View Issue Details

ID: 0017823
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-09-04 02:49
Reporter: grangeway
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: duplicate
Summary: 0017823: CVE-2014-8554 - SQL injection vulnerability in SOAP API
Description

From 1dd9119a54efd7443b8519919f7624ccc6b8f5e9 Mon Sep 17 00:00:00 2001
Date: Sun, 19 Oct 2014 15:38:41 +0100
Subject: [PATCH 4/4] Fix possible SQL injection in SOAP api


api/soap/mc_project_api.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
index 8e6aae9..227d957 100644
--- a/api/soap/mc_project_api.php
+++ b/api/soap/mc_project_api.php
@@ -684,7 +684,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
} else {

Select the specific project

    $t_projects = array(
  • $p_project_id,
  • (int)$p_project_id,
    );
    }
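
Review bot: The `(int)` cast is applied only where `$t_projects` is built in the `else` branch, so any other use of `$p_project_id` inside `mc_project_get_attachments()` still sees the raw value passed in through the SOAP call. Normalising once at function entry (for example `$p_project_id = (int)$p_project_id;` as the first statement) would cover every path, including the branch above this `else`. Note also that the cast silently turns a non-numeric string into 0 and a string such as "12abc" into 12 instead of rejecting it; an explicit numeric check that returns a fault for malformed ids would make the behaviour visible to callers, and a short comment on why the cast is there would help keep it from being removed later.
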
Tags: No tags attached.

Relationships

duplicate of 0017812 (closed, dregad): CVE-2014-8554: SQL injection in SOAP API

Activities

dregad

2014-10-30 16:44

developer   ~0041716

Hi Paul,

Many thanks for that. I'm resolving this as duplicate of the other bug, and will reference the correct CVE ID after resolving the conflict with my own request for the same since we apparently did this in parallel.

Related Changesets

MantisBT: master-1.2.x 99ffb0af

2014-10-30 06:31

dregad


SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in 0016880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

The same issue was also reported by Paul Richards in issue 0017823.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes 0017812, CVE-2014-8554
Affected Issues
0016880, 0017812, 0017823
mod - api/soap/mc_project_api.php

MantisBT: master 5faf97ab

2014-10-30 06:31

dregad


SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in 0016880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

The same issue was also reported by Paul Richards in issue 0017823.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes 0017812, CVE-2014-8554
Affected Issues
0016880, 0017812, 0017823
mod - api/soap/mc_project_api.php