[website] springrts.com/mantis cracked

abma
Spring Developer
Posts: 3492
Joined: 01 Jun 2009, 00:08

[website] springrts.com/mantis cracked

Post by abma » 16 Apr 2017, 14:03

Today someone used CVE-2017-7615 (which isn't even public yet) to reset the password of two users on the mantis bugtracker. Sadly one account had admin rights and the user was used to delete the project "spring" in the mantis bugtracker. The db backup ran a few hours ago, so some input is possibly lost, which shouldn't be much.

Very likely some attachments will be lost as the backup for them ran ~24 hours ago; I'm recovering these currently.


Atm it looks like no passwords were stolen, just two accounts were reset.

I can only advise to change passwords at mantis and to not use the same password for multiple things!

Sidenote: some pending changes to the front-page / media were applied.
1 x

ThinkSome
Posts: 216
Joined: 14 Jun 2015, 13:36

Re: [website] springrts.com/mantis cracked

Post by ThinkSome » 16 Apr 2017, 15:09

Are passwords not stored properly hashed?
0 x

Kloot
Spring Developer
Posts: 1829
Joined: 08 Oct 2006, 16:58

Re: [website] springrts.com/mantis cracked

Post by Kloot » 16 Apr 2017, 15:17

The exploit allowed bypassing password hash verification altogether afaics.
1 x
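The thread does not describe the flaw itself, and the example below is added here; it is not MantisBT's code and not abma's or Kloot's. It shows, in PHP, one general pattern by which a password-reset token check can end up accepting a request without ever checking the real secret (a missing stored token compared loosely against an empty submitted value), beside a hardened check that rejects missing tokens, rejects empty input, and compares strictly in constant time. The token store, user ids and token values are constructed for the illustration.

```php
<?php
// Added illustration (not MantisBT code): a reset-token check that can be
// bypassed versus one that cannot. The bypass class shown here is PHP's
// loose comparison treating a missing token (null) as equal to an empty
// string supplied by the requester.

// Constructed stand-in for a token store: user id => pending reset token.
// User 2 has no pending reset, so a lookup for it returns null.
$tokenStore = [
    1 => 'e3b0c44298fc1c149afbf4c8996fb924',
];

function token_lookup(array $store, int $userId): ?string
{
    return $store[$userId] ?? null;
}

// Weak check: loose inequality. In PHP, '' != null is false, so a request
// carrying an empty token for a user with no pending reset is accepted.
function verify_weak(array $store, int $userId, string $supplied): bool
{
    $stored = token_lookup($store, $userId);
    if ($supplied != $stored) {
        return false;
    }
    return true;
}

// Hardened check: a missing stored token is always a failure, the supplied
// value must be non-empty, and the comparison is strict and constant-time.
function verify_strict(array $store, int $userId, string $supplied): bool
{
    $stored = token_lookup($store, $userId);
    if ($stored === null || $supplied === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Constructed requests run through both checks.
$cases = [
    ['user' => 1, 'hash' => 'e3b0c44298fc1c149afbf4c8996fb924', 'desc' => 'valid token'],
    ['user' => 1, 'hash' => 'wrongwrongwrong',                   'desc' => 'wrong token'],
    ['user' => 2, 'hash' => '',                                  'desc' => 'empty token, no pending reset'],
];
foreach ($cases as $c) {
    printf(
        "%-32s weak=%s strict=%s\n",
        $c['desc'],
        verify_weak($tokenStore, $c['user'], $c['hash']) ? 'ACCEPT' : 'reject',
        verify_strict($tokenStore, $c['user'], $c['hash']) ? 'ACCEPT' : 'reject'
    );
}
```

The third case is the one to watch: the weak check accepts it even though no secret was ever compared, which is exactly the kind of outcome Kloot describes (hash verification bypassed altogether). The hardened version also avoids `==`/`!=` entirely, since PHP's loose comparison has other surprising equalities beyond the null case.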

abma
Spring Developer
Posts: 3492
Joined: 01 Jun 2009, 00:08

Re: [website] springrts.com/mantis cracked

Post by abma » 16 Apr 2017, 15:56

For details please wait until the CVE is public, thanks. Other mantis instances need time to patch, too.

ATM it seems that only password reset was possible. From what I've seen in the logs, the attacker only tried to delete the project but did not change / steal data with the admin password he had. Not sure if that's possible at all.
0 x

abma
Spring Developer
Posts: 3492
Joined: 01 Jun 2009, 00:08

Re: [website] springrts.com/mantis cracked

Post by abma » 16 Apr 2017, 21:11

The CVE is public now.

Note: the official fix is different from the fix provided in the CVE; the official one should be preferred.

Official fix:
https://github.com/mantisbt/mantisbt/co ... aa284625f1
0 x

Forboding Angel
Evolution RTS Developer
Posts: 14392
Joined: 17 Nov 2005, 02:43

Re: [website] springrts.com/mantis cracked

Post by Forboding Angel » 16 Apr 2017, 21:29

I've tried to explain before that this is why it's bad to use the same DB for multiple products. It creates multiple avenues of attack and only one product has to have a vulnerability. With that DB access he could have done a LOT more and that should scare the shit out of all of us.

DB access means mantis, forum, Site, wiki etc all laid bare. This is why you don't use a single database.

Anyway, thanks for sorting it out, sucks that this happened :-(
0 x

Silentwings
Moderator
Posts: 3420
Joined: 25 Oct 2008, 00:23

Re: [website] springrts.com/mantis cracked

Post by Silentwings » 16 Apr 2017, 21:51

Thanks for sorting it out!
1 x

abma
Spring Developer
Posts: 3492
Joined: 01 Jun 2009, 00:08

Re: [website] springrts.com/mantis cracked

Post by abma » 16 Apr 2017, 21:53

Forboding Angel wrote:I've tried to explain before that this is why it's bad to use the same DB for multiple products. It creates multiple avenues of attack and only one product has to have a vulnerability. With that DB access he could have done a LOT more and that should scare the shit out of all of us.

DB access means mantis, forum, Site, wiki etc all laid bare. This is why you don't use a single database.
DBs for wiki/phpbb/mantis were split a long time ago. Also, less code = less security holes :wink:
0 x

smoth
Posts: 22295
Joined: 13 Jan 2005, 00:46

Re: [website] springrts.com/mantis cracked

Post by smoth » 17 Apr 2017, 10:15

son of a b! I am sorry that happened!
0 x

Forboding Angel
Evolution RTS Developer
Posts: 14392
Joined: 17 Nov 2005, 02:43

Re: [website] springrts.com/mantis cracked

Post by Forboding Angel » 17 Apr 2017, 13:56

abma wrote: DBs for wiki/phpbb/mantis were split a long time ago. Also, less code = less security holes :wink:
This is good to hear. All in one was just asking for trouble.
0 x
