View Issue Details

IDProjectCategoryView StatusLast Update
0009704mantisbtsecuritypublic2015-04-10 10:37
Reporterthosjo Assigned Togiallu  
PrioritynormalSeveritymajorReproducibilityhave not tried
Status closedResolutionfixed 
Product Version1.1.3 
Fixed in Version1.1.4 
Summary0009704: Remote Code Execution in manage_proj_page.php
Description

FYI

http://www.milw0rm.com/exploits/6768

[...]
An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed to create_function() at line 195 into multi_sort() function body. By default only registered users can access to manage_proj_page.php

[...]

TagsNo tags attached.

Relationships

has duplicate 0009858 closedthraxisp Security problem - XSS attac possible in Mantis 1.1.2 
has duplicate 0010025 closedjreese Possible hacking attack 

Activities

giallu

giallu

2008-10-17 06:40

reporter   ~0019580

having a look here

giallu

giallu

2008-10-17 11:26

reporter   ~0019582

Fixed in both 1.1 and 1.2 branches:

http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5679&view=rev

http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5680&view=rev

jreese

jreese

2008-10-20 08:44

reporter   ~0019595

Note that certain follow-on patches are needed to fix this:

1.1.x: r5688, r5698

1.2.x: r5689, r5690

giallu

giallu

2008-10-23 09:38

reporter   ~0019653

This is now known as CVE-2008-4687

vboctor

vboctor

2008-11-28 15:31

manager   ~0020101

Adding a related thread from the forum showing how a user got affected by this issue:
http://www.mantisbt.org/forums/viewtopic.php?f=2&t=6344

Related Changesets

MantisBT: master-1.1.x ced9305b

2008-10-17 15:10:53

giallu

Details Diff
Fix 9704: (manage_proj_page.php) Remote Code Execution Exploit

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5679 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0009704
mod - core/utility_api.php Diff File

MantisBT: master 4e32f5ae

2008-10-17 15:11:22

giallu

Details Diff
Fix 9704: (manage_proj_page.php) Remote Code Execution Exploit

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5680 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0009704
mod - core/utility_api.php Diff File

MantisBT: master 404f407e

2008-10-18 13:33:17

Paul Richards

Details Diff
Fix previous commit:
1) array_key_exist does not exist - it is array_key_exists
2) array_key_exists only works on a single dimension array, so we use current()/is_array to search for the sort column in the array and ensure we have a multi-dimensional array.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5690 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0009704
mod - lang/strings_english.txt Diff File
mod - core/utility_api.php Diff File
mod - core/constant_inc.php Diff File

MantisBT: master-1.1.x 9f2d70ff

2008-10-20 12:44:10

jreese

Details Diff
Port r5690 to 1.1.x to fix 0009704.
Fix previous commit:
1) array_key_exist does not exist - it is array_key_exists
2) array_key_exists only works on a single dimension array, so we use current()/is_array to search for the sort column in the array and ensure we have a multi-dimensional array.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5698 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0009704
mod - core/constant_inc.php Diff File
mod - lang/strings_english.txt Diff File
mod - core/utility_api.php Diff File

Issue History

Date Modified Username Field Change
2008-10-17 06:11 thosjo New Issue
2008-10-17 06:40 giallu Note Added: 0019580
2008-10-17 11:26 giallu Note Added: 0019582
2008-10-17 11:26 giallu Status new => resolved
2008-10-17 11:26 giallu Fixed in Version => 1.1.4
2008-10-17 11:26 giallu Resolution open => fixed
2008-10-17 11:26 giallu Assigned To => giallu
2008-10-17 11:28 giallu Summary "Mantis Bug Tracker <= 1.1.3 (manage_proj_page.php) Remote Code Execution Exploit " => Remote Code Execution in manage_proj_page.php
2008-10-18 18:33 giallu View Status private => public
2008-10-18 18:33 giallu Status resolved => closed
2008-10-20 08:44 jreese Note Added: 0019595
2008-10-20 16:45 Changeset attached master 5e072bdf =>
2008-10-20 20:19 Changeset attached master-1.1.x fe0ae0c1 =>
2008-10-20 20:19 Changeset attached master-1.1.x 783c5f3d =>
2008-10-23 09:38 giallu Note Added: 0019653
2008-11-11 08:32 giallu Changeset attached master 4e32f5ae =>
2008-11-11 08:45 giallu Changeset attached master 4e32f5ae =>
2008-11-11 09:03 jreese Changeset attached master-1.1.x 9f2d70ff =>
2008-11-11 09:03 giallu Changeset attached master-1.1.x ced9305b =>
2008-11-19 11:11 thraxisp Relationship added has duplicate 0009858
2008-11-28 15:31 vboctor Note Added: 0020101
2009-01-07 13:55 jreese Relationship added has duplicate 0010025
2015-04-10 10:37 dregad Changeset attached => MantisBT master 404f407e