From bc5078a09cd91ae31738628e3be52554f03841fb Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Thu, 30 Oct 2014 15:31:36 +0100
Subject: [PATCH] CVE-2014-XXXX: SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue #16880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in #16880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes #17812
---
 api/soap/mc_project_api.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
index 252e31b..c50c947 100644
--- a/api/soap/mc_project_api.php
+++ b/api/soap/mc_project_api.php
@@ -680,6 +680,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
 		return mci_soap_fault_login_failed();
 	}
 
+	$p_project_id = (int)$p_project_id;
 	$g_project_override = $p_project_id;
 
 	# Check if project documentation feature is enabled.
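Review bot: The cast on the added line `$p_project_id = (int)$p_project_id;` silently coerces a malformed project id instead of rejecting it. PHP's integer cast keeps any leading digits and yields 0 otherwise, so a crafted string is still accepted and the call proceeds with whatever integer results, which is then also assigned to `$g_project_override`. Consider checking that the parameter is numeric and returning a SOAP fault when it is not, and add a short comment above the cast stating that it guards against SQL injection so it is not later removed as redundant. The query that consumes `$p_project_id` is outside this hunk; if it builds SQL by concatenation, binding the id as a query parameter there would remove the dependency on this cast.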
-- 
2.1.1

