View Issue Details

ID: 0017392
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-09-04 02:50
Reporter: muts
Assigned To: grangeway
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: duplicate
Product Version: 1.2.17
Summary: 0017392: PHP Object injection issue in MantisBT
Description

There's a PHP Object injection issue in MantisBT, in the function current_user_get_bug_filter (core\current_user_api.php line 212).

The code loads a variable from $_GET['filter']/$_POST['filter'] and if it's not numeric, feeds it straight into unserialize() on line 223.

The current_user_get_bug_filter function is called in 10 places; the easiest is just to access /view_filters_page.php.

A PoC initializing a class that's loaded could look like this:

/view_filters_page.php?filter=O:16:"MantisPHPSession":2:{s:2:"id";s:1:"1";s:3:"key";s:3:"wee";}

Tags: No tags attached.

Relationships

duplicate of 0017362 | closed | dregad | Multiple vulnerabilities in MantisBT
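
The pattern the description reports (numeric value treated as an ID, anything else passed to unserialize()) next to a hardened form, as an added example that is not MantisBT's code or its actual fix. The function names, the LoadedClass stand-in and the filter keys are hypothetical, the inputs are constructed, and the hardened variant assumes PHP 7.0 or later for the allowed_classes option.

```php
<?php
// Added illustration; function, class and key names are hypothetical.

class LoadedClass {                 // stands in for any class the app has loaded
    public $id, $key;
    public function __wakeup() {    // runs automatically inside unserialize()
        echo "__wakeup ran on a caller-chosen object\n";
    }
}

// Pattern from the report: numeric => stored filter ID, else unserialize().
function load_filter_unsafe($raw) {
    if (is_numeric($raw)) {
        return array('stored_filter_id' => (int) $raw);
    }
    return unserialize($raw);
}

// True only for scalars, null, and arrays built from them (no objects).
function is_plain_data($v) {
    if (is_array($v)) {
        foreach ($v as $item) {
            if (!is_plain_data($item)) {
                return false;
            }
        }
        return true;
    }
    return is_scalar($v) || $v === null;
}

// Hardened: never instantiate classes, accept only plain arrays.
function load_filter_safe($raw) {
    if (is_numeric($raw)) {
        return array('stored_filter_id' => (int) $raw);
    }
    // PHP >= 7.0: objects become __PHP_Incomplete_Class, no magic methods run.
    $value = @unserialize($raw, array('allowed_classes' => false));
    return (is_array($value) && is_plain_data($value)) ? $value : null;
}

// Constructed inputs: one serialized object, one plain filter array.
$object_input = 'O:11:"LoadedClass":2:{s:2:"id";s:1:"1";s:3:"key";s:3:"wee";}';
$plain_input  = serialize(array('per_page' => 50, 'statuses' => array(10, 20)));

var_dump(load_filter_unsafe($object_input) instanceof LoadedClass);
var_dump(load_filter_safe($object_input));
var_dump(load_filter_safe($plain_input));
```

On PHP versions without allowed_classes, the same goal is usually met by not calling unserialize() on request data at all, for example by exchanging the filter as JSON.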

Activities

grangeway

2014-05-28 14:35

reporter   ~0040666

Hi muts,

We're already in the process of fixing this; we've both come across this internally / had a separate report of this issue.

We'll be doing a security update release shortly to fix a batch of security-related issues.

Paul

grangeway

2014-05-28 14:43

reporter   ~0040667

Muts, and in fact, looking at your email address and the fact the other report we had with a bunch of issues (some of which were new, some of which I was already in the process of fixing already from looking for issues a week earlier) mentioned offensive security, I'm inclined to think you are reporting the same issues as one of your colleagues.

muts

2014-05-28 14:46

reporter   ~0040668

Thanks Paul. This slew of bugs is a response to our bug bounty program at Offensive Security (http://www.offensive-security.com/bug-bounty-program/). Our Kali Linux bug tracker runs mantisBT, and is constantly under scrutiny (bugs.kali.org). I try to relay them as they come!