View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0027351 | mantisbt | bugtracker | public | 2020-09-26 06:44 | 2020-12-30 07:30 |
Reporter | d3vpoo1 | Assigned To | dregad | ||
Priority | normal | Severity | feature | Reproducibility | always |
Status | assigned | Resolution | open | ||
Platform | Windows | OS | Windows | OS Version | Windows |
Product Version | 2.24.3 | ||||
Summary | 0027351: Prevent updating Issue with invalid values for ETA and Projection | ||||
Description | Apologize for the summary I am not sure for that one but if I am correct I also read the same issues (where something about SQL syntax and prints I am just playing with the config (and I am looking for the config to turn on the repository but no luck) If I am not mistaken I read some issues where it prints This | ||||
Steps To Reproduce |
Request
Response
Exploit
Exploit request
Exploit response
| ||||
Additional Information | In case you need a PoC please mention it (can't upload attachment due to internet issue..) | ||||
Tags | No tags attached. | ||||
Hello! I didn't notice the If the case is I shouldn't open My payload here is |
|
The display of I am not able to reproduce your @32767@ scenario; when a value bigger than max for smallint type, I get a MySQL error 1264: Out of range value for column 'eta'. As it stands I wouldn't consider this as a bug.. |
|
I don't edit the |
|
This one I don't consider as a security issue, as the only impact is storing some data that cannot be rendered by Mantis. Nevertheless, I will implement a fix to prevent updating the Issue record with ETA data that is not defined in the enum string; an error message will be thrown in this case. |
|
There was some argument from @vboctor during code review:
Considering the above, and the fact that this is not really a security issue, although it could introduce data inconsistency (but that is quite visible in the UI as the invalid entries are shown as |
|
MantisBT: master e5a44f81 2020-12-28 14:22 Details Diff |
BugData::_set() handle eta as int The eta field was not included in the switch, so was dealt with by the default case and treated as string while it is in fact an enum and should be handled as int. Issue 0027351 |
Affected Issues 0027351 |
|
mod - core/bug_api.php | Diff File |
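
The fix discussed in this thread (treat ETA as an int and refuse values that are not defined in the enum string) can be sketched as follows. This is an added example, not MantisBT's code: the helper names `parse_enum_string` and `validate_enum_field` are hypothetical and the enum string is constructed for illustration. The same check applies to any enum-backed field, such as Projection.

```php
<?php
declare(strict_types=1);

// Constructed enum string in "value:label,value:label" style (labels are illustrative).
const ETA_ENUM = '10:none,20:< 1 day,30:2-3 days,40:< 1 week,50:< 1 month,60:> 1 month';

// Hypothetical helper: turn the enum string into [int value => label].
function parse_enum_string(string $enum): array
{
    $map = [];
    foreach (explode(',', $enum) as $pair) {
        $parts = explode(':', $pair, 2);
        if (count($parts) === 2 && ctype_digit(trim($parts[0]))) {
            $map[(int) trim($parts[0])] = trim($parts[1]);
        }
    }
    return $map;
}

// Hypothetical validator: returns the value as int, or throws before anything reaches the database.
function validate_enum_field(string $field, $raw, string $enum): int
{
    // Request data arrives as strings; accept only a plain decimal integer.
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException("$field: not an integer");
    }
    // An integer that fits the column type can still be absent from the enum.
    if (!array_key_exists($value, parse_enum_string($enum))) {
        throw new InvalidArgumentException("$field: $value is not defined in the enum string");
    }
    return $value;
}

// Constructed inputs: two defined values, then values that must be rejected.
foreach (['20', 60, '32767', '15', 'none', ''] as $raw) {
    try {
        $eta = validate_enum_field('eta', $raw, ETA_ENUM);
        echo var_export($raw, true), ' => accepted as int ', $eta, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo var_export($raw, true), ' => rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Checking membership in the enum, rather than only the integer range, is what keeps out values that fit in the column but have no label to render.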