View Issue Details

ID: 0016880
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-11-01 19:40
Reporter: dregad
Assigned To: dregad
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 1.2.16
Fixed in Version: 1.2.16
Summary: 0016880: CVE-2014-1609: SQL injection vulnerabilities
Description

Following root cause analysis for 0016879, additional uses of db_query() instead of db_query_bound() were discovered, which could potentially lead to SQL injection exploits.

Tags: No tags attached.

Relationships

related to 0016879 (closed, dregad): CVE-2014-1608: soap:Envelope SQL injection attack
related to 0016898 (closed, dregad): Dropping deprecated database API function db_query()
related to 0016940 (closed, dregad): undefined function db_params() in core/news_api.php
related to 0017812 (closed, dregad): CVE-2014-8554: SQL injection in SOAP API

Activities

atrol (developer), 2014-01-27 16:00, ~0039201

This commit introduces a regression in the graph plugin.
You get the following error on the summary page when selecting graphs by priority, severity or resolution:

Database query failed. Error received from database was 0001064: You have an error in your SQL syntax;

dregad (developer), 2014-01-28 05:07, ~0039211

Paul missed a couple of replacements of db_query() by db_query_bound(). Fixed that, and sorry for sloppy testing before pushing the changes.

dregad (developer), 2014-02-08 16:47, ~0039354

Can't believe this patch introduced three regressions :-o

sloppy coding
sloppy testing

:-(

Related Changesets

MantisBT: master-1.2.x 7efe0175
2014-01-17 11:24
Paul Richards
Committer: dregad

Fix CVE-2014-1609: SQL injection vulnerabilities

Additional cases of db_query() instead of db_query_bound() usage,
potentially allowing SQL injection attacks due to unsanitized use of
parameters within the query.

This includes vboctor's 2 comments.

Fixes 0016880

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Conflicts:
admin/db_stats.php
plugins/MantisGraph/pages/bug_graph_bycategory.php
plugins/MantisGraph/pages/bug_graph_bystatus.php
proj_doc_page.php

Affected Issues: 0016880
Files:
mod - admin/db_stats.php
mod - api/soap/mc_project_api.php
mod - core/news_api.php
mod - core/summary_api.php
mod - plugins/MantisGraph/core/graph_api.php
mod - plugins/MantisGraph/pages/bug_graph_bycategory.php
mod - plugins/MantisGraph/pages/bug_graph_bystatus.php
mod - proj_doc_page.php

MantisBT: master 7d768276
2014-01-17 11:24
Paul Richards
Committer: dregad

Fix CVE-2014-1609: SQL injection vulnerabilities

Additional cases of db_query() instead of db_query_bound() usage,
potentially allowing SQL injection attacks due to unsanitized use of
parameters within the query.

This includes vboctor's 2 comments.

Fixes 0016880

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Affected Issues: 0016880
Files:
mod - admin/db_stats.php
mod - api/soap/mc_project_api.php
mod - core/news_api.php
mod - core/summary_api.php
mod - plugins/MantisGraph/core/graph_api.php
mod - plugins/MantisGraph/pages/bug_graph_bycategory.php
mod - plugins/MantisGraph/pages/bug_graph_bystatus.php
mod - proj_doc_page.php

MantisBT: master-1.2.x a3c93584
2014-01-28 00:00
dregad

Fix 0016880: regression introduced by original patch

Affected Issues: 0016880
Files:
mod - plugins/MantisGraph/core/graph_api.php

MantisBT: master cf596c27
2014-01-28 00:00
dregad

Fix 0016880: regression introduced by original patch

Affected Issues: 0016880
Files:
mod - plugins/MantisGraph/core/graph_api.php

MantisBT: master-1.2.x 56fcd1c0
2014-01-28 00:00
dregad

Fix 0016880: another one

Affected Issues: 0016880
Files:
mod - plugins/MantisGraph/core/graph_api.php

MantisBT: master 0db530a8
2014-01-28 00:00
dregad

Fix 0016880: another one

Affected Issues: 0016880
Files:
mod - plugins/MantisGraph/core/graph_api.php

MantisBT: master-1.2.x 05b3bb4d
2014-02-08 11:38
dregad

Fix 0016940: undefined function db_params() in news_api.php

Regression introduced by 7efe0175f0853e18ebfacedfd2374c4179028b3f
(fix for issue 0016880)

Affected Issues: 0016880, 0016940
Files:
mod - core/news_api.php

MantisBT: master 7fef194b
2014-02-08 11:38
dregad

Fix 0016940: undefined function db_params() in news_api.php

Regression introduced by 7efe0175f0853e18ebfacedfd2374c4179028b3f
(fix for issue 0016880)

Affected Issues: 0016880, 0016940
Files:
mod - core/news_api.php

MantisBT: master-1.2.x 99ffb0af
2014-10-30 06:31
dregad

SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in 0016880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

The same issue was also reported by Paul Richards in issue 0017823.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes 0017812, CVE-2014-8554

Affected Issues: 0016880, 0017812, 0017823
Files:
mod - api/soap/mc_project_api.php

MantisBT: master 5faf97ab
2014-10-30 06:31
dregad

SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in 0016880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

The same issue was also reported by Paul Richards in issue 0017823.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes 0017812, CVE-2014-8554

Affected Issues: 0016880, 0017812, 0017823
Files:
mod - api/soap/mc_project_api.php
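As an added illustration (not code from MantisBT or from this issue), the three query patterns this issue and its CVE-2014-8554 follow-up trace, written in Python against an in-memory SQLite table that stands in for the project file table: interpolating the value into the SQL text as db_query() callers did, binding it through a placeholder as db_query_bound() does, and casting the project id to an integer before binding. The table, rows and function names are constructed for the example; note that Python's int() rejects a non-numeric id where PHP's (int) cast would truncate it.

```python
import sqlite3

# Constructed sample data: (id, project_id, filename), standing in for
# MantisBT's project file table. Not real MantisBT data.
SAMPLE_ROWS = [
    (1, 10, "design.pdf"),
    (2, 10, "notes.txt"),
    (3, 20, "internal.doc"),
]


def make_db():
    """Build the in-memory stand-in table and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE project_file (id INTEGER, project_id INTEGER, filename TEXT)"
    )
    con.executemany("INSERT INTO project_file VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def attachments_unbound(con, project_id):
    """db_query() style: the caller's value becomes part of the SQL text.
    Anything that is not a bare number changes the query's meaning."""
    sql = f"SELECT filename FROM project_file WHERE project_id = {project_id} ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def attachments_bound(con, project_id):
    """db_query_bound() style: a placeholder plus a bound parameter.
    The value is delivered to the engine as data, never parsed as SQL."""
    sql = "SELECT filename FROM project_file WHERE project_id = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (project_id,))]


def attachments_typed(con, project_id):
    """The follow-up fix: enforce the parameter's type before it is bound.
    Defence in depth: even a future unbound call site would only ever see
    an integer. Raises ValueError on a non-numeric id (PHP's (int) cast
    would instead silently truncate), which the caller should turn into
    a proper request error."""
    return attachments_bound(con, int(project_id))


def hostile_id_is_neutralised(con, hostile_id):
    """Regression check a defender adds after a fix like this one: the
    bound query must return nothing for a non-numeric id, and the typed
    wrapper must refuse it outright."""
    bound_empty = attachments_bound(con, hostile_id) == []
    try:
        attachments_typed(con, hostile_id)
        typed_refused = False
    except ValueError:
        typed_refused = True
    return bound_empty and typed_refused
```

With a benign id all three functions agree, which is why testing only with well-formed input let the original gap go unnoticed; the hostile-id check is the test that would have caught it.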