Mantis Bug Tracker 1.2.17 PHP Code Injection

`-----------------------------------------------------------------------------  
Mantis Bug Tracker <= 1.2.17 (ImportXml.php) PHP Code Injection Vulnerability  
-----------------------------------------------------------------------------  
  
  
[-] Software Link:  
  
http://www.mantisbt.org/  
  
  
[-] Affected Versions:  
  
All versions from 1.2.0 to 1.2.17.  
  
  
[-] Vulnerability Description:  
  
The vulnerable code is located in the /plugins/XmlImportExport/ImportXml.php script:  
  
106. printf( "Processing cross-references for %s issues...", count( $importedIssues ) );  
107. foreach( $importedIssues as $oldId => $newId ) {  
108. $bugData = bug_get( $newId, true );  
109.   
110. $bugLinkRegexp = '/(^|[^\w])(' . preg_quote( $this->source_->issuelink, '/' ) . ')(\d+)\b/e';  
111. $replacement = '"\\1" . $this->getReplacementString( "\\2", "\\3" )';  
112.   
113. $bugData->description = preg_replace( $bugLinkRegexp, $replacement, $bugData->description );  
114. $bugData->update( true, true );  
115. }  
  
User input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML  
file when importing data through the Import/Export plugin is not properly sanitized before being used  
in a "preg_replace()" call with the 'e' modifier at line 113. This can be exploited by unauthenticated  
attackers to inject and execute arbitrary PHP code by uploading a specially crafted XML file. Successful  
exploitation of this vulnerability requires the Import/Export plugin to be enabled (disabled by default).  
  
  
[-] Solution:  
  
Update to version 1.2.18.  
  
  
[-] Disclosure Timeline:  
  
[04/10/2014] - Issue reported to http://www.mantisbt.org/bugs/view.php?id=17725  
[05/10/2014] - CVE number requested  
[06/10/2014] - CVE number assigned  
[01/11/2014] - Issue fixed on GitHub  
[08/11/2014] - Public disclosure by the vendor on the OSS mailing list  
[23/12/2014] - Publication of this advisory  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2014-7146 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2014-18  
  
  
`