View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0016880 | mantisbt | security | public | 2014-01-24 10:32 | 2014-11-01 19:40 |
Reporter | dregad | Assigned To | dregad | | |
Priority | immediate | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | | |
Product Version | 1.2.15 | | | | |
Target Version | 1.2.16 | Fixed in Version | 1.2.16 | | |
Summary | 0016880: CVE-2014-1609: SQL injection vulnerabilities | | | | |
Description | Following root cause analysis for 0016879, additional uses of db_query() instead of db_query_bound() were discovered, which could potentially lead to SQL injection exploits. | | | | |
Tags | No tags attached. | | | | |
related to | 0016879 | closed | dregad | CVE-2014-1608: soap:Envelope SQL injection attack |
related to | 0016898 | closed | dregad | Dropping deprecated database API function db_query() |
related to | 0016940 | closed | dregad | undefined function db_params() in core/news_api.php |
related to | 0017812 | closed | dregad | CVE-2014-8554: SQL injection in SOAP API |
This commit introduces a regression in the graph plugin. Database query failed. Error received from database was 1064: You have an error in your SQL syntax;

Paul missed a couple of replacements of db_query() by db_query_bound() - fixed that, and sorry for sloppy testing before pushing the changes.

Can't believe this patch introduced three regressions :-o sloppy coding :-(
MantisBT: master-1.2.x 7efe0175 2014-01-17 11:24 Paul Richards Committer: dregad

Fix CVE-2014-1609: SQL injection vulnerabilities

Additional cases of db_query() instead of db_query_bound() usage, potentially allowing SQL injection attacks due to unsanitized use of parameters within the query. This includes vboctor's 2 comments.

Fixes 0016880
Signed-off-by: Damien Regad <dregad@mantisbt.org>

Conflicts:
admin/db_stats.php
plugins/MantisGraph/pages/bug_graph_bycategory.php
plugins/MantisGraph/pages/bug_graph_bystatus.php
proj_doc_page.php

Affected Issues: 0016880

mod - admin/db_stats.php
mod - api/soap/mc_project_api.php
mod - core/news_api.php
mod - core/summary_api.php
mod - plugins/MantisGraph/core/graph_api.php
mod - plugins/MantisGraph/pages/bug_graph_bycategory.php
mod - plugins/MantisGraph/pages/bug_graph_bystatus.php
mod - proj_doc_page.php
MantisBT: master 7d768276 2014-01-17 11:24 Paul Richards Committer: dregad

Fix CVE-2014-1609: SQL injection vulnerabilities

Additional cases of db_query() instead of db_query_bound() usage, potentially allowing SQL injection attacks due to unsanitized use of parameters within the query. This includes vboctor's 2 comments.

Fixes 0016880
Signed-off-by: Damien Regad <dregad@mantisbt.org>

Affected Issues: 0016880

mod - admin/db_stats.php
mod - api/soap/mc_project_api.php
mod - core/news_api.php
mod - core/summary_api.php
mod - plugins/MantisGraph/core/graph_api.php
mod - plugins/MantisGraph/pages/bug_graph_bycategory.php
mod - plugins/MantisGraph/pages/bug_graph_bystatus.php
mod - proj_doc_page.php
MantisBT: master-1.2.x a3c93584 2014-01-28 00:00

Fix 0016880: regression introduced by original patch

Affected Issues: 0016880

mod - plugins/MantisGraph/core/graph_api.php
MantisBT: master cf596c27 2014-01-28 00:00

Fix 0016880: regression introduced by original patch

Affected Issues: 0016880

mod - plugins/MantisGraph/core/graph_api.php
MantisBT: master-1.2.x 56fcd1c0 2014-01-28 00:00

Fix 0016880: another one

Affected Issues: 0016880

mod - plugins/MantisGraph/core/graph_api.php
MantisBT: master 0db530a8 2014-01-28 00:00

Fix 0016880: another one

Affected Issues: 0016880

mod - plugins/MantisGraph/core/graph_api.php
MantisBT: master-1.2.x 05b3bb4d 2014-02-08 11:38

Fix 0016940: undefined function db_params() in news_api.php

Regression introduced by 7efe0175f0853e18ebfacedfd2374c4179028b3f (fix for issue 0016880)

Affected Issues: 0016880, 0016940

mod - core/news_api.php
MantisBT: master 7fef194b 2014-02-08 11:38

Fix 0016940: undefined function db_params() in news_api.php

Regression introduced by 7efe0175f0853e18ebfacedfd2374c4179028b3f (fix for issue 0016880)

Affected Issues: 0016880, 0016940

mod - core/news_api.php
MantisBT: master-1.2.x 99ffb0af 2014-10-30 06:31

SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880. Edwin Gozeling and Wim Visser from ITsec Security Services BV (http://www.itsec.nl) discovered that the fix in 0016880 did not fully address the problem. Their research demonstrates that using a specially crafted project id parameter, an attacker could still perform an SQL injection. The same issue was also reported by Paul Richards in issue 0017823.

This patch fixes the problem by typecasting the Project ID parameter to Integer.

Fixes 0017812, CVE-2014-8554

Affected Issues: 0016880, 0017812, 0017823

mod - api/soap/mc_project_api.php
MantisBT: master 5faf97ab 2014-10-30 06:31

SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880. Edwin Gozeling and Wim Visser from ITsec Security Services BV (http://www.itsec.nl) discovered that the fix in 0016880 did not fully address the problem. Their research demonstrates that using a specially crafted project id parameter, an attacker could still perform an SQL injection. The same issue was also reported by Paul Richards in issue 0017823.

This patch fixes the problem by typecasting the Project ID parameter to Integer.

Fixes 0017812, CVE-2014-8554

Affected Issues: 0016880, 0017812, 0017823

mod - api/soap/mc_project_api.php
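The two defects this issue tracks are the same pattern twice: a caller-supplied value spliced into SQL text (the db_query() call sites in the description) and, in the CVE-2014-8554 follow-up, a project id that still reached the query unbound and had to be typecast to an integer. The following is an added illustration written for this page, not code from MantisBT or from any of the commits listed above. It uses Python with an in-memory SQLite database; the table names `bug` and `bug_file`, the function names, the sample rows and the crafted id `1 OR 1=1` are all constructed for the example. Binding with a placeholder stands in for db_query_bound(), and `int()` stands in for the `(int)` typecast (Python's `int()` raises on non-numeric input where PHP's cast would silently keep the leading digits; in neither case does any SQL text derive from the input).

```python
import sqlite3

# Constructed sample data (not real MantisBT content): two projects with one
# attachment each. Project 2's file is what a crafted id is meant to reach.
SCHEMA = """
CREATE TABLE bug (id INTEGER PRIMARY KEY, project_id INTEGER NOT NULL);
CREATE TABLE bug_file (id INTEGER PRIMARY KEY, bug_id INTEGER NOT NULL,
                       filename TEXT NOT NULL);
INSERT INTO bug VALUES (1, 1), (2, 2);
INSERT INTO bug_file VALUES (10, 1, 'public.txt'), (20, 2, 'secret.txt');
"""

# One query template; the only difference between the two access paths
# below is what gets substituted for {}: SQL text, or a "?" placeholder.
ATTACHMENT_QUERY = (
    "SELECT f.filename FROM bug_file f "
    "JOIN bug b ON b.id = f.bug_id "
    "WHERE b.project_id = {} "
    "ORDER BY f.id"
)


def make_db():
    """Fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_attachments_unbound(conn, project_id):
    """Vulnerable form: the caller's value becomes part of the SQL text,
    the way the pre-fix db_query() call sites assembled their queries."""
    sql = ATTACHMENT_QUERY.format(project_id)
    return [row[0] for row in conn.execute(sql)]


def get_attachments_bound(conn, project_id):
    """Hardened form: integer typecast first (the CVE-2014-8554 fix), then a
    bound parameter (the db_query_bound() analogue). The database receives
    the query text and the value separately, so the value cannot alter the
    statement's structure."""
    clean_id = int(project_id)          # ValueError on "1 OR 1=1"
    sql = ATTACHMENT_QUERY.format("?")
    return [row[0] for row in conn.execute(sql, (clean_id,))]


def run_demo():
    """Exercise both forms with an honest id and a constructed crafted one,
    returning the observations so they can be checked programmatically."""
    conn = make_db()
    payload = "1 OR 1=1"                # hypothetical crafted project id
    results = {
        "unbound_honest": get_attachments_unbound(conn, 1),
        "unbound_payload": get_attachments_unbound(conn, payload),
        "bound_honest": get_attachments_bound(conn, "1"),
    }
    try:
        results["bound_payload"] = get_attachments_bound(conn, payload)
    except ValueError:
        results["bound_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With the crafted id the unbound form returns both projects' attachments, because the WHERE clause has become `b.project_id = 1 OR 1=1`; the bound form never builds that clause, and the typecast rejects the input before the query runs. The `ORDER BY f.id` is only there to make the result order deterministic for the check.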