From 80a15487cda89afb00ce866da8e24d76808dcdb4 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 17 Oct 2014 17:21:25 +0200
Subject: [PATCH] XML plugin: Add config page with access thresholds

Prior to this, any user of a MantisBT instance with the XML
Import/Export plugin enabled and knowing the URL to the plugin's import
page could upload an XML file and insert data without restriction,
regardless of their access level.

This vulnerability is particularly dangerous when used in combination
with the one described in issue #17725 (CVE-2014-7146) as it makes for a
very simple and easily accessible vector for PHP code injection attacks.

There was also no access check when exporting data, which could allow an
attacker to gain access to confidential information (disclosure of all
bug-related data, including usernames).

Fixes #17780 (CVE-2014-8598)
---
 plugins/XmlImportExport/XmlImportExport.php      | 16 +++++++-
 plugins/XmlImportExport/lang/strings_english.txt |  7 ++++
 plugins/XmlImportExport/pages/config.php         | 27 +++++++++++++
 plugins/XmlImportExport/pages/config_page.php    | 48 ++++++++++++++++++++++++
 plugins/XmlImportExport/pages/export.php         |  2 +
 plugins/XmlImportExport/pages/import.php         |  2 +
 6 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 plugins/XmlImportExport/pages/config.php
 create mode 100644 plugins/XmlImportExport/pages/config_page.php

diff --git a/plugins/XmlImportExport/XmlImportExport.php b/plugins/XmlImportExport/XmlImportExport.php
index 63e254e..20ea3c2 100644
--- a/plugins/XmlImportExport/XmlImportExport.php
+++ b/plugins/XmlImportExport/XmlImportExport.php
@@ -39,7 +39,7 @@ class XmlImportExportPlugin extends MantisPlugin {
 	function register( ) {
 		$this->name = plugin_lang_get( 'title' );
 		$this->description = plugin_lang_get( 'description' );
-		$this->page = '';
+		$this->page = "config_page";
 
 		$this->version = '1.0';
 		$this->requires = array(
@@ -54,6 +54,17 @@ function register( ) {
 	/**
 	 * Default plugin configuration.
 	 */
+	public function config() {
+		return array(
+			"import_threshold" => ADMINISTRATOR,
+			"export_threshold" => DEVELOPER,
+		);
+	}
+
+	/**
+	 * Plugin hooks
+	 * @return array
+	 */
 	function hooks( ) {
 		$hooks = array(
 			'EVENT_MENU_MANAGE' => 'import_issues_menu',
@@ -67,6 +78,9 @@ function import_issues_menu( ) {
 	}
 
 	function export_issues_menu( ) {
+		if( !access_has_project_level( plugin_config_get( 'export_threshold' ) ) ) {
+			return array();
+		}
 		return array( '<a href="' . plugin_page( 'export' ) . '">' . plugin_lang_get( 'export' ) . '</a>', );
 	}
 
diff --git a/plugins/XmlImportExport/lang/strings_english.txt b/plugins/XmlImportExport/lang/strings_english.txt
index 775ad76..e595228 100644
--- a/plugins/XmlImportExport/lang/strings_english.txt
+++ b/plugins/XmlImportExport/lang/strings_english.txt
@@ -35,7 +35,14 @@ $s_plugin_XmlImportExport_description = 'Adds XML based import and export capabi
 $s_plugin_XmlImportExport_import = 'Import issues';
 $s_plugin_XmlImportExport_export = 'XML Export';
 
+$s_plugin_XmlImportExport_config_title = 'XML Import/Export Access Levels Configuration';
+$s_plugin_XmlImportExport_import_threshold = 'Import issues';
+$s_plugin_XmlImportExport_export_threshold = 'Export issues';
+
+$s_plugin_XmlImportExport_action_update = 'Update';
+
 $s_plugin_XmlImportExport_importing_in_project = 'Importing issues in project:';
+
 $s_plugin_XmlImportExport_import_options = 'Import options';
 
