RE: SQL injection vulnerability in MantisBT SOAP API

["P Richards" <paul () mantisforge org>]

In addition, it was requested to reference http://www.issue-track.org when acknowledging myself for the issue.

Paul

-----Original Message-----
From: dregad () gmail com [mailto:dregad () gmail com] On Behalf Of Damien Regad
Sent: 30 October 2014 20:55
To: oss-security () lists openwall com
Subject: [oss-security] SQL injection vulnerability in MantisBT SOAP API

Description:

Several SQL injection vulnerabilities were identified in CVE-2014-1609, and subsequently fixed in MantisBT release 
1.2.16 [1].

However, it was recently discovered that the patch did not fully address the original problem in the SOAP API. Research 
demonstrates that using a specially crafted 'project id' parameter when calling mc_project_get_attachments(), an 
attacker could still perform an SQL injection.

Affected versions:
MantisBT >= 1.1.0a4, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Credit:
Issue was discovered by
- Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl)
- Paul Richards (former MantisBT developer)

References:
- further details, including patch available in our issue tracker [2] (

Please assign a CVE ID for this issue, which is a follow-up on
CVE-2014-1609 (the released fix of which was incomplete).

[1] http://www.mantisbt.org/bugs/view.php?id=16880
[2] http://www.mantisbt.org/bugs/view.php?id=17812