View Issue Details

ID: 0017875
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-05 18:33
Reporter: avlidienbrunn
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.17
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary0017875: CVE-2014-9280: PHP Object Injection in filter API
Description

In the function current_user_get_bug_filter (core\current_user_api.php line 212), the code loads a variable from $_GET['filter']/$_POST['filter'] and, if it is not numeric, feeds it straight into unserialize() on line 223.

The current_user_get_bug_filter function is called in 10 places; the easiest is just to access /view_filters_page.php.

A PoC initializing a class that's loaded could look like this: /view_filters_page.php?filter=O:16:"MantisPHPSession":2:{s:2:"id";s:1:"1";s:3:"key";s:3:"wee";}

Originally reported under point 4 in 0017362.
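The pattern described in the report, as an added example that is not MantisBT's own code: a numeric-or-unserialize branch on a client-supplied filter parameter next to two hardened variants. The class, function names and the __wakeup side effect are constructed for illustration; the payload is the PoC string from the report.

```php
<?php
// Added example, not code from MantisBT. Reconstructs the behaviour the
// report describes (?filter= is unserialize()d when non-numeric) and shows
// two ways to close it. Function and class bodies here are hypothetical.

// Stand-in for a class that is loadable in the application. Any __wakeup()
// or __destruct() logic in such a class becomes reachable by whoever controls
// the serialized string, which is what makes object injection dangerous.
class MantisPHPSession {
    public $id;
    public $key;
    public function __wakeup() {
        // Constructed side effect so the injection is observable.
        echo "MantisPHPSession::__wakeup() ran with id={$this->id}\n";
    }
}

// VULNERABLE: mirrors the reported logic. A non-numeric value goes straight
// into unserialize(), so the client picks the class that gets instantiated.
function load_filter_vulnerable(string $raw) {
    if (is_numeric($raw)) {
        return (int)$raw;        // treated as a stored filter id
    }
    return unserialize($raw);    // attacker-controlled object graph
}

// HARDENED (shape of the 1.2.18 fix, which dropped the unserialize() path):
// only a stored filter id is accepted, serialized input is refused outright.
function load_filter_hardened(string $raw): int {
    if (!preg_match('/^\d+$/', $raw)) {
        throw new InvalidArgumentException('filter must be a numeric id');
    }
    return (int)$raw;
}

// If client-supplied serialized data genuinely must be parsed, forbid object
// instantiation (PHP >= 7.0). Objects are returned as __PHP_Incomplete_Class
// and no __wakeup()/__destruct() of application classes runs.
function load_filter_no_objects(string $raw) {
    if (is_numeric($raw)) {
        return (int)$raw;
    }
    return @unserialize($raw, ['allowed_classes' => false]);
}

// The report's PoC payload, embedded here as a constructed input.
$poc = 'O:16:"MantisPHPSession":2:{s:2:"id";s:1:"1";s:3:"key";s:3:"wee";}';

// Vulnerable path: the class is instantiated and __wakeup() fires.
$obj = load_filter_vulnerable($poc);
var_dump($obj instanceof MantisPHPSession);

// allowed_classes=false path: no application class is instantiated.
$safe = load_filter_no_objects($poc);
var_dump($safe instanceof __PHP_Incomplete_Class);

// Strict path: the payload is rejected, a plain id still works.
try {
    load_filter_hardened($poc);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
var_dump(load_filter_hardened('42'));
```

Run with `php example.php`. Of the three, the strict variant is the right fix here because the application only ever needs a stored filter id from the request; `allowed_classes` is the fallback when a serialized payload from the client cannot be avoided, and it still leaves any property-level assumptions in the consuming code to be validated.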

TagsNo tags attached.

Relationships

child of 0017362 (closed, dregad): Multiple vulnerabilities in MantisBT

Activities

Related Changesets

MantisBT: master-1.2.x 599364b2

2014-11-01 16:10:41

Paul Richards


Committer: dregad
Do not pass raw user data to unserialize

Filters were moved to TOKEN api, so the code in current_user_api to handle
?filter= on URL query strings is a left over from this move and is no
longer necessary.

This issue was reported by Matthias Karlsson (http://mathiaskarlsson.me)
as part of Offensive Security's bug bounty program [1].

Fixes 0017875

[1] http://www.offensive-security.com/bug-bounty-program/

Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0017875
mod - core/current_user_api.php