View Issue Details

Field | Value
---|---
ID | 0009154
Project | mantisbt
Category | security
View Status | public
Date Submitted | 2008-05-15 10:01
Last Update | 2008-06-17 02:48
Reporter | giallu
Assigned To | giallu
Priority | normal
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 1.1.1
Target Version | 1.1.2
Fixed in Version | 1.1.2
Summary | 0009154: arbitrary file inclusion through user preferences page
Tags | No tags attached.

Description:

Reported by:

Vulnerability overview: Due to unchecked user input, arbitrary files can be included within a PHP require_once() statement. Input length is limited to 32 characters. This vulnerability allows for reading arbitrary files on the affected webserver, as well as code execution if the attacker can put PHP code in any includable file (which is possible in most scenarios).

Vulnerability description: Vulnerable files/objects: core/lang_api.php, account_prefs_update.php. Line 37 (in "core/lang_api.php") loads a text file with the user-supplied language preference.

---cut here---

Proof of concept: Use account_prefs_update.php to set language to something like: language=urdu.txt/../../../../etc/passwd%00
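The allowlist check that removes this class of bug, as an added PHP illustration (not the MantisBT project's own code or its 1.1.2 fix): the user-supplied language name is accepted only if it exactly matches an installed language file, so a value carrying a NUL byte or traversal components never reaches require_once. The strings_<name>.txt layout and the function names are assumptions.

```php
<?php
// Added illustration, not MantisBT's code. Assumed layout: language files
// live in $langDir as strings_<name>.txt (a constructed stand-in).

// Return the canonical language name if $userLang is installed, else null.
// The raw value never reaches the filesystem: it is matched against an
// allowlist built from a directory listing of the language directory.
function resolve_language(string $userLang, string $langDir): ?string
{
    // Length cap mirrors the 32-character limit noted in the report.
    if ($userLang === '' || strlen($userLang) > 32) {
        return null;
    }
    // Anything outside [A-Za-z0-9_] (NUL bytes, '/', '.', '\\') is rejected,
    // which removes truncation and traversal before any path is built.
    if (preg_match('/[^A-Za-z0-9_]/', $userLang)) {
        return null;
    }
    $installed = [];
    foreach (glob($langDir . '/strings_*.txt') as $path) {
        $installed[] = substr(basename($path, '.txt'), strlen('strings_'));
    }
    return in_array($userLang, $installed, true) ? $userLang : null;
}

// Include the language file only for a validated name; the caller falls
// back to the site default when false is returned.
function load_language(string $userLang, string $langDir): bool
{
    $lang = resolve_language($userLang, $langDir);
    if ($lang === null) {
        return false;
    }
    require_once $langDir . '/strings_' . $lang . '.txt';
    return true;
}

// Constructed demo: a temporary language directory with two languages.
$dir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/strings_english.txt', "<?php \$s_hello = 'hello';\n");
file_put_contents($dir . '/strings_urdu.txt', "<?php \$s_hello = 'salaam';\n");
$samples = ['urdu', "urdu.txt/../../../../etc/passwd\0", '../strings_english'];
foreach ($samples as $s) {
    $ok = load_language($s, $dir);
    printf("%-40s => %s\n", addcslashes($s, "\0"), $ok ? 'loaded' : 'rejected');
}
array_map('unlink', glob($dir . '/strings_*.txt'));
rmdir($dir);
```

Only the first sample is loaded; the report's proof-of-concept string and the relative-path variant are both refused by the character check before the allowlist is even consulted.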
MantisBT: master-1.1.x d1fd0451 2008-05-15 12:37

Fix 9154: arbitrary file inclusion through user preferences page
git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5270 f5dc347c-c33d-0410-90a0-b07cc1902cb9

Affected Issues: 0009154

Modified files:

- mod - core/lang_api.php
- mod - account_prefs_update.php
- mod - core/user_pref_api.php