CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
80.4%
According to its banner, the version of Mantis on the remote host fails to sanitize user-supplied input to the ‘g_db_type’ parameter of the ‘core/database_api.php’ script. Provided PHP’s ‘register_globals’ setting is enabled, an attacker may be able to exploit this to connect to arbitrary databases as well as scan for arbitrary open ports, even on an internal network. In addition, it is reportedly prone to multiple cross-site scripting issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(19473);
script_version("1.26");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id(
"CVE-2005-2556",
"CVE-2005-2557",
"CVE-2005-3090",
"CVE-2005-3091"
);
script_bugtraq_id(14604);
script_name(english:"Mantis < 1.0.0rc2 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
several flaws.");
script_set_attribute(attribute:"description", value:
"According to its banner, the version of Mantis on the remote host
fails to sanitize user-supplied input to the 'g_db_type' parameter of
the 'core/database_api.php' script. Provided PHP's 'register_globals'
setting is enabled, an attacker may be able to exploit this to connect
to arbitrary databases as well as scan for arbitrary open ports, even
on an internal network. In addition, it is reportedly prone to
multiple cross-site scripting issues.");
script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=112786017426276&w=2");
script_set_attribute(attribute:"solution", value:
"Upgrade to Mantis 1.0.0rc2 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:mantisbt:mantisbt");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.");
script_dependencies("mantis_detect.nasl");
script_require_keys("installed_sw/MantisBT");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("install_func.inc");
port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);
if (!can_host_php(port:port))
audit(AUDIT_WRONG_WEB_SERVER, port, "one that supports PHP.");
app_name = "MantisBT";
install = get_single_install(app_name: app_name, port: port);
install_url = build_url(port:port, qs:install['path']);
version = install['version'];
dir = install['path'];
# Try to exploit one of the flaws.
req = http_get(
item:
dir + "/core/database_api.php?" +
# nb: request a bogus db driver.
"g_db_type=" + SCRIPT_NAME,
port:port
);
debug_print("req='", req, "'.");
res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
debug_print("res='", res, "'.");
if(res == NULL) audit(AUDIT_RESP_NOT, port, "a keepalive request");
# There's a problem if the requested driver file is missing.
#
# nb: this message occurs even with PHP's display_errors disabled.
if (
"Missing file: " >< res &&
"/adodb/drivers/adodb-" + SCRIPT_NAME + ".inc.php" >< res
) {
set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
security_warning(port);
exit(0);
}
# If we're being paranoid...
if (report_paranoia > 1) {
# Check the version number since the XSS flaws occur independent of
# register_globals while the exploit above requires it be enabled.
if(ereg(pattern:"^(0\.19\.[0-3]|^1\.0\.0($|a[123]|rc1))", string:version)) {
report =
"\n" +
"***** Nessus has determined the vulnerability exists on the remote\n" +
"***** host simply by looking at the version number of Mantis\n" +
"***** installed there.\n" +
"\n";
set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
security_warning(port:port, extra:report);
exit(0);
}
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, install_url);