0009187: arbitrary file inclusion through user preferences page - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0009187	mantisbt	security	public	2008-05-21 04:12	2008-08-11 09:42

Reporter	giallu	Assigned To	giallu
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.2.0a1
Target Version	1.2.0a2	Fixed in Version	1.2.0a2

Summary	0009187: arbitrary file inclusion through user preferences page
Description	Reported by: SEC Consult Vulnerability Lab / www.sec-consult.com Vulnerability overview: Due to unchecked user input, arbitrary files can be included within a PHP require_once() statement. Input length is limited to 32 characters. This vulnerability allows for reading arbitrary files on the affected webserver, as well as code execution if the attacker can put php code in any includable file (which is possible in most scenarios). Vulnerability description: Vulnerable files/objects: core/lang_api.php, account_prefs_update.php Line 37 (in "core/lang_api.php") loads text file with user-supplied language preference. ---cut here--- require_once( $t_langdir . 'strings' . $p_lang . '.txt' ); ---cut here--- Proof of concept: Use account_prefs_update.php to set language to something like: language=urdu.txt/../../../../etc/passwd%00
Tags	No tags attached.

MantisBT: master ec955aaf 2008-07-11 13:18 giallu Details Diff	Fix 9187: arbitrary file inclusion through user preferences page git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5406 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9	Affected Issues 0009187
	mod - core/lang_api.php	Diff File
	mod - account_prefs_update.php	Diff File
	mod - core/user_pref_api.php	Diff File

Vulnerability overview:

giallu 2008-07-11 17:21 reporter ~0018373	Marking as public http://secunia.com/advisories/30270