[website] springrts.com/mantis cracked

Posted: 16 Apr 2017, 14:03
by abma
Today someone used CVE-2017-7615 (which isn't even public yet) to reset the password of two users on the mantis bugtracker. Sadly one account had admin rights, and that user was used to delete the project "spring" in the mantis bugtracker. The db backup ran a few hours ago, so some input is possibly lost, which shouldn't be that much.

Very likely some attachments will be lost, as the backup for them ran ~24 hours ago; I'm recovering these currently.


Atm it looks like no passwords were stolen, just two accounts were reset:

I can only advise to change passwords at mantis and to not use the same password for multiple things!

Side note: some pending changes to the front-page / media were applied.

Re: [website] springrts.com/mantis cracked

Posted: 16 Apr 2017, 15:09
by ThinkSome
Are passwords not stored properly hashed?

Re: [website] springrts.com/mantis cracked

Posted: 16 Apr 2017, 15:17
by Kloot
The exploit allowed bypassing password hash verification altogether afaics.

Re: [website] springrts.com/mantis cracked

Posted: 16 Apr 2017, 15:56
by abma
For details please wait until the CVE is public, thanks. Other mantis instances need time to patch, too.

ATM it seems that only password reset was possible. From what I've seen in the logs, the attacker only tried to delete the project but did not change / steal data with the admin password he had. Not sure if that's possible at all.

Re: [website] springrts.com/mantis cracked

Posted: 16 Apr 2017, 21:11
by abma
The CVE is public now.

Note: the official fix is different from the fix provided in the CVE; the official one should be preferred.

Official fix:
https://github.com/mantisbt/mantisbt/co ... aa284625f1

Re: [website] springrts.com/mantis cracked

Posted: 16 Apr 2017, 21:29
by Forboding Angel
I've tried to explain before that this is why it's bad to use the same DB for multiple products. It creates multiple avenues of attack and only one product has to have a vulnerability. With that DB access he could have done a LOT more and that should scare the shit out of all of us.

DB access means mantis, forum, Site, wiki etc all laid bare. This is why you don't use a single database.

Anyway, thanks for sorting it out, sucks that this happened :-(

Re: [website] springrts.com/mantis cracked

Posted: 16 Apr 2017, 21:51
by Silentwings
Thanks for sorting it out!

Re: [website] springrts.com/mantis cracked

Posted: 16 Apr 2017, 21:53
by abma
Forboding Angel wrote: I've tried to explain before that this is why it's bad to use the same DB for multiple products. It creates multiple avenues of attack and only one product has to have a vulnerability. With that DB access he could have done a LOT more and that should scare the shit out of all of us.

DB access means mantis, forum, Site, wiki etc all laid bare. This is why you don't use a single database.
DBs for wiki/phpbb/mantis were split a long time ago. Also, less code = less security holes :wink:

Re: [website] springrts.com/mantis cracked

Posted: 17 Apr 2017, 10:15
by smoth
Son of a b! I am sorry that happened!

Re: [website] springrts.com/mantis cracked

Posted: 17 Apr 2017, 13:56
by Forboding Angel
abma wrote: DBs for wiki/phpbb/mantis were split a long time ago. Also, less code = less security holes :wink:
This is good to hear. All in one was just asking for trouble.