View Issue Details

IDProjectCategoryView StatusLast Update
0017012mantisbtinstallationpublic2014-12-29 19:22
ReporterolimonfAssigned Todregad 
Status closedResolutionfixed 
PlatformApache with PHP ModuleOSWindowsOS Version7
Product Version1.2.16 
Target Version1.3.0-beta.1Fixed in Version1.3.0-beta.1 
Summary0017012: Quotes not escaped on install

Quotes aren't escaped in Mantis installation, For examle if my MySQL server password is 'myPass123' [with the quotes] the config_inc.php file will be saved as: "$g_db_password = ''myPass123'';" causing a crash of fatal error in mantis (Parse error: syntax error, unexpected 'myPass123' (T_STRING)).

this can happen with any vars and probably its vunerable to SQL Injection.

Steps To Reproduce

Extract a new / not installed Manits file in your webDir
Go to install
Create a temporary user in your database with password 'toor' [with quotes]
Install mantis with the credentials of this temp user
Mantis will cannot load.

TagsNo tags attached.


related to 0012908 closeddregad PHP remote code execution in install.php 




2014-02-26 09:42

developer   ~0039553

Strings are now escaped with addslashes() where applicable.

this can happen with any vars and probably its vunerable to SQL Injection

I don't think this could lead to injection attacks, as these variables are not used in SQL queries. If you do find such a vulnerability, kindly open a private issue on this tracker with steps to reproduce it.

Related Changesets

MantisBT: master aa962973

2014-02-26 07:28:34


Details Diff
Install: escape strings in generated config_inc.php

Fixes 0017012
mod - admin/install.php Diff File

MantisBT: master 38325e28

2014-12-29 19:12:19


Details Diff
Install: escape strings inserted in config_inc.php

This ensures it is not possible to inject arbitrary PHP code into the
generated config file.

Fixes 0012908, 0017012
mod - admin/install.php Diff File

Issue History

Date Modified Username Field Change
2014-02-20 13:05 olimonf New Issue
2014-02-26 09:40 dregad Changeset attached => MantisBT master aa962973
2014-02-26 09:40 dregad Assigned To => dregad
2014-02-26 09:40 dregad Status new => resolved
2014-02-26 09:40 dregad Resolution open => fixed
2014-02-26 09:40 dregad Fixed in Version => 1.3.0-beta.1
2014-02-26 09:40 dregad Target Version => 1.3.0-beta.1
2014-02-26 09:42 dregad Note Added: 0039553
2014-12-08 00:34 vboctor Status resolved => closed
2014-12-29 19:15 dregad Relationship added related to 0012908
2014-12-29 19:22 dregad Changeset attached => MantisBT master 38325e28