CVE-2002-1112
CVSS5.0
发布时间 :2002-10-04 00:00:00
修订时间 :2016-10-17 22:23:42
NMCOS    

[原文]Mantis before 0.17.4 allows remote attackers to list project bugs without authentication by modifying the cookie that is used by the "View Bugs" page.


[CNNVD]mantis受限项目漏洞列表查看漏洞(CNNVD-200210-073)

        
        mantis是一款基于WEB的PHP编写MySQL后台支持的漏洞跟踪系统。
        Mantis中用户可以从下拉菜单中选择一个项目,然后与之相关的所有漏洞列表将被显示。
        'View Bugs'页面负责显示一个项目中的漏洞列表,但它没有检查是否用户确实有权访问该项目。攻击者可以通过修改cookie中储存的项目编号变量,来获取该项目的漏洞列表,即使该项目对用户来讲是受限的。
        注意攻击者并不能获取受限项目中漏洞的详细内容,也不能获取受限/私有漏洞的列表。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:mantis:mantis:0.15.10
cpe:/a:mantis:mantis:0.15.11
cpe:/a:mantis:mantis:0.15.12
cpe:/a:mantis:mantis:0.15.4
cpe:/a:mantis:mantis:0.17.2
cpe:/a:mantis:mantis:0.15.5
cpe:/a:mantis:mantis:0.17.3
cpe:/a:mantis:mantis:0.15.6
cpe:/a:mantis:mantis:0.15.7
cpe:/a:mantis:mantis:0.16.0
cpe:/a:mantis:mantis:0.16.1
cpe:/a:mantis:mantis:0.17.0
cpe:/a:mantis:mantis:0.15.3
cpe:/a:mantis:mantis:0.17.1
cpe:/a:mantis:mantis:0.15.8
cpe:/a:mantis:mantis:0.15.9

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1112
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1112
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-073
(官方数据源) CNNVD

- 其它链接及资源

http://mantisbt.sourceforge.net/advisories/2002/2002-03.txt
(UNKNOWN)  CONFIRM  http://mantisbt.sourceforge.net/advisories/2002/2002-03.txt
http://marc.info/?l=bugtraq&m=102978673018271&w=2
(UNKNOWN)  BUGTRAQ  20020819 [Mantis Advisory/2002-03] Bug listings of private projects can be viewed through cookie manipulation
http://www.debian.org/security/2002/dsa-153
(VENDOR_ADVISORY)  DEBIAN  DSA-153
http://www.securityfocus.com/bid/5514
(VENDOR_ADVISORY)  BID  5514
http://xforce.iss.net/xforce/xfdb/9899
(VENDOR_ADVISORY)  XF  mantis-private-project-bug-listing(9899)

- 漏洞信息

mantis受限项目漏洞列表查看漏洞
中危 访问验证错误
2002-10-04 00:00:00 2005-10-12 00:00:00
远程  
        
        mantis是一款基于WEB的PHP编写MySQL后台支持的漏洞跟踪系统。
        Mantis中用户可以从下拉菜单中选择一个项目,然后与之相关的所有漏洞列表将被显示。
        'View Bugs'页面负责显示一个项目中的漏洞列表,但它没有检查是否用户确实有权访问该项目。攻击者可以通过修改cookie中储存的项目编号变量,来获取该项目的漏洞列表,即使该项目对用户来讲是受限的。
        注意攻击者并不能获取受限项目中漏洞的详细内容,也不能获取受限/私有漏洞的列表。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 如果您无法立刻升级,也可以手工修复此漏洞,在core_user_API.php中增加下列语句:
         # Check to see if the current user has access on the specified project
         function check_access_to_project( $p_project_id ) {
         $t_project_view_state = get_project_field( $p_project_id,
        'view_state' );
         # Administrators ALWAYS pass.
         if ( get_current_user_field( 'access_level' ) >= ADMINISTRATOR ) {
         return;
         }
         # public project accept all users
         if ( PUBLIC == $t_project_view_state ) {
         return;
         } else {
         # private projects require users to be assigned
         $t_project_access_level = get_project_access_level( $p_project_id );
         # -1 means not assigned, kick them out to the project selection screen
         if ( -1 == $t_project_access_level ) {
         print_header_redirect( 'login_select_proj_page.php' );
         } else { # passed
         return;
         }
         }
         }
         在view_all_bug_page.ph中找到下列代码:
         $t_where_clause .= ')';
         }
         } else {
         $t_where_clause = " WHERE project_id='$g_project_cookie_val'";
         }
         # end project selection
         将上述代码替换成:
         $t_where_clause .= ')';
         }
         } else {
         check_access_to_project($g_project_cookie_val);
         $t_where_clause = " WHERE project_id='$g_project_cookie_val'";
         }
         # end project selection
        注:0.17.4a之前的版本还存在其他的严重漏洞,因此CNNVD建议您还是尽快升级到最新版本。
        厂商补丁:
        Debian
        ------
        Debian已经为此发布了一个安全公告(DSA-153-2)以及相应补丁:
        DSA-153-2:New mantis package fixes several vulnerabilities
        链接:
        http://www.debian.org/security/2002/dsa-153

