MantisBT: master-1.2.x 99ffb0af

Author: dregad
Committer: dregad
Branch: master-1.2.x
Timestamp: 2014-10-30 06:31
Parent: master-1.2.x 43c39d75
Affected Issues:
  0016880: CVE-2014-1609: SQL injection vulnerabilities
  0017812: CVE-2014-8554: SQL injection in SOAP API
  0017823: CVE-2014-8554 - SQL injection vulnerability in SOAP API
Changeset

SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in 0016880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

The same issue was also reported by Paul Richards in issue 0017823.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes 0017812, CVE-2014-8554

mod - api/soap/mc_project_api.php
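The commit message says the fix is to typecast the project id to integer before it reaches the query. The following is an added illustration of that pattern, written for this page; it is not MantisBT's code, not the diff of this commit, and not the researchers' payload. The function names, the table and column names, and the sample inputs are all assumptions constructed for the demo; the only thing taken from the page is the technique itself, an `(int)` cast on the caller-supplied id.

```php
<?php
// Added example for this page, not MantisBT's own code.
// Shows what "typecast the Project ID parameter to Integer" changes when a
// value received from the SOAP layer ends up in a SQL string.

// Hypothetical "before": the value is concatenated as received. A check that
// only rejects empty or obviously non-numeric values does not stop a string
// that begins with digits and carries trailing SQL.
// Table and column names are made up for the demo.
function build_attachments_query_unsafe( $p_project_id ) {
	return 'SELECT f.id, f.bug_id, f.filename FROM bug_file f'
		. ' JOIN bug b ON b.id = f.bug_id'
		. ' WHERE b.project_id = ' . $p_project_id;
}

// Hardened variant, the pattern the commit message describes: cast first.
// (int) keeps only a leading integer and discards everything after it, so the
// value spliced into the SQL can only ever be an integer literal.
function build_attachments_query_safe( $p_project_id ) {
	$t_project_id = (int)$p_project_id;
	return 'SELECT f.id, f.bug_id, f.filename FROM bug_file f'
		. ' JOIN bug b ON b.id = f.bug_id'
		. ' WHERE b.project_id = ' . $t_project_id;
}

// Optional stricter check (my addition, not something the commit describes):
// a bare cast silently turns '1 OR 1=1' into project 1 and '' into project 0.
// An API that would rather reject such input than coerce it can compare the
// canonical integer form back against the trimmed original.
function project_id_is_well_formed( $p_project_id ) {
	$t_trimmed = trim( (string)$p_project_id );
	return $t_trimmed !== '' && (string)(int)$t_trimmed === $t_trimmed;
}

// Constructed inputs for the demo. The injection-looking string is a generic
// illustration, not the payload from the advisory.
$t_inputs = array( '1', ' 42 ', '1 OR 1=1', 'abc', '' );

foreach ( $t_inputs as $t_in ) {
	echo 'input: ' . var_export( $t_in, true ) . "\n";
	echo '  unsafe:      ' . build_attachments_query_unsafe( $t_in ) . "\n";
	echo '  safe (cast): ' . build_attachments_query_safe( $t_in ) . "\n";
	echo '  well-formed: ' . ( project_id_is_well_formed( $t_in ) ? 'yes' : 'no' ) . "\n";
}
```

Run it with `php example.php`. The cast is the part that matters for the vulnerability: once `$t_project_id` is a PHP integer, string concatenation can only emit digits (and a leading minus), regardless of what the SOAP layer handed over. The well-formedness check is a separate design choice for callers that prefer an explicit fault over silent coercion; it does not replace the cast, since the query builder should never depend on a validation step somewhere else having run.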