Bug 1034333 (CVE-2017-7615) - VUL-0: CVE-2017-7615: mantis,mantisbt: password reset vulnerability
Summary: VUL-0: CVE-2017-7615: mantis,mantisbt: password reset vulnerability
Status: RESOLVED FIXED
Alias: CVE-2017-7615
Product: openSUSE.org
Classification: openSUSE
Component: 3rd party software
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Critical
Target Milestone: ---
Assignee: Andreas Stieger
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/183717/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-16 06:27 UTC by Andreas Stieger
Modified: 2017-04-17 08:16 UTC
CC List: 1 user

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2017-04-16 06:27:53 UTC
EMBARGOED via direct e-mail (not verified)
 
> We would like to inform you of a critical security issue, allowing a remote
> attacker to reset any user's password, on all MantisBT instances where user 
> signup or password reset are enabled, via a vulnerability in the Account 
> verification page (verify.php).
 
> MantisBT since 1.3.0-rc.2 (included) is affected, as well as all 2.x releases.
> The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be released
> soon.
 
in verify.php:
 
locate the if statement (at line 72 in 2.0.0-beta.3 and later, line 66 in older versions):

    if( $f_confirm_hash != $t_token_confirm_hash ) {
 
change it to
 
    if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {
 
You are strongly advised to patch your systems immediately.

Acknowledgment: John Page aka hyp3rlinx from ApparitionSec (http://hyp3rlinx.altervista.org)
 

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7615
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7615
Comment 1 Andreas Stieger 2017-04-16 21:03:52 UTC
Public at: http://seclists.org/oss-sec/2017/q2/74

A vulnerability exists in MantisBT where any user's password can be reset:

Visiting /verify.php?id=XXX&confirm_hash=

where XXX is the userid of the user. id=1 is the default 'administrator' account if it still exists.

On an unpatched instance of MantisBT, this will provide a form to enter a new password for a user.

This works on any enabled account (including users with admin access) - providing an anonymous user with admin access to the system.

The issue can be resolved by checking the value of $t_token_confirm_hash is not null in verify.php

i.e. changing the code to read:

if( $f_confirm_hash !== $t_token_confirm_hash || null === $t_token_confirm_hash ) {
        trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
}


And http://seclists.org/oss-sec/2017/q2/75

The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be
released shortly.

Until then, all MantisBT administrators are advised to patch their
system immediately. Fixes are available from our GitHub repository:

- 2.3.x https://github.com/mantisbt/mantisbt/commit/cfbc5e54
- 2.2.x https://github.com/mantisbt/mantisbt/commit/46880ef6
- 1.3.x https://github.com/mantisbt/mantisbt/commit/14c61a8c

MantisBT issue tracker reference:
https://mantisbt.org/bugs/view.php?id=22690
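The following PHP is an added illustration of the two points made above (the patch instructions for verify.php in the description, and the `/verify.php?id=XXX&confirm_hash=` request in comment 1); it is not MantisBT's own code. It models the confirm-hash check before and after the fix around a constructed token table: `token_get_value_stub()` stands in for MantisBT's token lookup (returning null when no token row exists for the user), `simulate_request()` stands in for the parameter handling in verify.php, and the user ids, hash value and query strings are made up for the demonstration. The point it shows is PHP's loose comparison: `'' != null` evaluates to false, so a request with an empty `confirm_hash` against a user who never requested a reset passes the original check.

```php
<?php
// Added example for CVE-2017-7615, not MantisBT's code. Constructed token table:
// user id => pending confirm hash. User 1 (administrator) has no pending token.
const TOKENS = [
    2 => 'c0ffee1234abcd5678ef90',   // user 2 requested a password reset
];

// Stand-in for MantisBT's token lookup: the stored value, or null when no token exists.
function token_get_value_stub(int $p_user_id): ?string {
    return TOKENS[$p_user_id] ?? null;
}

// The check as it read in verify.php before the fix.
// With $t_token_confirm_hash === null and $f_confirm_hash === '', the loose
// comparison '' != null is false, so the check passes and the reset form is shown.
function verify_vulnerable(int $p_user_id, string $f_confirm_hash): bool {
    $t_token_confirm_hash = token_get_value_stub($p_user_id);
    if ($f_confirm_hash != $t_token_confirm_hash) {
        return false;   // verify.php: trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR )
    }
    return true;        // verify.php: password-change form is rendered
}

// The check with the advisory's fix applied: reject when no token exists at all,
// and compare the hashes strictly so no type juggling can make them "equal".
function verify_fixed(int $p_user_id, string $f_confirm_hash): bool {
    $t_token_confirm_hash = token_get_value_stub($p_user_id);
    if ($t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash) {
        return false;
    }
    return true;
}

// Stand-in for verify.php's parameter handling: parse the query string and run
// the supplied check. A missing or empty confirm_hash arrives as ''.
function simulate_request(string $p_query_string, callable $p_check): bool {
    parse_str($p_query_string, $t_params);
    $t_user_id      = (int) ($t_params['id'] ?? 0);
    $t_confirm_hash = (string) ($t_params['confirm_hash'] ?? '');
    return $p_check($t_user_id, $t_confirm_hash);
}

// Constructed requests: the attack from comment 1, a genuine reset link, a guessed hash.
$t_cases = [
    'id=1&confirm_hash='                       => 'anonymous reset of id=1 (administrator), no token exists',
    'id=2&confirm_hash=c0ffee1234abcd5678ef90'  => 'legitimate reset link for user 2',
    'id=2&confirm_hash=deadbeef'                => 'guessed hash for user 2',
];
foreach ($t_cases as $t_query => $t_desc) {
    printf("%-58s vulnerable: %-10s fixed: %s\n",
        $t_desc,
        simulate_request($t_query, 'verify_vulnerable') ? 'FORM SHOWN' : 'rejected',
        simulate_request($t_query, 'verify_fixed')      ? 'FORM SHOWN' : 'rejected');
}
```

Run with `php verify_demo.php`. The first case is the one that matters: the original check shows the password-change form for the administrator account with an empty `confirm_hash`, while the fixed check rejects it; the legitimate link passes both versions and the guessed hash is rejected by both. The null test alone would already close the hole described on this page; the switch from `!=` to `!==` additionally rules out any other loose-comparison coincidence between the submitted string and the stored token.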