MantisBT issue tracker (viewed anonymously, 2010-02-09 08:22 EST)
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0009154 | mantisbt | security | public | 2008-05-15 10:01 | 2008-06-17 02:48 |

| Field | Value |
|---|---|
| Reporter | giallu |
| Assigned To | giallu |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | |
| OS | |
| OS Version | |
| Product Version | 1.1.1 |
| Target Version | 1.1.2 |
| Fixed in Version | 1.1.2 |
| Tags | No tags attached. |
| Attached Files | |

Summary: 0009154: arbitrary file inclusion through user preferences page

Description (as submitted):

```text
Reported by: SEC Consult Vulnerability Lab / www.sec-consult.com

Vulnerability overview:
-----------------------
Due to unchecked user input, arbitrary files can be included within a PHP
require_once() statement. Input length is limited to 32 characters.

This vulnerability allows for reading arbitrary files on the affected
webserver, as well as code execution if the attacker can put php code in any
includable file (which is possible in most scenarios).

Vulnerability description:
--------------------------
Vulnerable files/objects: core/lang_api.php, account_prefs_update.php

Line 37 (in "core/lang_api.php") loads text file with user-supplied language
preference.

---cut here---
require_once( $t_lang_dir . 'strings_' . $p_lang . '.txt' );
---cut here---

Proof of concept:
-----------------
Use account_prefs_update.php to set language to something like:

language=urdu.txt/../../../../etc/passwd%00
```
Notes

giallu (developer) 2008-05-15 12:44

A fix was committed in revision 5270. Basically, a validation routine is run on language names passed as form arguments, and the value is used only if it matches one of the existing languages.

giallu (developer) 2008-06-17 02:41

Making this public
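The pattern behind this report and the allowlist check the fix note describes, side by side, as an added example that is not MantisBT's own code (the function names, the language list and the paths are assumptions made for the illustration):

```php
<?php
// Added example, not MantisBT code. It models the pattern behind issue
// 0009154 (1.1.1) and the "use the value only if it matches a known
// language" check from the fix note. Function names, the language list and
// the directory are assumptions.

// Constructed sample: languages this deployment actually ships as
// lang/strings_<name>.txt files.
$g_language_choices = array( 'english', 'german', 'urdu' );

// Before: the preference value is concatenated straight into the include
// path. A value such as urdu.txt/../../../../etc/passwd%00 walks out of the
// language directory; on PHP releases before 5.3.4 the NUL byte also cuts
// off the trailing ".txt" when the path is opened.
function lang_file_unchecked( $p_lang_dir, $p_lang ) {
	return $p_lang_dir . 'strings_' . $p_lang . '.txt';
}

// After: only a name that appears in the known-language list is used; any
// other value, including traversal sequences and NUL bytes, falls back to
// the default. Strict comparison (third argument) avoids loose-typing
// surprises such as 0 == 'english', which was true before PHP 8.
function lang_validate( $p_lang, array $p_known, $p_default = 'english' ) {
	if ( in_array( $p_lang, $p_known, true ) ) {
		return $p_lang;
	}
	return $p_default;
}

function lang_file_checked( $p_lang_dir, $p_lang, array $p_known ) {
	return $p_lang_dir . 'strings_' . lang_validate( $p_lang, $p_known ) . '.txt';
}

// Constructed inputs: a legitimate preference and the advisory's proof of
// concept (the %00 already URL-decoded to a NUL byte, as PHP would do).
$t_lang_dir = '/var/www/mantisbt/lang/';
$t_inputs   = array( 'german', "urdu.txt/../../../../etc/passwd\0" );

foreach ( $t_inputs as $t_value ) {
	// addcslashes renders the NUL visibly as \000 so the output is readable.
	printf( "input    : %s\n", addcslashes( $t_value, "\0" ) );
	printf( "unchecked: %s\n", addcslashes( lang_file_unchecked( $t_lang_dir, $t_value ), "\0" ) );
	printf( "checked  : %s\n\n", lang_file_checked( $t_lang_dir, $t_value, $g_language_choices ) );
}
```

The point of the allowlist is that it never tries to sanitise the attacker's string (stripping `../` or NUL bytes is easy to get wrong); the preference is treated as a selector into a fixed set, and anything outside that set is replaced by the default before it reaches `require_once()`.
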
Related Changesets

MantisBT: master-1.1.x d1fd0451, Timestamp: 2008-05-15 16:37:46, Author: giallu

Fix 9154: arbitrary file inclusion through user preferences page

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5270 f5dc347c-c33d-0410-90a0-b07cc1902cb9

| Change | File |
|---|---|
| mod | core/lang_api.php |
| mod | account_prefs_update.php |
| mod | core/user_pref_api.php |
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2008-05-15 10:01 | giallu | New Issue | |
| 2008-05-15 12:37 | giallu | Summary | arbitrary file inclusion thorugh user preferences page => arbitrary file inclusion through user preferences page |
| 2008-05-15 12:44 | giallu | Status | new => resolved |
| 2008-05-15 12:44 | giallu | Fixed in Version | => 1.1.2 |
| 2008-05-15 12:44 | giallu | Resolution | open => fixed |
| 2008-05-15 12:44 | giallu | Assigned To | => giallu |
| 2008-05-15 12:44 | giallu | Note Added: 0017847 | |
| 2008-05-21 04:12 | giallu | Issue cloned | 0009187 |
| 2008-05-21 04:12 | giallu | Relationship added | parent of 0009187 |
| 2008-06-17 02:41 | giallu | Note Added: 0018119 | |
| 2008-06-17 02:41 | giallu | View Status | private => public |
| 2008-06-17 02:48 | giallu | Status | @0@ => closed |
| 2008-10-20 20:20 | | Changeset attached | master-1.1.x 97897a05 => |
| 2008-11-11 09:03 | giallu | Changeset attached | master-1.1.x d1fd0451 => |
MantisBT 1.2.0rc2 (git live). Copyright © 2000 - 2010 MantisBT Group.