MantisBT <=1.2.3 (db_type) Local File Inclusion Vulnerability

Title: MantisBT <=1.2.3 (db_type) Local File Inclusion Vulnerability
Advisory ID: ZSL-2010-4984
Type: Local
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 15.12.2010
Summary
MantisBT is a free popular web-based bugtracking system. It is written in the PHP scripting language and works with MySQL, MS SQL, and PostgreSQL databases and a webserver. MantisBT has been installed on Windows, Linux, Mac OS, OS/2, and others. Almost any web browser should be able to function as a client. It is released under the terms of the GNU General Public License (GPL).
Description
Mantis Bug Tracker suffers from a local file inclusion/disclosure (LFI/FD) vulnerability: input passed through the "db_type" parameter (GET & POST) to the upgrade_unattended.php script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

--------------------------------------------------------------------------------

--> library/adodb/adodb.inc.php

...

4109:
4110: $file = ADODB_DIR."/drivers/adodb-".$db.".inc.php";
4111: @include_once($file);

...

--------------------------------------------------------------------------------
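As an added illustration (not MantisBT's or ADOdb's code, and not the vendor's 1.2.4 fix), the following PHP puts the path construction quoted above next to an allowlisted version; the ADODB_DIR value, the driver list and the function names are assumed for the example.

```php
<?php
// Added example, not MantisBT/ADOdb code. Mirrors the pattern at
// library/adodb/adodb.inc.php:4110, where $db arrives from db_type,
// and contrasts it with a version that only accepts known drivers.

define('ADODB_DIR', '/var/www/mantis/library/adodb');   // assumed path

// Vulnerable shape: the caller's string is spliced into the include path.
// "../" sequences walk out of drivers/, and an embedded NUL byte cut the
// path short on the PHP releases of the time (the advisory tested 5.3.1),
// so the trailing ".inc.php" no longer constrains which file is loaded.
function adodb_driver_path_unsafe(string $db): string
{
    return ADODB_DIR . "/drivers/adodb-" . $db . ".inc.php";
}

// Hardened shape: the request may only select among driver names the
// application ships; anything else is rejected before a path is built.
function adodb_driver_path_safe(string $db): ?string
{
    // Assumed allowlist; the real list is whatever lives in drivers/.
    static $known = ['mysql', 'mysqli', 'mssql', 'postgres', 'postgres7', 'oci8', 'odbc'];
    if (!in_array($db, $known, true)) {
        return null;                           // not a driver we ship
    }
    return ADODB_DIR . "/drivers/adodb-" . $db . ".inc.php";
}

// Constructed inputs: a legitimate driver name and a traversal attempt.
$inputs = ['mysql', "../../../../etc/passwd\0"];
foreach ($inputs as $in) {
    printf("unsafe(%s) -> %s\n", json_encode($in), adodb_driver_path_unsafe($in));
    printf("safe(%s)   -> %s\n", json_encode($in), adodb_driver_path_safe($in) ?? 'rejected');
}
```

When the safe variant returns a path, include it without the `@` suppression seen at line 4111, so that a missing or unreadable driver surfaces as an error in the logs instead of failing silently.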

Vendor
MantisBT Group - http://www.mantisbt.org
Affected Version
<1.2.4
Tested On
Microsoft Windows XP Professional SP3 (English)
Debian GNU/Linux (squeeze)
Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1
Vendor Status
[13.12.2010] Vulnerability discovered.
[13.12.2010] Initial contact with the vendor.
[13.12.2010] Vendor responds asking more details.
[13.12.2010] Sent PoC files to the vendor.
[14.12.2010] Vendor confirms the issue.
[15.12.2010] Vendor releases version 1.2.4 to address this issue (+Comment: Delete the "admin" directory after installation).
[15.12.2010] Coordinated public advisory released.
PoC
mantis_lfi.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.mantisbt.org/bugs/view.php?id=12607
[2] http://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.4
[3] http://git.mantisbt.org/?p=mantisbt.git;a=commit;h=2641fdc60d2032ae1586338d6416e1eadabd7590
[4] http://www.mantisbt.org/blog/?p=123
[5] http://bugs.gentoo.org/show_bug.cgi?id=348761
[6] https://bugzilla.redhat.com/show_bug.cgi?id=663230
[7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159
[8] https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482
[9] http://www.exploit-db.com/exploits/15736/
[10] http://www.exploit-db.com/ghdb/3651/
[11] http://secunia.com/advisories/42597/
[12] http://www.securityfocus.com/bid/45399
[13] http://securityreason.com/wlb_show/WLB-2010120069
[14] http://xforce.iss.net/xforce/xfdb/64071
[15] http://packetstormsecurity.org/files/96733
[16] http://osvdb.org/show/osvdb/70157
[17] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4350
[18] http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052730.html
[19] http://www.vupen.com/english/advisories/2011/0002
[20] http://lwn.net/Vulnerabilities/421455/
[21] http://www.nessus.org/plugins/index.php?view=single&id=51359
Changelog
[15.12.2010] - Initial release
[16.12.2010] - Added reference [13] and [14]
[17.12.2010] - Added reference [15]
[30.12.2010] - Added reference [16] and [17]
[05.01.2011] - Added reference [18] and [19]
[06.01.2011] - Added reference [20]
[06.03.2011] - Added reference [21]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk