View Issue Details

ID: 0023921
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-03-29 11:15
Reporter: foolandtom
Assigned To: dregad
Priority: low
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.11.0
Target Version:
Fixed in Version:
Summary: 0023921: CVE-2018-6526: view_all_bug_page Leak path
Description

The filter parameter receiving values can cause site path leakage

url:https://mantisbt.org/bugs/view_all_bug_page.php?filter=1

file:view_all_bug_page.php

Steps To Reproduce

Leakage content:

APPLICATION ERROR

Argument 1 passed to filter_ensure_valid_filter() must be of the type array, string given, called in /srv/www/bugs/core/current_user_api.php on line 252
请使用浏览器的“返回”按钮来返回到上一页,这样您可以找到发生了什么问题或者进行别的操作;您也可以点击导航栏中的其它项。

url:https://mantisbt.org/bugs/view_all_bug_page.php?filter=1

Leaked path: /srv/www/bugs/core/current_user_api.php

Additional Information

The test site is: https://mantisbt.org/bugs/view_all_bug_page.php?filter=1

Direct copy of the address after logging in

Tags: No tags attached.

Relationships

related to 0023925 (closed, vboctor): Site path leakage in error handler

Activities

foolandtom

2018-02-01 22:15

reporter  

1517309582005.jpg (332,840 bytes)

atrol

2018-02-02 02:46

developer   ~0058706

Last edited: 2018-02-02 02:47

Removed version as the problem does not occur in 2.10.0, but just in the latest code from master branch.

Seems to be caused by changing the error handler when introducing exceptions.

foolandtom

2018-02-02 03:46

reporter   ~0058712

yes

dregad

2018-02-02 05:59

developer   ~0058714

I'll push a fix shortly.

vboctor

2018-02-04 03:29

manager   ~0058732

Removed fixed in version and target version so it doesn't show in changelog since this is a fix for a bug that wasn't released.

dregad

2018-03-29 11:15

developer   ~0059350

Looks like someone requested a CVE for this: https://nvd.nist.gov/vuln/detail/CVE-2018-6526

Unfortunately, they provided incorrect version information to the CNA, so the CVE is listed as affecting <= 2.10.0 which is incorrect.

Related Changesets

MantisBT: master de686a9e

2018-02-02 06:14:42

dregad

Fix PHP error - wrong argument type

Initialize $t_filter variable as array() instead of '' in
current_user_get_bug_filter(), to ensure its type is correct when
calling filter_ensure_valid_filter().

Fixes 0023921

Affected Issues: 0023921
mod - core/current_user_api.php
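
The failure mode the changeset above addresses, as an added example that is not MantisBT's code: a default of '' reaches a callee declared with an array parameter, PHP raises a TypeError whose text ends in "called in <file> on line N", and an error page that echoes that text discloses the server path. The demo_* functions, the way the request value is handled and the generic error page with a log reference are assumptions made for illustration.

```php
<?php
// Added illustration: demo_* names are hypothetical, not MantisBT functions.

// Stand-in for a callee whose parameter is declared as array.
function demo_ensure_valid_filter(array $p_filter): array {
    return $p_filter + array('per_page' => 50); // constructed default
}

// $p_default plays the role of the initial $t_filter value:
// '' reproduces the error, array() is the corrected initialization.
function demo_get_filter($p_request_value, $p_default): array {
    $t_filter = $p_default;
    // Assumption: only a well-formed array replaces the default,
    // so a scalar such as filter=1 leaves the default in place.
    if (is_array($p_request_value)) {
        $t_filter = $p_request_value;
    }
    return demo_ensure_valid_filter($t_filter);
}

// Defense in depth: keep the detail in the server log and give the
// client only a reference that can be matched against that log.
function demo_public_error(Throwable $p_error): string {
    $t_ref = bin2hex(random_bytes(4));
    error_log('[' . $t_ref . '] ' . $p_error->getMessage());
    return 'APPLICATION ERROR (reference ' . $t_ref . ')';
}

// $p_verbose = true models an error page that echoes the exception text.
function demo_handle($p_request_value, $p_default, bool $p_verbose): string {
    try {
        demo_get_filter($p_request_value, $p_default);
        return 'OK';
    } catch (TypeError $t_error) {
        return $p_verbose ? $t_error->getMessage() : demo_public_error($t_error);
    }
}

// Constructed request value '1', as in ?filter=1
echo "'' default, verbose page:      ", demo_handle('1', '', true), PHP_EOL;
echo "'' default, generic page:      ", demo_handle('1', '', false), PHP_EOL;
echo "array() default, verbose page: ", demo_handle('1', array(), true), PHP_EOL;
```

Run it with the PHP CLI (PHP 7.1 or later); there, error_log() writes to stderr by default.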

Issue History

Date Modified Username Field Change
2018-02-01 22:15 foolandtom New Issue
2018-02-01 22:15 foolandtom File Added: 1517309582005.jpg
2018-02-02 01:58 atrol Category filters => security
2018-02-02 01:58 atrol View Status public => private
2018-02-02 02:46 atrol Status new => confirmed
2018-02-02 02:46 atrol Product Version 2.10.0 =>
2018-02-02 02:46 atrol Note Added: 0058706
2018-02-02 02:47 atrol Severity minor => major
2018-02-02 02:47 atrol Target Version => 2.11.0
2018-02-02 02:47 atrol Note Edited: 0058706
2018-02-02 03:46 foolandtom Note Added: 0058712
2018-02-02 05:59 dregad Assigned To => dregad
2018-02-02 05:59 dregad Status confirmed => assigned
2018-02-02 05:59 dregad Note Added: 0058714
2018-02-02 08:05 dregad Changeset attached => MantisBT master de686a9e
2018-02-02 08:05 dregad Status assigned => resolved
2018-02-02 08:05 dregad Resolution open => fixed
2018-02-02 08:05 dregad Fixed in Version => 2.11.0
2018-02-02 08:06 dregad Product Version => 2.11.0
2018-02-02 08:06 dregad View Status private => public
2018-02-02 15:16 atrol Relationship added related to 0023925
2018-02-04 03:29 vboctor Fixed in Version 2.11.0 =>
2018-02-04 03:29 vboctor Target Version 2.11.0 =>
2018-02-04 03:29 vboctor Note Added: 0058732
2018-02-06 21:17 vboctor Status resolved => closed
2018-03-29 11:15 dregad Summary view_all_bug_page Leak path => CVE-2018-6526: view_all_bug_page Leak path
2018-03-29 11:15 dregad Note Added: 0059350