Package: mantis
Version: 1.1.2+dfsg-6
Severity: grave
Tags: security patch

Hi,
The following security issue was published for mantis.
Quoting from http://www.milw0rm.com/exploits/6768:


| [-] vulnerable code in /manage_proj_page.php
| 
| 32. $f_sort = gpc_get_string( 'sort', 'name' ); <=== this is taken and stripslashed from $_GET['sort']
| 33. $f_dir  = gpc_get_string( 'dir', 'ASC' );
| 
| (...)
| 
| 89. $t_projects = multi_sort( $t_full_projects, $f_sort, $t_direction ); <=== and here is passed to multi_sort()
| 90. $t_stack    = array( $t_projects );
| 
| [-] multi_sort() function defined into /core/utility_api.php
| 
| 185.    # --------------------
| 186.    # Sort a multi-dimensional array by one of its keys
| 187.    function multi_sort( $p_array, $p_key, $p_direction=ASCENDING ) {
| 188.        if ( DESCENDING == $p_direction ) {
| 189.            $t_factor = -1;
| 190.        } else {
| 191.            # might as well allow everything else to mean ASC rather than erroring
| 192.            $t_factor = 1;
| 193.        }
| 194.
| 195.        $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['$p_key'], \$b['$p_key'] );" );
| 196.        uasort( $p_array, $t_function );
| 197.        return $p_array;
| 198.    }
| 
| An attacker could be able to inject and execute PHP code through $_GET['sort'], which is passed to create_function()
| at line 195 in the multi_sort() function body. By default only registered users can access manage_proj_page.php
| (I've tested this on version 1.1.3); because of this, sometimes this PoC works only with a valid account.

Upstream patch: 
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/utility_api.php?r1=5679&r2=5678&pathrev=5679

If you fix the vulnerability please also make sure to include a notice about
the security issue in the changelog. There is no CVE id for this issue yet.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

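Added example, not taken from the advisory, from this bug report or from the MantisBT upstream patch: the quoted multi_sort() pattern next to a hardened rewrite that keeps the sort key as data. The ASCENDING/DESCENDING constants, the allowed-key list and the sample project rows are assumed or constructed here.

```php
<?php
// Stand-ins for the Mantis constants referenced by multi_sort() (assumed values).
define( 'ASCENDING', 1 );
define( 'DESCENDING', 2 );

// Vulnerable shape, as quoted above: $p_key is interpolated into a PHP source
// string that create_function() compiles, so whatever reaches $p_key from
// $_GET['sort'] is treated as code rather than as an array index.
// (create_function() was removed in PHP 8; this definition is kept for contrast only.)
function multi_sort_vulnerable( $p_array, $p_key, $p_direction = ASCENDING ) {
    $t_factor = ( DESCENDING == $p_direction ) ? -1 : 1;
    $t_function = create_function( '$a, $b',
        "return $t_factor * strnatcasecmp( \$a['$p_key'], \$b['$p_key'] );" );
    uasort( $p_array, $t_function );
    return $p_array;
}

// Hardened rewrite: the key is never turned into source code. It is checked
// against the columns the caller allows, then used only as an array index
// inside a closure, so user input stays data all the way down.
function multi_sort_safe( array $p_array, $p_key, $p_direction = ASCENDING,
                          array $p_allowed_keys = array( 'name' ) ) {
    if ( !in_array( $p_key, $p_allowed_keys, true ) ) {
        $p_key = $p_allowed_keys[0];   // unknown column: fall back to a known-good one
    }
    $t_factor = ( DESCENDING == $p_direction ) ? -1 : 1;
    uasort( $p_array, function ( $a, $b ) use ( $p_key, $t_factor ) {
        return $t_factor * strnatcasecmp( $a[$p_key], $b[$p_key] );
    } );
    return $p_array;
}

// Constructed sample rows standing in for $t_full_projects.
$t_full_projects = array(
    array( 'name' => 'project10', 'id' => 3 ),
    array( 'name' => 'Project2',  'id' => 1 ),
    array( 'name' => 'project1',  'id' => 2 ),
);

// A value as it might arrive via $_GET['sort']: here simply an unknown column
// name, which the safe version replaces with the default instead of compiling.
$f_sort = 'status';
print_r( multi_sort_safe( $t_full_projects, $f_sort, DESCENDING, array( 'name', 'id' ) ) );
```

Natural-order sorting keeps project1, Project2, project10 in that order (reversed here), and an unrecognised sort column can only ever select a different column, never extra code.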