 $s_plugin_XmlImportExport_cross_references = 'Cross references';
diff --git a/plugins/XmlImportExport/pages/config.php b/plugins/XmlImportExport/pages/config.php
new file mode 100644
index 0000000..19587c8
--- /dev/null
+++ b/plugins/XmlImportExport/pages/config.php
@@ -0,0 +1,27 @@
+<?php
+# Copyright (c) 2014  MantisBT Team - mantisbt-dev@lists.sourceforge.net
+# Licensed under the MIT license
+
+form_security_validate( 'plugin_XmlImportExport_config' );
+access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
+
+/**
+ * Sets plugin config option if value is different from current/default
+ * @param string $p_name  option name
+ * @param string $p_value value to set
+ * @return void
+ */
+function config_set_if_needed( $p_name, $p_value ) {
+	if ( $p_value != plugin_config_get( $p_name ) ) {
+		plugin_config_set( $p_name, $p_value );
+	}
+}
+
+$t_redirect_url = plugin_page( 'config_page', true );
+
+config_set_if_needed( 'import_threshold' , gpc_get_int( 'import_threshold' ) );
+config_set_if_needed( 'export_threshold' , gpc_get_int( 'export_threshold' ) );
+
+form_security_purge( 'plugin_XmlImportExport_config' );
+
+print_successful_redirect( $t_redirect_url );
diff --git a/plugins/XmlImportExport/pages/config_page.php b/plugins/XmlImportExport/pages/config_page.php
new file mode 100644
index 0000000..7c678af
--- /dev/null
+++ b/plugins/XmlImportExport/pages/config_page.php
@@ -0,0 +1,48 @@
+<?php
+# Copyright (c) 2014  MantisBT Team - mantisbt-dev@lists.sourceforge.net
+# Licensed under the MIT license
+
+access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
+
+html_page_top();
+//print_manage_menu();
+?>
+
+<br />
+<form action="<?php echo plugin_page( 'config' ) ?>" method="post">
+<?php echo form_security_field( 'plugin_XmlImportExport_config' ) ?>
+<table class="width60" align="center">
+
+<tr>
+<td class="form-title" colspan="2"><?php echo plugin_lang_get("config_title") ?></td>
+</tr>
+
+<tr <?php echo helper_alternate_class() ?>>
+<td class="category"><?php echo plugin_lang_get( 'import_threshold' ) ?></td>
+<td><select name="import_threshold"><?php
+	print_enum_string_option_list(
+		'access_levels',
+		plugin_config_get( 'import_threshold' )
+	);
+	?></select></td>
+</tr>
+
+<tr <?php echo helper_alternate_class() ?>>
+<td class="category"><?php echo plugin_lang_get( 'export_threshold' ) ?></td>
+<td><select name="export_threshold"><?php
+	print_enum_string_option_list(
+		'access_levels',
+		plugin_config_get( 'export_threshold' )
+	);
+	?></select></td>
+</tr>
+
+<tr>
+<td class="center" colspan="2"><input type="submit" value="<?php echo plugin_lang_get("action_update") ?>"/></td>
+</tr>
+
+</table>
+</form>
+
+<?php
+html_page_bottom();
diff --git a/plugins/XmlImportExport/pages/export.php b/plugins/XmlImportExport/pages/export.php
index 061b135..aac3bbf 100644
--- a/plugins/XmlImportExport/pages/export.php
+++ b/plugins/XmlImportExport/pages/export.php
@@ -20,6 +20,8 @@
 
 require_once( 'core.php' );
 
+access_ensure_project_level( plugin_config_get( 'export_threshold' ) );
+
 auth_ensure_user_authenticated( );
 helper_begin_long_process( );
 
diff --git a/plugins/XmlImportExport/pages/import.php b/plugins/XmlImportExport/pages/import.php
index cd7721f..6740727 100644
--- a/plugins/XmlImportExport/pages/import.php
+++ b/plugins/XmlImportExport/pages/import.php
@@ -14,6 +14,8 @@
 # You should have received a copy of the GNU General Public License
 # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
 
+access_ensure_project_level( plugin_config_get( 'import_threshold' ) );
+
 auth_reauthenticate( );
 
 html_page_top( plugin_lang_get( 'import' ) );