[website] springrts.com/mantis cracked

[website] springrts.com/mantis cracked

Happenin' news on what is happening in the community. Content releases, new tutorials, other cool stuff.
Post Reply
abma
Spring Developer
Posts: 3567
Joined: 01 Jun 2009, 00:08

[website] springrts.com/mantis cracked

Post by abma »

Today someone used CVE-2017-7615 (which isn't even public yet) to reset the password of two users on the manits bugtracker. Sadly one account had admin rights and the user was used to delete the project "spring" in the mantis bugtracker. The db backup run a few hours ago, so some input possible is lost, which shouldn't be this much.

Very likely some attachments will be lost as the backup for them run ~24 hours ago, i'm recovering these currently.


Atm it looks like no passwords were stolen, just two accounts were reset:

I can only advice to change passwords at mantis and to not use the same password for multiple things!

sidenote: some pending changes to the front-page / media were applied
1 x

User avatar
ThinkSome
Posts: 297
Joined: 14 Jun 2015, 13:36

Re: [website] springrts.com/mantis cracked

Post by ThinkSome »

Are passwords not stored properly hashed?
0 x

Kloot
Spring Developer
Posts: 1865
Joined: 08 Oct 2006, 16:58

Re: [website] springrts.com/mantis cracked

Post by Kloot »

The exploit allowed bypassing password hash verification altogether afaics.
1 x

abma
Spring Developer
Posts: 3567
Joined: 01 Jun 2009, 00:08

Re: [website] springrts.com/mantis cracked

Post by abma »

For details please wait until the CVE is public, thanks. Other mantis instances need time to patch, too.

ATM it seems that only password reset was possible. From what i've seen in the logs the attacker only tried to delete the project but did not change / steal data with the admin password he had. Not sure if thats possible at all.
0 x

abma
Spring Developer
Posts: 3567
Joined: 01 Jun 2009, 00:08

Re: [website] springrts.com/mantis cracked

Post by abma »

The CVE is public now.

Note: the official fix is different from the fix provided in the CVE, the official one should be prefered.

Official fix:
https://github.com/mantisbt/mantisbt/co ... aa284625f1
0 x

User avatar
Forboding Angel
Evolution RTS Developer
Posts: 14616
Joined: 17 Nov 2005, 02:43

Re: [website] springrts.com/mantis cracked

Post by Forboding Angel »

I've tried to explain before that this is why it's bad to use the same DB for multiple products. It creates multiple avenues of attack and only one product has to have a vulnerability. With that DB access he could have done a LOT more and that should scare the shit out of all of us.

DB access means mantis, forum, Site, wiki etc all laid bare. This is why you don't use a single database.

Anyway, thanks for sorting it out, sucks that this happened :-(
0 x

User avatar
Silentwings
Moderator
Posts: 3613
Joined: 25 Oct 2008, 00:23

Re: [website] springrts.com/mantis cracked

Post by Silentwings »

Thanks for sorting it out!
1 x

abma
Spring Developer
Posts: 3567
Joined: 01 Jun 2009, 00:08

Re: [website] springrts.com/mantis cracked

Post by abma »

Forboding Angel wrote:I've tried to explain before that this is why it's bad to use the same DB for multiple products. It creates multiple avenues of attack and only one product has to have a vulnerability. With that DB access he could have done a LOT more and that should scare the shit out of all of us.

DB access means mantis, forum, Site, wiki etc all laid bare. This is why you don't use a single database.
dbs for wiki/phpbb/mantis were split a long time ago. also less code = less security holes :wink:
0 x

User avatar
smoth
Posts: 22300
Joined: 13 Jan 2005, 00:46

Re: [website] springrts.com/mantis cracked

Post by smoth »

son of a b! I am sorry that happened!
0 x

User avatar
Forboding Angel
Evolution RTS Developer
Posts: 14616
Joined: 17 Nov 2005, 02:43

Re: [website] springrts.com/mantis cracked

Post by Forboding Angel »

abma wrote: dbs for wiki/phpbb/mantis were split a long time ago. also less code = less security holes :wink:
This is good to hear. All in one was just asking for trouble.
0 x

Post Reply

Return to “Community Blog”

cron