2016-06-25 19:03 EDT

ID: 0016880
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-11-01 19:40
Reporter: dregad
Assigned To: dregad
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 1.2.16
Fixed in Version: 1.2.16
Summary: 0016880: CVE-2014-1609: SQL injection vulnerabilities
Description: Following root cause analysis for 0016879, additional uses of db_query() instead of db_query_bound() were discovered, which could potentially lead to SQL injection exploits.
Tags: No tags attached.
Attached Files: (none)
Relationships
related to 0016879 (closed, dregad): CVE-2014-1608: soap:Envelope SQL injection attack
related to 0016898 (closed, dregad): Dropping deprecated database API function db_query()
related to 0016940 (closed, dregad): undefined function db_params() in core/news_api.php
related to 0017812 (closed, dregad): CVE-2014-8554: SQL injection in SOAP API

Notes

~0039201 atrol (developer)

This commit introduces a regression in graph plugin.
You get the following error on summary page when selecting graphs by priority, severity or resolution:

Database query failed. Error received from database was 1064: You have an error in your SQL syntax;

~0039211 dregad (developer)

Paul missed a couple of replacements of db_query() by db_query_bound() - fixed that, and sorry for sloppy testing before pushing the changes

~0039354 dregad (developer)

Can't believe this patch introduced **three** regressions :-o

sloppy coding
sloppy testing

:-(

Related Changesets

MantisBT: master-1.2.x 7efe0175
Timestamp: 2014-01-17 16:24:29
Author: Paul Richards
Committer: dregad

Fix CVE-2014-1609: SQL injection vulnerabilities

Additional cases of db_query() instead of db_query_bound() usage,
potentially allowing SQL injection attacks due to unsanitized use of
parameters within the query.

This includes vboctor's 2 comments.

Fixes 0016880

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Conflicts:
admin/db_stats.php
plugins/MantisGraph/pages/bug_graph_bycategory.php
plugins/MantisGraph/pages/bug_graph_bystatus.php
proj_doc_page.php

mod - admin/db_stats.php
mod - api/soap/mc_project_api.php
mod - core/news_api.php
mod - core/summary_api.php
mod - plugins/MantisGraph/core/graph_api.php
mod - plugins/MantisGraph/pages/bug_graph_bycategory.php
mod - plugins/MantisGraph/pages/bug_graph_bystatus.php
mod - proj_doc_page.php

MantisBT: master 7d768276
Timestamp: 2014-01-17 16:24:29
Author: Paul Richards
Committer: dregad

Fix CVE-2014-1609: SQL injection vulnerabilities

Additional cases of db_query() instead of db_query_bound() usage,
potentially allowing SQL injection attacks due to unsanitized use of
parameters within the query.

This includes vboctor's 2 comments.

Fixes 0016880

Signed-off-by: Damien Regad <dregad@mantisbt.org>

mod - admin/db_stats.php
mod - api/soap/mc_project_api.php
mod - core/news_api.php
mod - core/summary_api.php
mod - plugins/MantisGraph/core/graph_api.php
mod - plugins/MantisGraph/pages/bug_graph_bycategory.php
mod - plugins/MantisGraph/pages/bug_graph_bystatus.php
mod - proj_doc_page.php

MantisBT: master-1.2.x a3c93584
Timestamp: 2014-01-28 05:00:04
Author: dregad

Fix 0016880: regression introduced by original patch

mod - plugins/MantisGraph/core/graph_api.php

MantisBT: master cf596c27
Timestamp: 2014-01-28 05:00:04
Author: dregad

Fix 0016880: regression introduced by original patch

mod - plugins/MantisGraph/core/graph_api.php

MantisBT: master-1.2.x 56fcd1c0
Timestamp: 2014-01-28 05:00:04
Author: dregad

Fix 0016880: another one

mod - plugins/MantisGraph/core/graph_api.php

MantisBT: master 0db530a8
Timestamp: 2014-01-28 05:00:04
Author: dregad

Fix 0016880: another one

mod - plugins/MantisGraph/core/graph_api.php

MantisBT: master-1.2.x 05b3bb4d
Timestamp: 2014-02-08 16:38:53
Author: dregad

Fix 0016940: undefined function db_params() in news_api.php

Regression introduced by 7efe0175f0853e18ebfacedfd2374c4179028b3f
(fix for issue 0016880)

mod - core/news_api.php

MantisBT: master 7fef194b
Timestamp: 2014-02-08 16:38:53
Author: dregad

Fix 0016940: undefined function db_params() in news_api.php

Regression introduced by 7efe0175f0853e18ebfacedfd2374c4179028b3f
(fix for issue 0016880)

mod - core/news_api.php

MantisBT: master-1.2.x 99ffb0af
Timestamp: 2014-10-30 10:31:36
Author: dregad

SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in 0016880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

The same issue was also reported by Paul Richards in issue #17823.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes 0017812, CVE-2014-8554

mod - api/soap/mc_project_api.php

MantisBT: master 5faf97ab
Timestamp: 2014-10-30 10:31:36
Author: dregad

SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in 0016880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

The same issue was also reported by Paul Richards in issue #17823.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes 0017812, CVE-2014-8554

mod - api/soap/mc_project_api.php

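The two fixes recorded in the changesets above, replacing db_query() string interpolation with db_query_bound() placeholders and then, for mc_project_get_attachments(), casting the project id to an integer, shown side by side as an added example. It is written in Python against an in-memory sqlite3 database rather than in MantisBT's PHP so it can be run offline; it is not MantisBT code. The table names, the sample rows, the crafted project id strings and the php_int_cast() helper are all constructed for the illustration and are assumptions, not the project's schema or API.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the tables the attachment lookup reads.
# Assumption: table and column names are illustrative, not MantisBT's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE project_file (id INTEGER PRIMARY KEY, project_id INTEGER, filename TEXT);
        INSERT INTO project VALUES (1, 'public-project'), (2, 'private-project');
        INSERT INTO project_file VALUES (1, 1, 'readme.txt'), (2, 2, 'secret-design.pdf');
    """)
    return conn


def get_attachments_vulnerable(conn, project_id):
    """db_query()-style call: the caller's value is pasted into the SQL text.

    Whatever the SOAP client sent as project id becomes part of the statement,
    so '1 OR 1=1' or '0 UNION SELECT ...' is executed as SQL.
    """
    sql = f"SELECT filename FROM project_file WHERE project_id = {project_id}"
    return [row[0] for row in conn.execute(sql)]


def get_attachments_bound(conn, project_id):
    """db_query_bound()-style call: a placeholder in the SQL, the value bound separately.

    The database never parses the bound value as SQL, so a crafted string
    simply fails to match any row instead of rewriting the query.
    """
    sql = "SELECT filename FROM project_file WHERE project_id = ?"
    return [row[0] for row in conn.execute(sql, (project_id,))]


def php_int_cast(value):
    """Approximation of PHP's (int) cast on a string (assumption; PHP has more corner cases):
    leading whitespace, an optional sign and digits are read, anything else yields 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def get_attachments_typecast(conn, project_id):
    """The CVE-2014-8554 follow-up in isolation: force the id to an integer before
    it reaches the query, so the interpolated text can only ever be a number.
    Binding remains the primary fix; the cast is defence in depth on top of it."""
    project_id = php_int_cast(project_id)
    sql = f"SELECT filename FROM project_file WHERE project_id = {project_id}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    crafted = "0 UNION SELECT name FROM project"  # constructed attacker input
    print("vulnerable:", get_attachments_vulnerable(conn, crafted))  # leaks project names
    print("bound:     ", get_attachments_bound(conn, crafted))       # no rows
    print("typecast:  ", get_attachments_typecast(conn, crafted))    # no rows
```

Run directly, the script shows the interpolated query returning rows from a table the caller was never meant to read, while both hardened variants return nothing for the same input. The cast only helps for parameters that are integers by contract; string parameters such as filenames or usernames still need binding, which is why the commit that dropped db_query() altogether (0016898) is the structural fix.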
Issue History
Date Modified | Username | Field | Change
2014-01-24 10:32 dregad New Issue
2014-01-24 10:32 dregad Status new => assigned
2014-01-24 10:32 dregad Assigned To => grangeway
2014-01-24 10:32 dregad Relationship added related to 0016879
2014-01-24 18:52 dregad Changeset attached => MantisBT master-1.2.x 7efe0175
2014-01-24 18:52 dregad Assigned To grangeway => dregad
2014-01-24 18:52 dregad Status assigned => resolved
2014-01-24 18:52 dregad Resolution open => fixed
2014-01-24 18:52 dregad Fixed in Version => 1.2.16
2014-01-24 18:52 dregad Changeset attached => MantisBT master 7d768276
2014-01-27 16:00 atrol Note Added: 0039201
2014-01-27 16:00 atrol Status resolved => feedback
2014-01-27 16:00 atrol Resolution fixed => reopened
2014-01-28 05:02 dregad Changeset attached => MantisBT master-1.2.x a3c93584
2014-01-28 05:02 dregad Status feedback => resolved
2014-01-28 05:03 dregad Changeset attached => MantisBT master cf596c27
2014-01-28 05:06 dregad Changeset attached => MantisBT master-1.2.x 56fcd1c0
2014-01-28 05:06 dregad Changeset attached => MantisBT master 0db530a8
2014-01-28 05:07 dregad Note Added: 0039211
2014-01-28 05:39 dregad Relationship added related to 0016898
2014-02-07 18:20 dregad Resolution reopened => fixed
2014-02-07 18:21 dregad View Status private => public
2014-02-07 18:24 dregad Status resolved => closed
2014-02-08 16:38 dregad Relationship added related to 0016940
2014-02-08 16:42 dregad Changeset attached => MantisBT master-1.2.x 05b3bb4d
2014-02-08 16:44 dregad Changeset attached => MantisBT master 7fef194b
2014-02-08 16:47 dregad Note Added: 0039354
2014-10-30 04:05 dregad Relationship added related to 0017812
2014-11-01 19:40 dregad Changeset attached => MantisBT master-1.2.x 99ffb0af
2014-11-01 19:40 dregad Changeset attached => MantisBT master 5faf97ab