View Issue Details

ID: 0006419
Project: mantisbt
Category: security
View Status: public
Last Update: 2006-10-09 11:55
Reporter: thraxisp
Assigned To: thraxisp
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 0.19.3
Fixed in Version: 0.19.4
Summary: 0006419: File Upload Vulnerability (TKADV2005-11-002)
Description

From Tobias Klein (tk at trapkit.de)

[8] Upload files with arbitrary size

Possible damage: Medium
Probability of occurrence: Low
Resulting threat: Low

HTTP method: POST

Vulnerability description:

When the uploading functionality is activated (see config_inc.php)
it is possible to upload files with an arbitrary size.

Normally uploaded files have a max size of 2,000k. This gets
enforced by the form-data parameter 'name="max_file_size"'. It is
possible to manipulate this parameter to an arbitrary value. As the
file gets directly uploaded to the database it is possible to fill
the available disk space of the database and cause a denial of
service.

Site with vulnerable POST form:

[path_to_mantis]/view.php?id=1

Vulnerable POST request:

POST [path_to_mantis]/bug_file_add.php HTTP/1.1

[...]

-----------------------------263932646429032
Content-Disposition: form-data; name="bug_id"

1
-----------------------------263932646429032
Content-Disposition: form-data; name="max_file_size"

2000000 <--- this value can be easily modified

[...]

Other URLs with vulnerable upload feature:

[path_to_mantis]/bug_report.php
[path_to_mantis]/bug_report_advanced_page.php
[path_to_mantis]/proj_doc_add_page.php
Tags: No tags attached.

Relationships

has duplicate 0006463 closed thraxisp Upload files with arbitrary size

Activities

thraxisp

2005-11-20 21:49

reporter   ~0011637

Fixed in 0.19.4.

constant_inc.php -> 1.33.6.1
core/file_api.php -> 1.60.6.1
lang/strings_english.txt -> 1.221.4.1;
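
A server-side size check of the kind this report calls for, as an added example that is not MantisBT's code or the 0.19.4 fix: the limit comes from server configuration and the request's max_file_size field is never read. UPLOAD_MAX_BYTES, check_upload() and the form field name 'file' are hypothetical.

```php
<?php
// Added example, not MantisBT code. UPLOAD_MAX_BYTES, check_upload() and the
// 'file' field name are hypothetical names chosen for illustration.

// Limit defined on the server only; 2,000,000 matches the form value in the report.
const UPLOAD_MAX_BYTES = 2000000;

/**
 * Validate one $_FILES entry. Returns 'ok', 'too_big' or 'upload_failed'.
 * $_POST['max_file_size'] is deliberately never consulted: it is client data.
 */
function check_upload(array $file, int $limit = UPLOAD_MAX_BYTES): string
{
    switch ($file['error'] ?? UPLOAD_ERR_NO_FILE) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:   // larger than upload_max_filesize in php.ini
        case UPLOAD_ERR_FORM_SIZE:  // larger than the form's own size field
            return 'too_big';
        default:
            return 'upload_failed';
    }

    // Only accept a file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'upload_failed';
    }

    // Measure the bytes on disk rather than trusting any reported size.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size > $limit) {
        return 'too_big';
    }
    return 'ok';
}

// Handler usage: reject before the content is read or written to the database.
if (isset($_FILES['file'])) {
    $result = check_upload($_FILES['file']);
    if ($result !== 'ok') {
        http_response_code($result === 'too_big' ? 413 : 400);
        exit($result);
    }
    // From here the caller may read tmp_name and store the attachment.
}
```

The php.ini settings upload_max_filesize and post_max_size additionally bound what PHP accepts before any script code runs, so they should be set no higher than the application needs.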