Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities

Name Multiple Vulnerabilities in Mantis
Systems Affected Mantis 1.1.1 and possibly earlier versions
Severity
Impact (CVSSv2) (, vector: )
Vendor http://www.mantisbt.org/
Advisory
Authors Antonio "s4tan" Parata (s4tan AT ush DOT it)
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Date

C) Remote Code Execution Vulnerabilities

Finally we present the most critical vulnerability. A Remote Code Execution vulnerability exists in the software, but it can be exploited only if the attacker has a valid adminitrator account, so it could be ideal if used in conjunction with the previous one. The vulnerability is in the file adm_config_set.php. On row 80 we have the following statement:

eval( '$t_value = ' . $f_value . ';' );

where the $f_value is defined at row 34 of the same file:

$f_value = gpc_get_string( 'value' );

the parameter $f_value is never validated, so we can exploit this issue with the following url wich executes the phpinfo() function:

http://www.example.com/mantis/adm_config_set.php?user_id=0&project_id=0&config_option=cache_config&type=0&value=0;phpinfo()