From 80a15487cda89afb00ce866da8e24d76808dcdb4 Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Fri, 17 Oct 2014 17:21:25 +0200
Subject: [PATCH] XML plugin: Add config page with access thresholds

Prior to this, any user of a MantisBT instance with the XML Import/Export plugin enabled and knowing the URL to the plugin's import page could upload an XML file and insert data without restriction, regardless of their access level. This vulnerability is particularly dangerous when used in combination with the one described in issue #17725 (CVE-2014-7146) as it makes for a very simple and easily accessible vector for PHP code injection attacks. There was also no access check when exporting data, which could allow an attacker to gain access to confidential information (disclosure of all bug-related data, including usernames). Fixes #17780 (CVE-2014-8598)
---
 plugins/XmlImportExport/XmlImportExport.php | 16 +++++++-
 plugins/XmlImportExport/lang/strings_english.txt | 7 ++++
 plugins/XmlImportExport/pages/config.php | 27 +++++++++++++
 plugins/XmlImportExport/pages/config_page.php | 48 ++++++++++++++++++++++++
 plugins/XmlImportExport/pages/export.php | 2 +
 plugins/XmlImportExport/pages/import.php | 2 +
 6 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 plugins/XmlImportExport/pages/config.php
 create mode 100644 plugins/XmlImportExport/pages/config_page.php

diff --git a/plugins/XmlImportExport/XmlImportExport.php b/plugins/XmlImportExport/XmlImportExport.php
index 63e254e..20ea3c2 100644
--- a/plugins/XmlImportExport/XmlImportExport.php
+++ b/plugins/XmlImportExport/XmlImportExport.php
@@ -39,7 +39,7 @@ class XmlImportExportPlugin extends MantisPlugin {
 function register( ) {
 $this->name = plugin_lang_get( 'title' );
 $this->description = plugin_lang_get( 'description' );
- $this->page = '';
+ $this->page = "config_page";
 $this->version = '1.0';
 $this->requires = array(
@@ -54,6 +54,17 @@ function register( ) {
 /**
 * Default plugin configuration.
 */
+ public function config() {
+ return array(
+ "import_threshold" => ADMINISTRATOR,
+ "export_threshold" => DEVELOPER,
+ );
+ }
+
+ /**
+ * Plugin hooks
+ * @return array
+ */
 function hooks( ) {
 $hooks = array(
 'EVENT_MENU_MANAGE' => 'import_issues_menu',
@@ -67,6 +78,9 @@ function import_issues_menu( ) {
 }
 function export_issues_menu( ) {
+ if( !access_has_project_level( plugin_config_get( 'export_threshold' ) ) ) {
+ return array();
+ }
 return array(
 '' . plugin_lang_get( 'export' ) . '',
 );
 }
diff --git a/plugins/XmlImportExport/lang/strings_english.txt b/plugins/XmlImportExport/lang/strings_english.txt
index 775ad76..e595228 100644
--- a/plugins/XmlImportExport/lang/strings_english.txt
+++ b/plugins/XmlImportExport/lang/strings_english.txt
@@ -35,7 +35,14 @@ $s_plugin_XmlImportExport_description = 'Adds XML based import and export capabi
 $s_plugin_XmlImportExport_import = 'Import issues';
 $s_plugin_XmlImportExport_export = 'XML Export';
+$s_plugin_XmlImportExport_config_title = 'XML Import/Export Access Levels Configuration';
+$s_plugin_XmlImportExport_import_threshold = 'Import issues';
+$s_plugin_XmlImportExport_export_threshold = 'Export issues';
+
+$s_plugin_XmlImportExport_action_update = 'Update';
+
 $s_plugin_XmlImportExport_importing_in_project = 'Importing issues in project:';
+
 $s_plugin_XmlImportExport_import_options = 'Import options';
 $s_plugin_XmlImportExport_cross_references = 'Cross references';
diff --git a/plugins/XmlImportExport/pages/config.php b/plugins/XmlImportExport/pages/config.php
new file mode 100644
index 0000000..19587c8
--- /dev/null
+++ b/plugins/XmlImportExport/pages/config.php
@@ -0,0 +1,27 @@
+ + +
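Review bot: The docblock that now sits above the new `config()` method still reads only `Default plugin configuration.` and lacks the `@return array` tag this same hunk gives `hooks()`; I would make it `/** * Default plugin configuration. * @return array */`. The two config keys are double-quoted (`"import_threshold"`, `"export_threshold"`) where every other literal visible in this file is single-quoted (`'title'`, `'EVENT_MENU_MANAGE'`), and `"config_page"` in the register() hunk above has the same inconsistency; `'import_threshold' => ADMINISTRATOR,` and `'export_threshold' => DEVELOPER,` keep the file's convention. `config()` is also the only method in this patch declared `public`, while `register()`, `hooks()` and `export_issues_menu()` carry no visibility keyword, so the class now mixes both styles. The ADMINISTRATOR/DEVELOPER defaults are sensible given the commit message: import writes arbitrary issue data and export discloses all of it, so neither should be reachable below developer level out of the box.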
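Review bot: The new guard in `export_issues_menu()` hides the export link below `export_threshold`, but `import_issues_menu()` — whose body lies above this hunk and, per the diffstat (15 additions and 1 deletion, all accounted for by the three hunks shown), is unchanged — still returns its link to every user even though pages/import.php now enforces `import_threshold`. For a consistent UI I would mirror the guard there: `if( !access_has_project_level( plugin_config_get( 'import_threshold' ) ) ) { return array(); }`. Note that hiding the menu entry is not the access control itself; the diffstat lists a two-line change to pages/export.php, presumably the matching `access_ensure_project_level( plugin_config_get( 'export_threshold' ) );`, and that page-level check is what actually closes the disclosure described in the commit message, so it is worth confirming it is present since the export.php hunk is not visible in this excerpt.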
+
+ + + + + + + +> + + + + +> + + + + + + + + +
"/>
+
+ +. +access_ensure_project_level( plugin_config_get( 'import_threshold' ) ); + auth_reauthenticate( ); html_page_top( plugin_lang_get( 'import' ) );