Bug 448410 (CVE-2008-3332)

Summary: CVE-2008-3332 mantis: code execution by users with administrative privileges
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: giallu, jreese, rh-bugzilla
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-28 08:55:40 UTC

Description Tomas Hoger 2008-05-26 15:28:31 UTC
Antonio "s4tan" Parata and Francesco "ascii" Ongaro discovered that mantis 1.1.1
allows administrative accounts to execute arbitrary PHP code using a flaw in the
adm_config:

  C) Remote Code Execution Vulnerabilities

  Finally we present the most critical vulnerability. A Remote Code
  Execution vulnerability exists in the software, but it can be exploited
  only if the attacker has a valid administrator account, so it could be
  ideal if used in conjunction with the previous one. The vulnerability
  is in the file adm_config_set.php. On row 80 we have the following
  statement:

  eval( '$t_value = ' . $f_value . ';' );

  where the $f_value is defined at row 34 of the same file:

  $f_value = gpc_get_string( 'value' );

  the parameter $f_value is never validated, so we can exploit this issue
  with the following url which executes the phpinfo() function:

  http://www.example.com/mantis/adm_config_set.php?user_id=0&project_id=0&config_option=cache_config&type=0&value=0;phpinfo()

References:
http://marc.info/?l=bugtraq&m=121130774617956&w=4
http://www.ush.it/team/ush/hack-mantis111/adv.txt

Upstream bug reports (currently restricted):
http://www.mantisbt.org/bugs/view.php?id=8976
http://www.mantisbt.org/bugs/view.php?id=8980

Upstream commit in 1.1 SVN branch:
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5121
(partial fix according to the commit message)

This is probably not an issue in situations where all admin mantis users are
expected to be able to execute their own PHP scripts on the host with the
privileges of the web server (e.g. when they also have a normal user account
and the web server is configured to serve the content of public_html
directories).
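
Added example (not MantisBT's own code, and not the upstream 1.1.2 fix): a
side-by-side of the eval() pattern quoted in the advisory and a replacement
that parses the submitted value by declared type without ever handing it to
the PHP interpreter. The function names config_set_vulnerable() and
config_set_safe(), the CONFIG_TYPE_* constants, the JSON encoding chosen for
"complex" values and the constructed request below are all assumptions for
illustration; the code assumes PHP 7 or later.

```php
<?php
// Added example, not MantisBT code. Shows why eval('$t_value = ' . $f_value . ';')
// is remote code execution, and one way to accept the same kinds of values
// (int, string, array) as data only. Names and constants are assumptions.
declare(strict_types=1);

const CONFIG_TYPE_DEFAULT = 0;   // caller did not say; infer int or string
const CONFIG_TYPE_INT     = 1;
const CONFIG_TYPE_STRING  = 2;
const CONFIG_TYPE_COMPLEX = 3;   // arrays, accepted here as JSON (assumption)

// The pattern from adm_config_set.php: the raw 'value' request parameter is
// spliced into a PHP statement. "0;phpinfo()" becomes "$t_value = 0;phpinfo();"
// and the second statement executes with the web server's privileges.
function config_set_vulnerable(string $f_value)
{
    eval('$t_value = ' . $f_value . ';');
    return $t_value;
}

// Hardened replacement: each declared type has a dedicated parser, and a
// value that does not match the type is rejected instead of interpreted.
function config_set_safe(int $t_type, string $f_value)
{
    $is_int = (bool) preg_match('/^[+-]?\d+$/', $f_value);

    switch ($t_type) {
        case CONFIG_TYPE_INT:
            // Optional sign plus digits only; "0;phpinfo()" fails this check.
            if (!$is_int) {
                throw new InvalidArgumentException('value is not an integer');
            }
            return (int) $f_value;

        case CONFIG_TYPE_STRING:
            // Stored verbatim as data; nothing in it is executed.
            return $f_value;

        case CONFIG_TYPE_COMPLEX:
            // Arrays arrive as JSON and go through a data parser, not eval().
            $decoded = json_decode($f_value, true, 16);
            if (json_last_error() !== JSON_ERROR_NONE || !is_array($decoded)) {
                throw new InvalidArgumentException('complex value must be a JSON array or object');
            }
            return $decoded;

        case CONFIG_TYPE_DEFAULT:
            // Inference is limited to "looks like an integer, else a string".
            return $is_int ? (int) $f_value : $f_value;

        default:
            throw new InvalidArgumentException("unknown config type $t_type");
    }
}

// Constructed request mirroring the advisory's proof of concept, with a
// visible but harmless injected statement in place of phpinfo().
$request = [
    'config_option' => 'cache_config',
    'type'          => '0',
    'value'         => '0;echo "injected statement ran\n"',
];

echo "vulnerable path: ";
config_set_vulnerable($request['value']);   // prints "injected statement ran"

foreach ([CONFIG_TYPE_DEFAULT, CONFIG_TYPE_INT, CONFIG_TYPE_STRING, CONFIG_TYPE_COMPLEX] as $type) {
    try {
        $v = config_set_safe($type, $request['value']);
        echo "safe path, type $type: stored as data ", var_export($v, true), "\n";
    } catch (Exception $e) {
        echo "safe path, type $type: rejected ({$e->getMessage()})\n";
    }
}

// A legitimate complex value still round-trips through the safe path.
$legit = '{"10":"new","50":"assigned","90":"closed"}';
echo "legitimate complex value: ", var_export(config_set_safe(CONFIG_TYPE_COMPLEX, $legit), true), "\n";
```

Running the script shows the contrast directly: the eval() path executes the
second statement, while the safe path either rejects the payload (int and
complex types) or stores it as an inert string (string and default types).
The point for reviewers is not the particular parser chosen but that no code
path concatenates request data into a string given to eval(), and that the
only way to accept a structured value is through a parser whose output is
data.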

Comment 1 Fedora Update System 2008-07-19 22:10:56 UTC
mantis-1.1.2-1.fc9 has been submitted as an update for Fedora 9

Comment 2 Fedora Update System 2008-07-19 22:14:39 UTC
mantis-1.1.2-1.fc8 has been submitted as an update for Fedora 8

Comment 3 Fedora Update System 2008-07-23 07:20:07 UTC
mantis-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2008-07-23 07:21:37 UTC
mantis-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Tomas Hoger 2008-07-28 08:53:58 UTC
CVE-2008-3332:
Eval injection vulnerability in adm_config_set.php in Mantis before
1.1.2 allows remote authenticated administrators to execute arbitrary
code via the value parameter.

Comment 6 Red Hat Product Security 2008-07-28 08:55:40 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6657
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6647