Security Vulnerabilities
Mantis Vulnerability: Bugs Can Be Viewed Without Passing Verification

Published: 2002-08-23
Updated: 2002-08-26

Affected systems:
Mantis mantis 0.17.4a
Mantis mantis 0.17.4
Mantis mantis 0.17.3
Mantis mantis 0.17.2
Mantis mantis 0.17.0
Mantis mantis 0.17.1
    - Debian Linux 3.0
Unaffected systems:
Mantis mantis 0.17.5
Description:
BUGTRAQ  ID: 5563
CVE(CAN) ID: CVE-2002-1115

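Mantis is an open-source, web-based bug tracking system written in PHP with a MySQL back end.

Mantis has an implementation flaw that an attacker may be able to use to access bugs that he should not have permission to see.

Many Mantis scripts do not check the user's permissions when displaying bug data. A remote attacker can call these scripts directly and browse all data simply by specifying the bug ID in a CGI parameter.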

<*Source: Jeroen Latour (jlatour@calaquendi.net)
  
  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=103013249211164&w=2
*>

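Recommendations:
Workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends that you take the following measures to reduce the threat: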

diff -u -r mantis-0.17.4a/bug_update_advanced_page.php
mantis-0.17.5/bug_update_advanced_page.php
--- mantis-0.17.4a/bug_update_advanced_page.php Mon May 20 03:34:20 2002
+++ mantis-0.17.5/bug_update_advanced_page.php  Fri Aug 23 11:55:52 2002
@@ -26,6 +26,9 @@
      $result = db_query( $query );
         $row = db_fetch_array( $result );
         extract( $row, EXTR_PREFIX_ALL, "v" );
+
+       # if bug is private, make sure user can view private bugs
+       access_bug_check( $f_id, $v_view_state );

      $query = "SELECT *
                 FROM $g_mantis_bug_text_table
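
Review bot: The added access_bug_check( $f_id, $v_view_state ) call guards only the page that renders the update form; this patch touches no script that receives the submitted form, so a direct request to that handler with a private bug's ID may still need the same call. Please confirm the handler performs the check, or add it there in the same change.
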
diff -u -r mantis-0.17.4a/bug_update_page.php mantis-0.17.5/bug_update_page.php
--- mantis-0.17.4a/bug_update_page.php  Mon May 20 03:34:20 2002
+++ mantis-0.17.5/bug_update_page.php   Fri Aug 23 11:56:06 2002
@@ -27,6 +27,9 @@
      $result = db_query( $query );
         $row = db_fetch_array( $result );
         extract( $row, EXTR_PREFIX_ALL, "v" );
+
+       # if bug is private, make sure user can view private bugs
+       access_bug_check( $f_id, $v_view_state );

      $query = "SELECT *
                 FROM $g_mantis_bug_text_table
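
Review bot: The three lines added after extract( $row, EXTR_PREFIX_ALL, "v" ) are an exact copy of the block added to bug_update_advanced_page.php, view_bug_advanced_page.php and view_bug_page.php, which keeps enforcement opt-in per page, the same arrangement that left pages unchecked before. Consider one shared helper that fetches the bug row and calls access_bug_check() before returning it, so that a page cannot read the row without passing the check.
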
diff -u -r mantis-0.17.4a/core_user_API.php mantis-0.17.5/core_user_API.php
--- mantis-0.17.4a/core_user_API.php    Sun Aug 18 08:57:20 2002
+++ mantis-0.17.5/core_user_API.php     Fri Aug 23 11:52:43 2002
@@ -577,6 +577,23 @@
                 }
         }
         # --------------------
+       # check to see if the current user has access to the specified bug.
This assumes that the bug exists and
+       # that the user has access to the project (check_bug_exists() and
project_access_check()).
+       function access_bug_check( $p_bug_id, $p_view_state='' ) {
+               global $g_private_bug_threshold;
+
+               if ( empty ( $p_view_state ) ) {
+                       $t_view_state = get_bug_field( $p_bug_id,
'view_state' );
+               } else {
+                       $t_view_state = (integer)$p_view_state;
+               }
+
+               # Make sure if the bug is private, the logged in user has
access to it.
+               if ( ( $t_view_state == PRIVATE ) &&
!access_level_check_greater_or_equal( $g_private_bug_threshold ) ) {
+                       print_header_redirect( 'logout_page.php' );
+               }
+       }
+       # --------------------
         ###########################################################################
         # User Information API
         ###########################################################################
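
Review bot: Nothing stops execution after print_header_redirect( 'logout_page.php' ) in the PRIVATE branch of access_bug_check(): the function simply returns, so unless print_header_redirect() itself terminates the script, the calling page goes on to query and print the bug after the redirect header has been sent. Please confirm that it exits, or add an explicit exit after the redirect. Separately, several added lines in this hunk are wrapped without a leading + (for example the continuation of the first comment line), so the hunk will not apply as printed.
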
diff -u -r mantis-0.17.4a/view_bug_advanced_page.php
mantis-0.17.5/view_bug_advanced_page.php
--- mantis-0.17.4a/view_bug_advanced_page.php   Mon May 20 03:34:21 2002
+++ mantis-0.17.5/view_bug_advanced_page.php    Fri Aug 23 11:56:29 2002
@@ -22,6 +22,9 @@
      $result = db_query( $query );
         $row = db_fetch_array( $result );
         extract( $row, EXTR_PREFIX_ALL, "v" );
+
+       # if bug is private, make sure user can view private bugs
+       access_bug_check( $f_id, $v_view_state );

      $query = "SELECT *
                 FROM $g_mantis_bug_text_table
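
Review bot: The added access_bug_check() call depends on preconditions this hunk does not show: the helper's own comment in core_user_API.php says it assumes check_bug_exists() and project_access_check() have already run, while the visible context here is only db_query(), db_fetch_array() and extract(). Please confirm both are called earlier in this script; otherwise a non-private bug in a project the user cannot access still passes this check, because only view_state == PRIVATE leads to the redirect.
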
diff -u -r mantis-0.17.4a/view_bug_page.php mantis-0.17.5/view_bug_page.php
--- mantis-0.17.4a/view_bug_page.php    Mon May 20 03:34:21 2002
+++ mantis-0.17.5/view_bug_page.php     Fri Aug 23 11:57:00 2002
@@ -22,6 +22,9 @@
      $result = db_query( $query );
         $row = db_fetch_array( $result );
         extract( $row, EXTR_PREFIX_ALL, "v" );
+
+       # if bug is private, make sure user can view private bugs
+       access_bug_check( $f_id, $v_view_state );

      $query = "SELECT *
                 FROM $g_mantis_bug_text_table

Vendor patch:

Mantis
------
The vendor has released 0.17.5 to fix this security issue. Download it from the vendor's home page:

http://mantisbt.sourceforge.net/download.php3
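
To check whether an installed tree carries the guard that the patch above adds, the following is an added example (not part of the advisory or of Mantis) that lists PHP scripts reading bug data without calling access_bug_check(). It assumes, from the patch's context lines, that a script referencing $g_mantis_bug_text_table displays bug data; the name unguarded_pages is hypothetical.

```python
import re
import sys
from pathlib import Path

# Heuristic (assumption, taken from the context lines of the patch): a page
# script that reads $g_mantis_bug_text_table is displaying bug data.
READS_BUG_DATA = re.compile(r"\$g_mantis_bug_text_table\b")
# The guard call that the 0.17.5 patch adds to each page.
CALLS_GUARD = re.compile(r"\baccess_bug_check\s*\(")
# The file that defines the guard is a library, not a page, so it is skipped.
DEFINES_GUARD = re.compile(r"\bfunction\s+access_bug_check\s*\(")
# PHP comments: "# ..." and "// ..." to end of line, and /* ... */ blocks.
# Limitation: this is not a PHP parser, so "#" or "//" inside a string
# literal also cuts the rest of that line.
COMMENTS = re.compile(r"/\*.*?\*/|(?:#|//)[^\n]*", re.S)


def strip_comments(source):
    """Drop comments so that a commented-out guard call does not count."""
    return COMMENTS.sub("", source)


def unguarded_pages(root):
    """Return sorted relative paths of .php files that read bug data
    but never call access_bug_check()."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        code = strip_comments(path.read_text(encoding="latin-1"))
        if DEFINES_GUARD.search(code):
            continue
        if READS_BUG_DATA.search(code) and not CALLS_GUARD.search(code):
            findings.append(path.relative_to(root).as_posix())
    return findings


if __name__ == "__main__":
    # Usage: python check_guard.py /path/to/mantis  (defaults to ".")
    missing = unguarded_pages(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name in missing:
        print("no access_bug_check():", name)
    sys.exit(1 if missing else 0)
```

A reported file is a candidate for manual review, not proof of exposure, and a clean result only means the call is present somewhere in each matching file.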

This security advisory was translated and compiled by NSFOCUS. All rights reserved; do not reproduce without permission.