oCERT-2014-001 MantisBT input sanitization errors

Description:

The MantisBT web-based bugtracking system suffers from SQL injection vulnerabilities caused by insufficient input sanitization.

The MantisBT SOAP API uses the unsafe db_query() function allowing a specially crafted tag within the envelope of a mc_issue_attachment_get SOAP request to inject arbitrary SQL queries.

The reporting of this specific issue was followed by an investigation that lead to additional cases of unsafe db_query() function use, being found by MantisBT maintainers, throughout MantisBT code.

Affected version:

MantisBT >= 1.1.0a4, <= 1.2.15

Fixed version:

MantisBT >= 1.2.16

Credit: vulnerability report received from Martin Herfurt <martin.herfurt AT nruns.com>.

CVE: CVE-2014-1608 (SOAP), CVE-2014-1609 (additional SQL injections)

Timeline:

2014-01-17: vulnerability report received
2014-01-17: contacted MantisBT maintainer
2014-01-17: maintainer provides patch for review
2014-01-18: contacted affected vendors
2014-01-19: assigned CVEs
2014-02-08: MantisBT 1.2.16 released
2014-02-08: advisory release

References:
http://www.mantisbt.org
http://www.mantisbt.org/bugs/view.php?id=16879
http://www.mantisbt.org/bugs/view.php?id=16880
http://github.com/mantisbt/mantisbt/commit/00b4c17088fa56594d85fe46b6c6057bb3421102
http://github.com/mantisbt/mantisbt/commit/7efe0175f0853e18ebfacedfd2374c4179028b3f