View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0016879 | mantisbt | security | public | 2014-01-24 10:26 | 2014-02-07 18:24 |

Field | Value |
---|---|
Reporter | dregad |
Assigned To | dregad |
Priority | immediate |
Severity | major |
Reproducibility | have not tried |
Status | closed |
Resolution | fixed |
Product Version | 1.1.0a4 |
Target Version | 1.2.16 |
Fixed in Version | 1.2.16 |
Summary | 0016879: CVE-2014-1608: soap:Envelope SQL injection attack |
Description | The SOAP API can be used for SQL injection attacks. Pasting relevant extracts of the original e-mail report below. The xml sent to the soap webservice is sometimes validated, sometimes not. This It is definitely still an issue, but it's not 100% sure whether the XML request cannot be issued without a user account. The request allows |
Steps To Reproduce | If you would like to reproduce the issue, you could issue the following <?xml version="1.0" encoding="utf-8"?><soap:Envelope This request selects the username from mantis_user_table with id=1. The |
Additional Information | This issue was initially discovered and reported by e-mail by Andrea Barisani from oCERT, on behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security researcher at n.runs professionals GmbH (https://www.nruns.com), who discovered the issue during an audit at a customer's site on an up-to-date machine with the latest Mantis version (1.2.15). |
Tags | No tags attached. |
grangeway quickly identified the root cause and provided a fix for the issue [1].

[1] https://github.com/grangeway/mantisbt/commit/b930f0e44481439ca5bca6b438e55641d139f7e2

MantisBT: master-1.2.x 00b4c170 2014-01-17 11:24 Paul Richards Committer: dregad

Fix CVE-2014-1608: mc_issue_attachment_get SQL injection

Use of db_query() instead of db_query_bound() allowed SQL injection attacks due to unsanitized use of parameters within the query when using the SOAP API mc_issue_attachment_get.

This issue was reported by e-mail by Andrea Barisani from oCERT, on behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security researcher at n.runs professionals GmbH, who discovered the issue during an audit at a customer's site.

Fixes 0016879

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Conflicts: api/soap/mc_file_api.php

Affected Issues 0016879

mod - api/soap/mc_file_api.php

MantisBT: master 3be86ce3 2014-01-17 11:24 Paul Richards Committer: dregad

Fix CVE-2014-1608: mc_issue_attachment_get SQL injection

Use of db_query() instead of db_query_bound() allowed SQL injection attacks due to unsanitized use of parameters within the query when using the SOAP API mc_issue_attachment_get.

This issue was reported by e-mail by Andrea Barisani from oCERT, on behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security researcher at n.runs professionals GmbH, who discovered the issue during an audit at a customer's site.

Fixes 0016879

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Affected Issues 0016879

mod - api/soap/mc_file_api.php
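
The difference the commit message describes, between placing a request parameter in the query text and passing it as a bound value, shown as an added example that is not MantisBT's code or the actual patch. It assumes PDO with an in-memory SQLite database as a stand-in for MantisBT's db_query() and db_query_bound(); the table, rows and function names are constructed, and the integer check is an added assumption, not something the page says the fix contains.

```php
<?php
// Added illustration, not MantisBT code. PDO + in-memory SQLite stand in for
// MantisBT's database layer; table, rows and function names are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bug_file (id INTEGER PRIMARY KEY, filename TEXT)');
$db->exec("INSERT INTO bug_file (id, filename) VALUES (1, 'trace.log'), (2, 'patch.diff')");

// "Before" pattern: the request-supplied id is pasted into the SQL text, so
// the database parses it as part of the statement.
function attachment_get_interpolated(PDO $db, $file_id) {
    $sql = "SELECT filename FROM bug_file WHERE id = $file_id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "After" pattern: the SQL text is fixed and the id travels as a bound value.
function attachment_get_bound(PDO $db, $file_id) {
    // Defence in depth (assumption): an attachment id is a positive integer.
    $opts = ['options' => ['min_range' => 1]];
    if (filter_var($file_id, FILTER_VALIDATE_INT, $opts) === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT filename FROM bug_file WHERE id = ?');
    $stmt->bindValue(1, (int) $file_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a well-formed id, and a string that is not an id but is
// valid SQL arithmetic.
foreach (['2', '3-2'] as $input) {
    printf("%-5s interpolated=%s bound=%s\n",
        $input,
        json_encode(attachment_get_interpolated($db, $input)),
        json_encode(attachment_get_bound($db, $input)));
}
```

For the input `3-2`, the interpolated query has the database evaluate the arithmetic and return the row with id 1, while the bound version rejects the value and returns nothing.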