Your message dated Mon, 20 Oct 2008 12:32:08 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#502728: fixed in mantis 1.1.2+dfsg-7
has caused the Debian Bug report #502728,
regarding mantis: remote code execution for registered users
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
502728: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502728
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mantis
Version: 1.1.2+dfsg-6
Severity: grave
Tags: security patch

Hi,
the following security issue was published for mantis.
Quoting from http://www.milw0rm.com/exploits/6768:


| [-] vulnerable code in /manage_proj_page.php
| 
| 32. $f_sort = gpc_get_string( 'sort', 'name' ); <=== this is taken and stripslashed from $_GET['sort']
| 33. $f_dir  = gpc_get_string( 'dir', 'ASC' );
| 
| (...)
| 
| 89. $t_projects = multi_sort( $t_full_projects, $f_sort, $t_direction ); <=== and here is passed to multi_sort()
| 90. $t_stack    = array( $t_projects );
| 
| [-] multi_sort() function defined into /core/utility_api.php
| 
| 185.    # --------------------
| 186.    # Sort a multi-dimensional array by one of its keys
| 187.    function multi_sort( $p_array, $p_key, $p_direction=ASCENDING ) {
| 188.        if ( DESCENDING == $p_direction ) {
| 189.            $t_factor = -1;
| 190.        } else {
| 191.            # might as well allow everything else to mean ASC rather than erroring
| 192.            $t_factor = 1;
| 193.        }
| 194.
| 195.        $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['$p_key'], \$b['$p_key'] );" );
| 196.        uasort( $p_array, $t_function );
| 197.        return $p_array;
| 198.    }
| 
| An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed to create_function()
| at line 195 into multi_sort() function body. By default only registered users can access to manage_proj_page.php
| (I've tested this on 1.1.3 version), because of this sometimes this PoC works only with a valid account.

Upstream patch: 
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/utility_api.php?r1=5679&r2=5678&pathrev=5679

If you fix the vulnerability please also make sure to include a notice about
the security issue in the changelog. There is no CVE id for this issue yet.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
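
An added example, not part of the original report, not MantisBT code and not the upstream patch: one way to write the same sort so that `$p_key` is only ever used as an array index and never becomes part of source text handed to `create_function()`. The names `multi_sort_safe` and `pick_sort_key`, the constant values and the sample rows are assumptions made for the illustration.

```php
<?php
// Added example, not MantisBT code. Constant values are stand-ins for this demo.
const ASCENDING  = 101;
const DESCENDING = 102;

/**
 * Sort a multi-dimensional array by one of its keys.
 * The key is used as data (an array index); no code is compiled at runtime.
 */
function multi_sort_safe( array $p_array, string $p_key, int $p_direction = ASCENDING ): array {
    $t_factor = ( DESCENDING === $p_direction ) ? -1 : 1;

    // The closure captures $p_key by value instead of interpolating it into a string.
    uasort( $p_array, function ( $a, $b ) use ( $p_key, $t_factor ) {
        return $t_factor * strnatcasecmp(
            (string) ( $a[$p_key] ?? '' ),
            (string) ( $b[$p_key] ?? '' )
        );
    } );
    return $p_array;
}

/**
 * Caller-side allow-list (hypothetical helper): accept the requested sort
 * column only if it is an existing key of the rows, else use the default.
 */
function pick_sort_key( string $p_requested, array $p_rows, string $p_default ): string {
    $t_first = reset( $p_rows );
    if ( is_array( $t_first ) && array_key_exists( $p_requested, $t_first ) ) {
        return $p_requested;
    }
    return $p_default;
}

// Constructed sample rows standing in for the project list.
$t_projects = array(
    array( 'name' => 'proj10', 'status' => 'stable' ),
    array( 'name' => 'Proj2',  'status' => 'release' ),
    array( 'name' => 'proj1',  'status' => 'development' ),
);

// A request value containing a quote character is not a column name,
// so the default column is used and the value never reaches the comparator.
$t_key    = pick_sort_key( "na'me", $t_projects, 'name' );
$t_sorted = multi_sort_safe( $t_projects, $t_key, ASCENDING );
echo implode( ', ', array_column( $t_sorted, 'name' ) ), "\n";
```
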
--- Begin Message ---
Source: mantis
Source-Version: 1.1.2+dfsg-7

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_1.1.2+dfsg-7.diff.gz
  to pool/main/m/mantis/mantis_1.1.2+dfsg-7.diff.gz
mantis_1.1.2+dfsg-7.dsc
  to pool/main/m/mantis/mantis_1.1.2+dfsg-7.dsc
mantis_1.1.2+dfsg-7_all.deb
  to pool/main/m/mantis/mantis_1.1.2+dfsg-7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Schoenfeld <[EMAIL PROTECTED]> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 20 Oct 2008 12:56:15 +0200
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.1.2+dfsg-7
Distribution: unstable
Urgency: high
Maintainer: Patrick Schoenfeld <[EMAIL PROTECTED]>
Changed-By: Patrick Schoenfeld <[EMAIL PROTECTED]>
Description: 
 mantis     - web-based bug tracking system
Closes: 502728
Changes: 
 mantis (1.1.2+dfsg-7) unstable; urgency=high
 .
   * Urgency high because it fixes a security issue
   * Added a fix for remote code execution vulnerability that can be triggered
     by registered users (Closes: #502728)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj8d9gACgkQbdB4RPTVesqoBACeO2Ku4so/NzVASHZ6P7Bh3kye
LZEAn1aBkYVXPEIJMrzeHU0tIVBsLYn6
=Km6a
-----END PGP SIGNATURE-----



--- End Message ---