Arch Linux Security Advisory ASA-201412-6

mantisbt: multiple issues

Published: 2014-12-08
Source: Arch Linux, lists.archlinux.org

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.042 Low (percentile 91.3%)

  • CVE-2014-9272 (cross-site scripting)
    The function "string_insert_hrefs" doesn’t validate the protocol of a
    link, so one can craft a link that executes arbitrary JavaScript code.

  • CVE-2014-9270 (cross-site scripting)
    The Projax library does not properly escape HTML strings. An attacker
    could take advantage of this to perform an XSS attack using the
    profile/Platform field.

  • CVE-2014-8987 (cross-site scripting)
    The MantisBT Configuration Report page (adm_config_report.php) did not
    escape a parameter before displaying it on the page, allowing an
    attacker to execute arbitrary JavaScript code.

  • CVE-2014-9271 (cross-site scripting)
    It’s possible to upload Flash files and have them opened inline by using
    an image extension. Since Flash files can execute JavaScript, this
    becomes a persistent XSS.

  • CVE-2014-9281 (cross-site scripting)
    A missing sanity check in copy_field.php leads to a reflected XSS
    vulnerability, which could be exploited e.g. via the dest_id parameter.

  • CVE-2014-8986 (cross-site scripting)
    Cross-site scripting (XSS) vulnerability in the selection list in the
    filters in the Configuration Report page (adm_config_report.php) allows
    remote administrators to inject arbitrary web script or HTML via a
    crafted config option.

  • CVE-2014-9269 (cross-site scripting)
    The extended project browser allows projects to be passed in as A;B.
    helper_get_current_project() and helper_get_current_project_trace() then
    explode the string on ‘;’ and don’t check that A is an int
    (representing a project/sub-project id).
    Finally, print_extended_project_browser() prints the result of the split
    into a JavaScript array.

  • CVE-2014-9280 (code execution)
    PHP Object Injection in the filter API, in the function
    current_user_get_bug_filter (core\current_user_api.php line 212). The
    code loads a variable from $_GET['filter']/$_POST['filter'] and, if it’s
    not numeric, feeds it straight into unserialize() on line 223.
    The current_user_get_bug_filter function is called in 10 places; the
    easiest is to access /view_filters_page.php.
    A PoC initializing a class that’s loaded could look like this:
    /view_filters_page.php?filter=O:16:"MantisPHPSession":2:{s:2:"id";s:1:"1";s:3:"key";s:3:"wee";}
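As an added example (not code from MantisBT or this advisory), the hardened way to treat that filter parameter: only an integer filter id is ever accepted from the request, and a filter string fetched from the database by that id is decoded with objects refused, so request data never reaches a class-instantiating unserialize(). Assumes PHP 7.0+ for the allowed_classes option; the function names are hypothetical.

```php
<?php
// Added example, not MantisBT code: handle a user-supplied "filter"
// parameter so that request data never reaches unserialize().
// Assumes PHP 7.0+ (allowed_classes option); function names are hypothetical.
declare(strict_types=1);

// Accept only a strictly positive integer filter id from the request.
// Serialized strings, signs, spaces and leading zeros are all rejected.
function filter_id_from_request(array $get, array $post): ?int
{
    $raw = $get['filter'] ?? $post['filter'] ?? null;
    if (!is_string($raw) || preg_match('/\A[1-9][0-9]{0,9}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// True if an object is nested anywhere inside the decoded value.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Decode a filter string read from the database by id (never from the
// request). allowed_classes => false turns any serialized object into
// __PHP_Incomplete_Class instead of instantiating it; the whole value is
// then refused if an object is present, so only plain arrays get through.
function decode_stored_filter(string $stored): ?array
{
    $decoded = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($decoded) || contains_object($decoded)) {
        return null;
    }
    return $decoded;
}

// Constructed inputs for illustration.
var_dump(filter_id_from_request(['filter' => '42'], []));
var_dump(filter_id_from_request(['filter' => 'O:8:"stdClass":0:{}'], []));
var_dump(decode_stored_filter(serialize(['sort' => 'id', 'dir' => 'ASC'])));
var_dump(decode_stored_filter(serialize([new stdClass()])));
```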

  • CVE-2014-9089 (sql injection)
    Multiple SQL injection vulnerabilities in view_all_bug_page.php in
    MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL
    commands via the ‘sort’ or ‘dir’ parameter to view_all_set.php.
    Both parameters are split into chunks on ‘,’. After splitting, only the
    first two values are validated, so by supplying a third value SQL
    injection can be performed.

  • CVE-2014-9279 (information disclosure)
    Database credentials leak via the unattended upgrade script: the script
    retrieved DB connection settings from POST parameters, allowing an
    attacker to make it connect to a host of their choosing with the
    current DB config credentials.

  • CVE-2014-8988 (information disclosure)
    It is possible to bypass the $g_download_attachments_threshold and
    $g_view_attachments_threshold restrictions and read attachments for
    private projects by leveraging access to a project that does not
    restrict access to attachments and a request to the download URL.

  • CVE-2014-8553 (information disclosure)
    No public information is available yet.

  • CVE-2014-6387 (authentication bypass)
    A flaw in gpc_api.php allows remote attackers to bypass authentication
    via a password starting with a null byte, which triggers an
    unauthenticated bind. A malicious user can exploit this vulnerability to
    log in as any registered user without knowing their password on
    systems relying on LDAP for user authentication (e.g. Active Directory
    or OpenLDAP with "allow bind_anon_cred").
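As an added example (not code from MantisBT or this advisory), a bind guard that closes the unauthenticated-bind path described above: the password is checked for emptiness and NUL bytes before ldap_bind() is ever called, because a non-empty DN with an empty password is an unauthenticated bind that many directories accept. The function names are hypothetical; $conn is assumed to be an LDAP connection obtained from ldap_connect().

```php
<?php
// Added example, not MantisBT code: guard an LDAP simple bind so that an
// empty or NUL-containing password can never turn into an unauthenticated
// bind (RFC 4513, section 5.1.2). Function names are hypothetical.
declare(strict_types=1);

// A password is bindable only if it is non-empty and free of NUL bytes.
// As the advisory describes, a NUL-prefixed password can be cut down to ""
// before it reaches the directory, and a non-empty DN with an empty password
// is an unauthenticated bind that many servers accept.
function ldap_password_is_bindable(string $password): bool
{
    return $password !== '' && strpos($password, "\0") === false;
}

// Authenticate against the directory. Refuses an empty DN and any password
// that is not bindable before contacting the server, so a rejected check can
// never be mistaken for a successful login.
function ldap_authenticate($conn, string $user_dn, string $password): bool
{
    if ($user_dn === '' || !ldap_password_is_bindable($password)) {
        return false;
    }
    // @ only silences the warning emitted on bad credentials; the boolean
    // return value is the authentication result.
    return @ldap_bind($conn, $user_dn, $password);
}

// Constructed checks for illustration; no directory connection is needed.
var_dump(ldap_password_is_bindable('s3cret'));
var_dump(ldap_password_is_bindable(''));
var_dump(ldap_password_is_bindable("\0anything"));
```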

  • CVE-2014-6316 (cross-site redirection)
    When Mantis is installed at the web server’s root, $g_short_path is set
    to ‘/’. string_sanitize_url() removes the trailing ‘/’ from the short
    path, which causes the URL to be incorrectly categorized as "type 2",
    thus allowing cross-site redirection to occur.

  • CVE-2014-9117 (captcha bypass)
    MantisBT before 1.2.18 uses the public_key parameter value as the key to
    the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA
    protection mechanism by leveraging knowledge of a CAPTCHA answer for a
    public_key parameter value, as demonstrated by E4652 for the public_key
    value 0.

OS   Version  Architecture  Package   Version     Filename
any  any      any           mantisbt  < 1.2.18-1  UNKNOWN
