CVE-2014-8598
Published: 2014-11-18
Priority: P3 · 55 · Severity: medium · CVSS 2.0: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploit: available
EPSS: 38.46% (98.4th percentile)
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mantisbt | mantisbt | <= 1.2.17 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to plugin.php?page=XmlImportExport/import_action containing multipart XML file uploads; the payload is embedded in the <description> field or issuelink attribute of the XML using the pattern {${eval(base64_decode(...))}}.
- Alert on unauthenticated or low-privilege access to the XmlImportExport import and export pages; the plugin does not perform access level checks, making exploitation possible even with anonymous users.
- Detect XML file uploads to MantisBT containing base64-encoded PHP payloads within the description or issuelink fields, specifically the eval(base64_decode(...)) pattern used by the exploit.
- Flag access to the XmlImportExport export page by any user without appropriate access level, as it can expose all bug-related data including usernames.
- Inspect SOAP requests to mantisconnect.php for version fingerprinting activity (mc_version calls), which is used by the exploit module to confirm a vulnerable MantisBT instance before exploitation.
- The vulnerability is only exploitable when the XmlImportExport plugin is installed and enabled in MantisBT; instances without the plugin are not affected.
- Exploitation without credentials is only possible if anonymous access is enabled on the MantisBT instance; otherwise, at minimum a low-privilege authenticated account is required.
- CVE-2014-8598 (access control bypass) is most dangerous when chained with CVE-2014-7146 (preg_replace /e code injection); the access control flaw alone enables data exfiltration via the export page.
- Affected versions are 1.2.0a3 through 1.2.17 inclusive; the fix was introduced in 1.2.18.
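As an added defensive example (written for this page, not taken from the page's sources or the MantisBT project), the following Python sketch applies the detection notes above to constructed request records: it flags anonymous access to any XmlImportExport plugin page and scans XML bodies posted to import_action for the eval(base64_decode(...)) pattern in <description> text or issuelink attributes, falling back to a raw-text scan when the upload is not well-formed XML. The request record shape, the XML layout and the export page name are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Plugin page prefix and import action named in the detection notes.
PLUGIN_PREFIX = "plugin.php?page=XmlImportExport/"
IMPORT_ACTION = PLUGIN_PREFIX + "import_action"

# eval(base64_decode( pattern from the notes; whitespace between tokens tolerated.
EVAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

def scan_xml(xml_text):
    """Findings for <description> text and issuelink attributes carrying the
    eval(base64_decode( pattern. Malformed XML is scanned as raw text so a
    deliberately broken upload is not silently passed."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        if EVAL_RE.search(xml_text):
            findings.append("raw-text: eval(base64_decode( in unparsable XML")
        return findings
    for elem in root.iter():
        if elem.tag == "description" and elem.text and EVAL_RE.search(elem.text):
            findings.append("description: eval(base64_decode(")
        if EVAL_RE.search(elem.attrib.get("issuelink", "")):
            findings.append("issuelink: eval(base64_decode(")
    return findings

def classify_request(req):
    """req: dict with method, path, user ('anonymous' when unauthenticated) and
    body (assumed record shape). Returns alert strings; empty means clean."""
    alerts = []
    if PLUGIN_PREFIX in req["path"] and req["user"] == "anonymous":
        alerts.append("anonymous access to XmlImportExport page")
    if req["method"] == "POST" and IMPORT_ACTION in req["path"] and req.get("body"):
        alerts.extend("upload " + f for f in scan_xml(req["body"]))
    return alerts

# Constructed sample traffic (not captured from any real system); the XML layout
# and the "export" page name are assumptions.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/mantis/view_all_bug_page.php", "user": "alice", "body": None},
    {"method": "GET", "path": "/mantis/" + PLUGIN_PREFIX + "export", "user": "anonymous", "body": None},
    {"method": "POST", "path": "/mantis/" + IMPORT_ACTION, "user": "reporter1",
     "body": "<mantis><issue><description>{${eval(base64_decode(...))}}</description></issue></mantis>"},
    {"method": "POST", "path": "/mantis/" + IMPORT_ACTION, "user": "reporter1",
     "body": "<mantis><issue><description>normal bug text</description></issue></mantis>"},
]

def run():
    return [classify_request(r) for r in SAMPLE_REQUESTS]
```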
Exploit-DB
Mantis Bug Tracker 1.2.0a3 < 1.2.17 XmlImportExport Plugin - PHP Code Injection (Metasploit) (exploitdb · 2014-11-18 · CVE-2014-8598)
Module name: MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability
Module description:
This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
The vulnerable code exists in plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes it to the preg_replace() function with the /e modifier.
This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.
This version also suffers from another issue. The import page is not checking the correct user level of the user, so it's possible to exploit this issue with any user, including the anonymous one if enabled.
Metasploit
MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability (metasploit; same module description as the Exploit-DB entry above)
Bugzilla
CVE-2014-7146 CVE-2014-8598 mantis: issues in the XML Import/Export plug-in to be fixed in the upcoming 1.2.18 release (bugzilla · 2014-11-10 · CVSS 7.5 · HIGH)
CVE-2014-7146 was assigned to the following issue:
When importing data with the plugin, user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed.
CVE-2014-8598 was assigned to the following issues:
The XML Import/Export "official" plugin (i.e. bundled with MantisBT releases) currently does not perform any access level checks in the import and export pages. This leads to the following vulnerabilit
Bugzilla
CVE-2014-8598 CVE-2014-7146 mantis: issues in the XML Import/Export plug-in to be fixed in the upcoming 1.2.18 release [fedora-all] (bugzilla · 2014-11-10 · CVSS 7.5 · HIGH)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Bugzilla
CVE-2014-8598 CVE-2014-7146 mantis: issues in the XML Import/Export plug-in to be fixed in the upcoming 1.2.18 release [epel-5] (bugzilla · 2014-11-10 · CVSS 7.5 · HIGH)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL. (The remaining tracking-bug text is identical to the [fedora-all] entry above.)
References
- http://secunia.com/advisories/62101
- http://www.debian.org/security/2015/dsa-3120
- http://www.mantisbt.org/bugs/view.php?id=17780
- http://www.openwall.com/lists/oss-security/2014/11/07/28
- http://www.securityfocus.com/bid/70996
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98573
- https://github.com/mantisbt/mantisbt/commit/80a15487