View Issue Details

ID: 0017012
Project: mantisbt
Category: installation
View Status: public
Last Update: 2014-12-29 19:22
Reporter: olimonf
Assigned To: dregad
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Apache with PHP Module
OS: Windows
OS Version: 7
Product Version: 1.2.16
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary: 0017012: Quotes not escaped on install
Description

Quotes aren't escaped in Mantis installation. For example, if my MySQL server password is 'myPass123' [with the quotes] the config_inc.php file will be saved as: "$g_db_password = ''myPass123'';" causing a crash of fatal error in mantis (Parse error: syntax error, unexpected 'myPass123' (T_STRING)).

This can happen with any vars and probably it's vulnerable to SQL Injection.

Steps To Reproduce

1. Extract a new / not installed Mantis file in your webDir
2. Go to install
3. Create a temporary user in your database with password 'toor' [with quotes]
4. Install mantis with the credentials of this temp user
5. Mantis cannot load.

Tags: No tags attached.

Relationships

related to 0012908 (closed, dregad): PHP remote code execution in install.php

Activities

dregad

2014-02-26 09:42

developer   ~0039553

Strings are now escaped with addslashes() where applicable.

"this can happen with any vars and probably it's vulnerable to SQL Injection"

I don't think this could lead to injection attacks, as these variables are not used in SQL queries. If you do find such a vulnerability, kindly open a private issue on this tracker with steps to reproduce it.

Related Changesets

MantisBT: master aa962973

2014-02-26 07:28:34

dregad

Install: escape strings in generated config_inc.php

Fixes 0017012
mod - admin/install.php

MantisBT: master 38325e28

2014-12-29 19:12:19

dregad

Install: escape strings inserted in config_inc.php

This ensures it is not possible to inject arbitrary PHP code into the
generated config file.

Fixes 0012908, 0017012
mod - admin/install.php
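
The failure in the report and the addslashes() fix named in note ~0039553, as an added example that is not MantisBT's install.php code: it builds the config line three ways, syntax-checks each without executing it, and compares the value PHP would assign with the original. All function names are hypothetical, the var_export() variant is an assumption shown for comparison, and the second password is a constructed sample.

```php
<?php
// Added illustration, not MantisBT's admin/install.php; all function names are hypothetical.

// Behaviour described in the report: the value is pasted between single quotes as-is.
function line_unescaped(string $name, string $value): string {
    return "\$g_{$name} = '{$value}';";
}

// Fix named in note ~0039553: addslashes() before embedding the value.
function line_addslashes(string $name, string $value): string {
    return "\$g_{$name} = '" . addslashes($value) . "';";
}

// Alternative (assumption, not the project's fix): var_export() emits a complete PHP literal.
function line_var_export(string $name, string $value): string {
    return "\$g_{$name} = " . var_export($value, true) . ';';
}

// Syntax-check a generated line without executing it (TOKEN_PARSE, PHP 7.0+).
function parses(string $line): bool {
    try {
        token_get_all("<?php\n" . $line, TOKEN_PARSE);
        return true;
    } catch (ParseError $e) {
        return false;
    }
}

// Value PHP would assign: decode the first single-quoted literal (only \\ and \' are escapes there).
function assigned_value(string $line): ?string {
    foreach (token_get_all("<?php\n" . $line) as $tok) {
        if (is_array($tok) && $tok[0] === T_CONSTANT_ENCAPSED_STRING) {
            return strtr(substr($tok[1], 1, -1), ['\\\\' => '\\', "\\'" => "'"]);
        }
    }
    return null;
}

// Constructed sample values: the password from the report, plus one with a double quote and a backslash.
foreach (["'myPass123'", 'p"w\\d'] as $pw) {
    foreach (['line_unescaped', 'line_addslashes', 'line_var_export'] as $fn) {
        $line = $fn('db_password', $pw);
        $ok = parses($line);
        $same = $ok && assigned_value($line) === $pw;
        printf("%-16s %-34s parses=%-3s round-trips=%s\n", $fn, $line, $ok ? 'yes' : 'no', $same ? 'yes' : 'no');
    }
}
```

In a single-quoted PHP literal only `\\` and `\'` are escape sequences, so the backslash that addslashes() puts before a double quote stays in the stored value; the round-trip column makes that visible.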

Issue History

Date Modified Username Field Change
2014-02-20 13:05 olimonf New Issue
2014-02-26 09:40 dregad Changeset attached => MantisBT master aa962973
2014-02-26 09:40 dregad Assigned To => dregad
2014-02-26 09:40 dregad Status new => resolved
2014-02-26 09:40 dregad Resolution open => fixed
2014-02-26 09:40 dregad Fixed in Version => 1.3.0-beta.1
2014-02-26 09:40 dregad Target Version => 1.3.0-beta.1
2014-02-26 09:42 dregad Note Added: 0039553
2014-12-08 00:34 vboctor Status resolved => closed
2014-12-29 19:15 dregad Relationship added related to 0012908
2014-12-29 19:22 dregad Changeset attached => MantisBT master 38325e28