MantisBT 1.2.15 input sanitization errors

2014.02.09
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

#2014-001 MantisBT input sanitization errors Description: The MantisBT web-based bugtracking system suffers from SQL injection vulnerabilities caused by insufficient input sanitization. The MantisBT SOAP API uses the unsafe db_query() function allowing a specially crafted tag within the envelope of a mc_issue_attachment_get SOAP request to inject arbitrary SQL queries. The reporting of this specific issue was followed by an investigation that lead to additional cases of unsafe db_query() function use, being found by MantisBT maintainers, throughout MantisBT code. Affected version: MantisBT >= 1.1.0a4, <= 1.2.15 Fixed version: MantisBT >= 1.2.16 Credit: vulnerability report received from Martin Herfurt <martin.herfurt AT nruns.com>. CVE: CVE-2014-1608 (SOAP), CVE-2014-1609 (additional SQL injections) Timeline: 2014-01-17: vulnerability report received 2014-01-17: contacted MantisBT maintainer 2014-01-17: maintainer provides patch for review 2014-01-18: contacted affected vendors 2014-01-19: assigned CVEs 2014-02-08: MantisBT 1.2.16 released 2014-02-08: advisory release References: http://www.mantisbt.org http://www.mantisbt.org/bugs/view.php?id=16879 http://www.mantisbt.org/bugs/view.php?id=16880 http://github.com/mantisbt/mantisbt/commit/00b4c17088fa56594d85fe46b6c6057bb3421102 http://github.com/mantisbt/mantisbt/commit/7efe0175f0853e18ebfacedfd2374c4179028b3f Permalink: http://www.ocert.org/advisories/ocert-2014-001.html -- Andrea Barisani | Founder & Project Coordinator oCERT | OSS Computer Security Incident Response Team

References:

http://www.mantisbt.org
http://www.mantisbt.org/bugs/view.php?id=16879
http://www.mantisbt.org/bugs/view.php?id=16880
http://github.com/mantisbt/mantisbt/commit/00b4c17088fa56594d85fe46b6c6057bb3421102
http://github.com/mantisbt/mantisbt/commit/7efe0175f0853e18ebfacedfd2374c4179028b3f
http://www.ocert.org/advisories/ocert-2014-001.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top