View Issue Details

IDProjectCategoryView StatusLast Update
0009154mantisbtsecuritypublic2008-06-17 02:48
Reportergiallu Assigned Togiallu  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version1.1.1 
Target Version1.1.2Fixed in Version1.1.2 
Summary0009154: arbitrary file inclusion through user preferences page
Description

Reported by:
SEC Consult Vulnerability Lab / www.sec-consult.com

Vulnerability overview:

Due to unchecked user input, arbitrary files can be included within a PHP require_once() statement. Input length is limited to 32 characters. This vulnerability allows for reading arbitrary files on the affected webserver, as well as code execution if the attacker can put php code in any includable file (which is possible in most scenarios).

Vulnerability description:

Vulnerable files/objects: core/lang_api.php, account_prefs_update.php

Line 37 (in "core/lang_api.php") loads text file with user-supplied language preference.

---cut here---
require_once( $t_langdir . 'strings' . $p_lang . '.txt' );
---cut here---

Proof of concept:

Use account_prefs_update.php to set language to something like:

language=urdu.txt/../../../../etc/passwd%00

TagsNo tags attached.

Relationships

parent of 0009187 closedgiallu arbitrary file inclusion through user preferences page 

Activities

giallu

giallu

2008-05-15 12:44

reporter   ~0017847

A fix was committed in revision 5270. Basically, a validation routine is run on language names passed as form arguments, and the value is used only if it matches one of the existing languages.

giallu

giallu

2008-06-17 02:41

reporter   ~0018119

Making this public

Related Changesets

MantisBT: master-1.1.x d1fd0451

2008-05-15 12:37

giallu


Details Diff
Fix 9154: arbitrary file inclusion through user preferences page

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5270 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0009154
mod - core/lang_api.php Diff File
mod - account_prefs_update.php Diff File
mod - core/user_pref_api.php Diff File