
mantis-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2008-07-23 07:21:35 UTC
mantis-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Red Hat Product Security 2008-07-28 08:54:52 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6657
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6647