        补丁下载:
        Debian GNU/Linux 3.0 alias woody
        - --------------------------------
         Source archives:
        
        http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1-2.2.dsc

         Size/MD5 checksum: 572 b0e1d4b5e021afd1445497e79db30c99
        
        http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1-2.2.diff.gz

         Size/MD5 checksum: 13992 808ef6b8552bfd50b9e1a0abb34620fd
        
        http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1.orig.tar.gz

         Size/MD5 checksum: 220458 d8bac093eaf31ef5812e714db5c07f82
         Architecture independent components:
        
        http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1-2.2_all.deb

         Size/MD5 checksum: 249206 3891cfe394de49d7e57a4b4ed8f7db6f
        补丁安装方法:
        1. 手工安装补丁包:
         首先,使用下面的命令来下载补丁软件:
         # wget url (url是补丁下载链接地址)
         然后,使用下面的命令来安装补丁:
         # dpkg -i file.deb (file是相应的补丁名)
        2. 使用apt-get自动安装补丁包:
         首先,使用下面的命令更新内部数据库:
         # apt-get update
        
         然后,使用下面的命令安装更新软件包:
         # apt-get upgrade
        Mantis
        ------
        目前厂商已经发布了0.17.4a以修复这个安全问题,请到厂商的主页下载:
        
        http://mantisbt.sourceforge.net/download.php3

- 漏洞信息

6212
Mantis Cookie Poison Project Bug Disclosure

- 漏洞描述

Unknown or Incomplete

- 时间线

2002-08-19 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Mantis Unauthorized Project Bug List Viewing Vulnerability
Access Validation Error 5514
Yes No
2002-08-19 12:00:00 2009-07-11 03:56:00
Discovery of this issue is credited to Jeroen Latour <jlatour@calaquendi.net>.

- 受影响的程序版本

Mantis Mantis 0.17.3
Mantis Mantis 0.17.2
Mantis Mantis 0.17.1
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Mantis Mantis 0.17 .0
Mantis Mantis 0.16.1
Mantis Mantis 0.16 .0
Mantis Mantis 0.15.12
Mantis Mantis 0.15.11
Mantis Mantis 0.15.10
Mantis Mantis 0.15.9
Mantis Mantis 0.15.8
Mantis Mantis 0.15.7
Mantis Mantis 0.15.6
Mantis Mantis 0.15.5
Mantis Mantis 0.15.4
Mantis Mantis 0.15.3
Mantis Mantis 0.17.4 a
Mantis Mantis 0.17.4

- 不受影响的程序版本

Mantis Mantis 0.17.4 a
Mantis Mantis 0.17.4

- 漏洞讨论

Mantis is prone to an issue which may allow malicious users of the bug tracking system to gain unauthorized access to restricted projects.

Vulnerable versions of Mantis do not adequately check that a user has access to projects. It has been reported that a malicious user may manipulate values in cookie-based authentication credentials to gain unauthorized viewing rights to bugs in other projects. However, exploitation of this issue is limited to gaining a listing of 'Public' bugs in other projects.

This issue was reported in Mantis 0.17.3. Earlier versions are also believed to be affected.

- 漏洞利用

This issue may be exploited with a web browser and a text editor.

- 解决方案

The vendor has included a source code fix:

Add the following function to core_user_API.php:

# Check to see if the current user has access on the specified project
function check_access_to_project( $p_project_id ) {
$t_project_view_state = get_project_field( $p_project_id,
'view_state' );

# Administrators ALWAYS pass.
if ( get_current_user_field( 'access_level' ) >= ADMINISTRATOR ) {
return;
}

# public project accept all users
if ( PUBLIC == $t_project_view_state ) {
return;
} else {
# private projects require users to be assigned
$t_project_access_level = get_project_access_level( $p_project_id );
# -1 means not assigned, kick them out to the project selection screen
if ( -1 == $t_project_access_level ) {
print_header_redirect( 'login_select_proj_page.php' );
} else { # passed
return;
}
}
}

And in view_all_bug_page.php, replace the following lines:

$t_where_clause .= ')';
}
} else {
$t_where_clause = " WHERE project_id='$g_project_cookie_val'";
}
# end project selection

with the following lines:
$t_where_clause .= ')';
}
} else {
check_access_to_project($g_project_cookie_val);
$t_where_clause = " WHERE project_id='$g_project_cookie_val'";
}
# end project selection

The vendor has addressed this issue in Mantis 0.17.4 and later:


Mantis Mantis 0.15.10

Mantis Mantis 0.15.11

Mantis Mantis 0.15.12

Mantis Mantis 0.15.3

Mantis Mantis 0.15.4

Mantis Mantis 0.15.5

Mantis Mantis 0.15.6

Mantis Mantis 0.15.7

Mantis Mantis 0.15.8

Mantis Mantis 0.15.9

Mantis Mantis 0.16 .0

Mantis Mantis 0.16.1

Mantis Mantis 0.17 .0

Mantis Mantis 0.17.1

Mantis Mantis 0.17.2

Mantis Mantis 0.17.3

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站