Ravens PHP Scripts

Mantis *sort* PHP Code Execution Vulnerability
Date: Friday, October 17, 2008 @ 18:20:32 CEST
Topic: Security


SECUNIA ADVISORY ID: SA32314

VERIFY ADVISORY: http://secunia.com/advisories/32314/

CRITICAL: Moderately critical

IMPACT: System access

SOFTWARE: Mantis 1.x: http://secunia.com/advisories/product/5571/

DESCRIPTION: EgiX has discovered a vulnerability in Mantis, which can be exploited by malicious users to compromise a vulnerable system. The vulnerability is confirmed in version 1.1.2 and reported in version 1.1.3. Other versions may also be affected.



Input passed to the "sort" parameter in manage_proj_page.php is not properly sanitised before being used in a "create_function()" call. This can be exploited to execute arbitrary PHP code. Successful exploitation requires valid user credentials.

SOLUTION: Restrict access to manage_proj_page.php (e.g. with ".htaccess").

PROVIDED AND/OR DISCOVERED BY: EgiX

ORIGINAL ADVISORY: http://milw0rm.com/exploits/6768






This article comes from Ravens PHP Scripts
http://www.ravenphpscripts.com

The URL for this story is:
http://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=3475