CVE-2014-7146: MantisBT XmlImportExport plugin PHP Code Injection Vulnerability

[Damien Regad <dregad () mantisbt org>]

Egidio "EgiX" Romano discovered a vulnerability in the MantisBT XML 
import plugin, and reserved CVE-2014-7146 for it.

This message provides details on the issue, including resolution. Kindly 
update the CVE database accordingly.

Description:

When importing data with the plugin, user input passed through the 
"description" field (and the "issuelink" attribute) of the uploaded XML 
file isn't properly sanitized before being used in a call to the 
preg_replace() function which uses the 'e' modifier. This can be 
exploited to inject and execute arbitrary PHP code when the 
Import/Export plugin is installed.

The XML Import/Export "official" plugin comes bundled with MantisBT 
releases.


Affected versions:
> = 1.2.0a3, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [4]

This fix is a backport of an existing commit [1] from master branch, 
which has been confirmed as addressing the issue.

Credit:
Issue was discovered by Egidio Romano (http://karmainsecurity.com/)
Original fix (master branch) by Dominik Blunk
Backporting fix to 1.2.x branch by Damien Regad (MantisBT Developer)

References:
Further details available in our issue tracker [2]
See also related issue/vulnerability [3] (CVE-2014-8598)


[1] https://github.com/mantisbt/mantisbt/commit/84017535
[2] http://www.mantisbt.org/bugs/view.php?id=17725
[3] http://www.mantisbt.org/bugs/view.php?id=17780
[4] https://github.com/mantisbt/mantisbt/commit/bed19db9