oss-sec mailing list archives
CVE-2014-7146: MantisBT XmlImportExport plugin PHP Code Injection Vulnerability
From: Damien Regad <dregad () mantisbt org>
Date: Sat, 08 Nov 2014 00:07:03 +0100
Egidio "EgiX" Romano discovered a vulnerability in the MantisBT XML import plugin, and reserved CVE-2014-7146 for it.
This message provides details on the issue, including resolution. Kindly update the CVE database accordingly.
Description:When importing data with the plugin, user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed.
The XML Import/Export "official" plugin comes bundled with MantisBT releases.
Affected versions:
= 1.2.0a3, <= 1.2.17
Fixed in versions: 1.2.18 (not yet released) Patch: See Github [4]This fix is a backport of an existing commit [1] from master branch, which has been confirmed as addressing the issue.
Credit: Issue was discovered by Egidio Romano (http://karmainsecurity.com/) Original fix (master branch) by Dominik Blunk Backporting fix to 1.2.x branch by Damien Regad (MantisBT Developer) References: Further details available in our issue tracker [2] See also related issue/vulnerability [3] (CVE-2014-8598) [1] https://github.com/mantisbt/mantisbt/commit/84017535 [2] http://www.mantisbt.org/bugs/view.php?id=17725 [3] http://www.mantisbt.org/bugs/view.php?id=17780 [4] https://github.com/mantisbt/mantisbt/commit/bed19db9
Current thread:
- CVE-2014-7146: MantisBT XmlImportExport plugin PHP Code Injection Vulnerability Damien Regad (Nov 07)