View Issue Details

ID: 0006420
Project: mantisbt
Category: security
View Status: public
Last Update: 2006-10-09 11:55
Reporter: thraxisp
Assigned To: thraxisp
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 0.19.3
Fixed in Version: 0.19.4
Summary: 0006420: Injection Vulnerabilities in Filters (TKADV2005-11-002)
Description

From Tobias Klein (tk at trapkit.de)

[1] SQL Injection

Possible damage: Critical
Probability of occurrence: High
Resulting threat: Critical

HTTP method: GET

Vulnerability description:

Mantis is prone to a SQL injection vulnerability. This issue is
due to a lack of proper sanitization of user-supplied input before
using it in an SQL query.

Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.

Vulnerable URL:

[path_to_mantis]/view_all_set.php?sort=

Proof of Concept:

[path_to_mantis]/view_all_set.php?sort=priority'

plus

I came across several security-related problems in the latest version of
Mantis after a quick review of the code. Maybe I'll take a further look
at the code in the next few days.

/view_all_set.php:
GET: ?type=1&handler_id=1&hide_status=[XSS]
GET: ?type=1&handler_id=[XSS]
GET: ?type=1&temporary=y&user_monitor=[XSS]
GET: ?type=1&temporary=y&reporter_id=[XSS]
GET: ?type=6&view_type=[XSS]
GET: ?type=1&show_severity=[XSS]
GET: ?type=1&show_category=[XSS]
GET: ?type=1&show_status=[XSS]

GET: ?type=1&show_resolution=[XSS]
GET: ?type=1&show_build=[XSS]
GET: ?type=1&show_profile=[XSS]
GET: ?type=1&show_priority=[XSS]

GET: ?type=1&highlight_changed=[XSS]
GET: ?type=1&relationship_type=[XSS]
GET: ?type=1&relationship_bug=[XSS]
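
The advisory above describes the two defects abstractly: a sort column copied into SQL without validation, and filter parameters reflected into the page without output encoding. The following PHP is an added illustration of the standard mitigation for both, written for this page; it is not MantisBT code and not the fix referenced in the note below. The function names, the column allow-list and the sample requests are all hypothetical, and the block goes slightly beyond the report by also showing the integer-field case (handler_id, reporter_id and similar) alongside the sort and reflected-string cases.

```php
<?php
// Added example (not MantisBT code): allow-list validation of filter and sort
// parameters, the usual mitigation for the two issues in this report.
// Function names, column names and sample requests are hypothetical.

// Hypothetical set of sortable columns, keyed by the value the client may send.
// The client value is only ever used as a key; the SQL identifier comes from here.
const SORTABLE_COLUMNS = [
    'id'           => 'id',
    'priority'     => 'priority',
    'severity'     => 'severity',
    'status'       => 'status',
    'last_updated' => 'last_updated',
];

/**
 * Build an ORDER BY clause from untrusted input. The user-supplied string is
 * never concatenated into SQL: it is looked up in SORTABLE_COLUMNS, so a value
 * such as "priority'" is simply rejected. Returns null when the input is not
 * an allowed column or direction.
 */
function build_order_by(string $sort, string $dir = 'ASC'): ?string
{
    if (!array_key_exists($sort, SORTABLE_COLUMNS)) {
        return null;                 // unknown column: reject rather than "clean"
    }
    $dir = strtoupper($dir);
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        return null;
    }
    return 'ORDER BY ' . SORTABLE_COLUMNS[$sort] . ' ' . $dir;
}

/**
 * Integer filter fields (handler_id, reporter_id, user_monitor, ...) should be
 * parsed as integers, never echoed back or interpolated as strings.
 * Returns null for anything that is not a plain non-negative integer.
 */
function parse_id(string $value): ?int
{
    return preg_match('/^\d{1,10}$/', $value) === 1 ? (int) $value : null;
}

/**
 * Any filter value that is reflected into the page (hidden form fields,
 * a "current filter" summary) must be HTML-escaped at output time, with
 * quotes encoded so it is safe inside attribute values as well.
 */
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests mirroring the parameters named in the report:
// one benign, one carrying the kind of input the advisory is about.
$requests = [
    ['sort' => 'priority',  'handler_id' => '42',       'hide_status' => 'closed'],
    ['sort' => "priority'", 'handler_id' => '1 OR 1=1', 'hide_status' => '<b>"x"</b>'],
];

foreach ($requests as $get) {
    $order   = build_order_by($get['sort']);
    $handler = parse_id($get['handler_id']);
    printf("sort=%s -> %s\n", $get['sort'], $order ?? 'REJECTED');
    printf("handler_id=%s -> %s\n", $get['handler_id'],
        $handler === null ? 'REJECTED' : (string) $handler);
    printf("hide_status (for HTML) -> %s\n\n", html_attr($get['hide_status']));
}
```

The design point is that identifiers (column names, sort direction) cannot be parameterised in SQL, so the only safe handling is an allow-list lookup, while values go through parameterised queries or strict type parsing, and escaping for HTML is a separate step applied at output, not at input.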

Tags: No tags attached.

Relationships

parent of 0006489 (closed, thraxisp): Port Injection Vulnerabilities in Filters (TKADV2005-11-002)
parent of 0006490 (closed, thraxisp): Port Injection Vulnerabilities in Filters (TKADV2005-11-002)

Activities

thraxisp (reporter), 2005-12-11 22:02, note ~0011776

Fixed in CVS.

core/filter_api.php -> 1.64.2.1.2.1