Vulners
Lucene search
Mantis Bug Tracker 1.2.17 PHP Code Injection
| Reporter | Title | Published | Views | Family All 46 |
|---|---|---|---|---|
 | MantisBT XmlImportExport Plugin PHP Code Injection Exploit | 16 Nov 201400:00 | – | zdt |
| MantisBT XmlImportExport Plugin PHP Code Injection Exploit | 18 Nov 201400:00 | – | zdt |
| Mantis Bug Tracker 1.2.17 PHP Code Injection Vulnerability | 1 Jan 201500:00 | – | zdt |
| MantisBT 1.2.0a3 < 1.2.17 - XmlImportExport Plugin PHP Code Injection Exploit | 23 Mar 201700:00 | – | zdt |
 | MantisBT < 1.2.18 Multiple Vulnerabilities | 18 Feb 201500:00 | – | nessus |
| Debian DSA-3120-1 : mantis - security update | 8 Jan 201500:00 | – | nessus |
| Fedora 19 : mantis-1.2.17-4.fc19 (2014-15079) | 15 Dec 201400:00 | – | nessus |
| Fedora 20 : mantis-1.2.17-4.fc20 (2014-15108) | 15 Dec 201400:00 | – | nessus |
| Fedora 21 : mantis-1.2.17-4.fc21 (2014-15142) | 15 Dec 201400:00 | – | nessus |
| MantisBT 1.2.x < 1.2.18 Multiple Vulnerabilities | 22 Jan 201500:00 | – | nessus |
10
`-----------------------------------------------------------------------------
Mantis Bug Tracker <= 1.2.17 (ImportXml.php) PHP Code Injection Vulnerability
-----------------------------------------------------------------------------
[-] Software Link:
http://www.mantisbt.org/
[-] Affected Versions:
All versions from 1.2.0 to 1.2.17.
[-] Vulnerability Description:
The vulnerable code is located in the /plugins/XmlImportExport/ImportXml.php script:
106. printf( "Processing cross-references for %s issues...", count( $importedIssues ) );
107. foreach( $importedIssues as $oldId => $newId ) {
108. $bugData = bug_get( $newId, true );
109.
110. $bugLinkRegexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/e';
111. $replacement = '"\\1" . $this->getReplacementString( "\\2", "\\3" )';
112.
113. $bugData->description = preg_replace( $bugLinkRegexp, $replacement, $bugData->description );
114. $bugData->update( true, true );
115. }
User input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML
file when importing data through the Import/Export plugin is not properly sanitized before being used
in a "preg_replace()" call with the 'e' modifier at line 113. This can be exploited by unauthenticated
attackers to inject and execute arbitrary PHP code by uploading a specially crafted XML file. Successful
exploitation of this vulnerability requires the Import/Export plugin to be enabled (disabled by default).
[-] Solution:
Update to version 1.2.18.
[-] Disclosure Timeline:
[04/10/2014] - Issue reported to http://www.mantisbt.org/bugs/view.php?id=17725
[05/10/2014] - CVE number requested
[06/10/2014] - CVE number assigned
[01/11/2014] - Issue fixed on GitHub
[08/11/2014] - Public disclosure by the vendor on the OSS mailing list
[23/12/2014] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-7146 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2014-18
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Dec 2014 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.80388