View Issue Details

IDProjectCategoryView StatusLast Update
0009154mantisbtsecuritypublic2008-06-17 02:48
ReportergialluAssigned Togiallu 
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version1.1.1 
Target Version1.1.2Fixed in Version1.1.2 
Summary0009154: arbitrary file inclusion through user preferences page
Description

Reported by:
SEC Consult Vulnerability Lab / www.sec-consult.com

Vulnerability overview:

Due to unchecked user input, arbitrary files can be included within a PHP require_once() statement. Input length is limited to 32 characters. This vulnerability allows for reading arbitrary files on the affected webserver, as well as code execution if the attacker can put php code in any includable file (which is possible in most scenarios).

Vulnerability description:

Vulnerable files/objects: core/lang_api.php, account_prefs_update.php

Line 37 (in "core/lang_api.php") loads text file with user-supplied language preference.

---cut here---
require_once( $t_langdir . 'strings' . $p_lang . '.txt' );
---cut here---

Proof of concept:

Use account_prefs_update.php to set language to something like:

language=urdu.txt/../../../../etc/passwd%00

TagsNo tags attached.

Relationships

parent of 0009187 closedgiallu arbitrary file inclusion through user preferences page 

Activities

giallu

giallu

2008-05-15 12:44

reporter   ~0017847

A fix was committed in revision 5270. Basically, a validation routine is run on language names passed as form arguments, and the value is used only if it matches one of the existing languages.

giallu

giallu

2008-06-17 02:41

reporter   ~0018119

Making this public

Related Changesets

MantisBT: master-1.1.x d1fd0451

2008-05-15 16:37:46

giallu

Details Diff
Fix 9154: arbitrary file inclusion through user preferences page

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5270 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9
mod - core/lang_api.php Diff File
mod - account_prefs_update.php Diff File
mod - core/user_pref_api.php Diff File

Issue History

Date Modified Username Field Change
2008-05-15 10:01 giallu New Issue
2008-05-15 12:37 giallu Summary arbitrary file inclusion thorugh user preferences page => arbitrary file inclusion through user preferences page
2008-05-15 12:44 giallu Status new => resolved
2008-05-15 12:44 giallu Fixed in Version => 1.1.2
2008-05-15 12:44 giallu Resolution open => fixed
2008-05-15 12:44 giallu Assigned To => giallu
2008-05-15 12:44 giallu Note Added: 0017847
2008-05-21 04:12 giallu Issue cloned: 0009187
2008-05-21 04:12 giallu Relationship added parent of 0009187
2008-06-17 02:41 giallu Note Added: 0018119
2008-06-17 02:41 giallu View Status private => public
2008-06-17 02:48 giallu Status @0@ => closed
2008-10-20 20:20 Changeset attached master-1.1.x 97897a05 =>
2008-11-11 09:03 giallu Changeset attached master-1.1.x d1fd0451 =>