Package: mantis
Version: 1.1.2+dfsg-6
Severity: grave
Tags: security patch

Hi,
the following security issue was published for mantis. Quoting from http://www.milw0rm.com/exploits/6768:
| [-] vulnerable code in /manage_proj_page.php
|
| 32. $f_sort = gpc_get_string( 'sort', 'name' ); <=== this is taken and stripslashed from $_GET['sort']
| 33. $f_dir = gpc_get_string( 'dir', 'ASC' );
|
| (...)
|
| 89. $t_projects = multi_sort( $t_full_projects, $f_sort, $t_direction ); <=== and here is passed to multi_sort()
| 90. $t_stack = array( $t_projects );
|
| [-] multi_sort() function defined into /core/utility_api.php
|
| 185. # --------------------
| 186. # Sort a multi-dimensional array by one of its keys
| 187. function multi_sort( $p_array, $p_key, $p_direction=ASCENDING ) {
| 188.     if ( DESCENDING == $p_direction ) {
| 189.         $t_factor = -1;
| 190.     } else {
| 191.         # might as well allow everything else to mean ASC rather than erroring
| 192.         $t_factor = 1;
| 193.     }
| 194.
| 195.     $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['$p_key'], \$b['$p_key'] );" );
| 196.     uasort( $p_array, $t_function );
| 197.     return $p_array;
| 198. }
|
| An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed to create_function()
| at line 195 into multi_sort() function body. By default only registered users can access manage_proj_page.php
| (I've tested this on 1.1.3 version), because of this sometimes this PoC works only with a valid account.

Upstream patch:
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/utility_api.php?r1=5679&r2=5678&pathrev=5679

If you fix the vulnerability please also make sure to include a notice about the security issue in the changelog.

There is no CVE id for this issue yet.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
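The root cause in the quoted advisory is that the caller-supplied key is spliced into PHP source text for create_function(), so the key string is parsed as code rather than treated as data. As an added example (not MantisBT's code and not the upstream patch linked above), here is a multi_sort() variant that keeps the key as data: it refuses any key that is not present in every row and compares through a closure (PHP 5.3+), so a value arriving from $_GET['sort'] can only select an existing column. The ASCENDING/DESCENDING constant values and the sample project rows are assumptions for this example.

```php
<?php
// Added example, not MantisBT's code. Constant names follow the advisory;
// their values are assumed here.
define( 'ASCENDING', 1 );
define( 'DESCENDING', -1 );

# Sort a multi-dimensional array by one of its keys without generating code.
# $p_key is validated against the rows and captured by a closure, never
# interpolated into a PHP source string.
function multi_sort_safe( array $p_array, $p_key, $p_direction = ASCENDING ) {
    // Accept only a key that exists in every row; anything else is rejected
    // before any comparison happens (assumed validation rule for this example).
    foreach ( $p_array as $t_row ) {
        if ( !is_array( $t_row ) || !array_key_exists( $p_key, $t_row ) ) {
            throw new InvalidArgumentException( 'multi_sort_safe: unknown sort key' );
        }
    }

    // Anything other than DESCENDING means ascending, as in the original.
    $t_factor = ( DESCENDING == $p_direction ) ? -1 : 1;

    // The closure receives $p_key as a value; no string ever reaches the parser.
    uasort( $p_array, function ( $a, $b ) use ( $p_key, $t_factor ) {
        return $t_factor * strnatcasecmp( $a[$p_key], $b[$p_key] );
    } );
    return $p_array;
}

// Constructed sample input in the shape of the $t_full_projects rows.
$t_full_projects = array(
    3 => array( 'name' => 'zeta',   'id' => 3 ),
    1 => array( 'name' => 'Alpha',  'id' => 1 ),
    2 => array( 'name' => 'beta10', 'id' => 2 ),
);

// Ordinary use: the same behaviour the page's multi_sort() provides.
print_r( array_keys( multi_sort_safe( $t_full_projects, 'name' ) ) );
print_r( array_keys( multi_sort_safe( $t_full_projects, 'id', DESCENDING ) ) );

// A sort key that is not a column of the rows is rejected outright, which is
// the behaviour that closes the create_function() injection path.
try {
    multi_sort_safe( $t_full_projects, 'not_a_column' );
} catch ( InvalidArgumentException $e ) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The validation loop is what matters for the defender: the original code trusted that $p_key named a column, and create_function() turned that trust into code execution. Checking the key against the actual rows (or against a fixed list of sortable columns at the call site in manage_proj_page.php) gives the same guarantee whether or not create_function() is still used.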