0009704: Remote Code Execution in manage_proj_page.php - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0009704	mantisbt	security	public	2008-10-17 06:11	2015-04-10 10:37

Reporter	thosjo	Assigned To	giallu
Priority	normal	Severity	major	Reproducibility	have not tried
Status	closed	Resolution	fixed
Product Version	1.1.3
Fixed in Version	1.1.4

Summary	0009704: Remote Code Execution in manage_proj_page.php
Description	FYI http://www.milw0rm.com/exploits/6768 [...] An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed to create_function() at line 195 into multi_sort() function body. By default only registered users can access to manage_proj_page.php [...]
Tags	No tags attached.

giallu 2008-10-17 06:40 reporter ~0019580	having a look here

giallu 2008-10-17 11:26 reporter ~0019582	Fixed in both 1.1 and 1.2 branches: http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5679&view=rev http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5680&view=rev

jreese 2008-10-20 08:44 reporter ~0019595	Note that certain follow-on patches are needed to fix this: 1.1.x: r5688, r5698 1.2.x: r5689, r5690

giallu 2008-10-23 09:38 reporter ~0019653	This is now known as CVE-2008-4687

vboctor 2008-11-28 15:31 manager ~0020101	Adding a related thread from the forum showing how a user got affected by this issue: http://www.mantisbt.org/forums/viewtopic.php?f=2&t=6344

MantisBT: master-1.1.x ced9305b 2008-10-17 11:10 giallu Details Diff	Fix 9704: (manage_proj_page.php) Remote Code Execution Exploit git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5679 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9		Affected Issues 0009704
	mod - core/utility_api.php		Diff File
MantisBT: master 4e32f5ae 2008-10-17 11:11 giallu Details Diff	Fix 9704: (manage_proj_page.php) Remote Code Execution Exploit git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5680 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9		Affected Issues 0009704
	mod - core/utility_api.php		Diff File
MantisBT: master 404f407e 2008-10-18 09:33 Paul Richards Details Diff	Fix previous commit: 1) array_key_exist does not exist - it is array_key_exists 2) array_key_exists only works on a single dimension array, so we use current()/is_array to search for the sort column in the array and ensure we have a multi-dimensional array. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5690 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9		Affected Issues 0009704
	mod - lang/strings_english.txt		Diff File
	mod - core/utility_api.php		Diff File
	mod - core/constant_inc.php		Diff File
MantisBT: master-1.1.x 9f2d70ff 2008-10-20 08:44 jreese Details Diff	Port r5690 to 1.1.x to fix 0009704. Fix previous commit: 1) array_key_exist does not exist - it is array_key_exists 2) array_key_exists only works on a single dimension array, so we use current()/is_array to search for the sort column in the array and ensure we have a multi-dimensional array. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5698 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9		Affected Issues 0009704
	mod - core/constant_inc.php		Diff File
	mod - lang/strings_english.txt		Diff File
	mod - core/utility_api.php		Diff File