View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0017875 | mantisbt | security | public | 2014-11-14 19:29 | 2014-12-05 18:33 |
| Reporter | avlidienbrunn | Assigned To | dregad | ||
| Priority | high | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | 1.2.17 | ||||
| Target Version | 1.2.18 | Fixed in Version | 1.2.18 | ||
| Summary | 0017875: CVE-2014-9280: PHP Object Injection in filter API | ||||
| Description | In the function current_user_get_bug_filter (core\current_user_api.php line 212). The code loads a variable from $_GET['filter']/$_POST['filter'] and if it's not numeric, feeds it straight into unserialize() on line 223. The current_user_get_bug_filter function is called in 10 places, easiest is just to access /view_filters_page.php. A PoC initializing a class that's loaded could look like this: /view_filters_page.php?filter=O:16:"MantisPHPSession":2:{s:2:"id";s:1:"1";s:3:"key";s:3:"wee";} Originally reported under point 4. in 0017362 | ||||
| Tags | No tags attached. | ||||
|
MantisBT: master-1.2.x 599364b2 2014-11-01 12:10 Paul Richards Committer: dregad Details Diff |
Do not pass raw user data to unserialize Filters were moved to TOKEN api, so the code in current_user_api to handle ?filter= on URL query strings is a left over from this move and is no longer necessary. This issue was reported by Matthias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [1]. Fixes 0017875 [1] http://www.offensive-security.com/bug-bounty-program/ Signed-off-by: Damien Regad <dregad@mantisbt.org> |
Affected Issues 0017875 |
|
| mod - core/current_user_api.php | Diff File | ||
