oss-sec mailing list archives
CVE request: PHP Object Injection in MantisBT filter API
From: Damien Regad <dregad () mantisbt org>
Date: Sat, 29 Nov 2014 23:43:28 +0100
Greetings,

Please assign a CVE ID for the following issue.

Description:
In the function current_user_get_bug_filter(), the code loads a variable from $_GET['filter']/$_POST['filter'] and if it's not numeric, feeds it straight into unserialize() allowing an attacker to inject a PHP object.

Affected versions: <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)

Patch: See Github [1]

Credit:
Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [3]. It was fixed by Paul Richards.

References:
Further details available in our issue tracker [2]

[1] http://github.com/mantisbt/mantisbt/commit/599364b2
[2] http://www.mantisbt.org/bugs/view.php?id=17875
[3] http://www.offensive-security.com/bug-bounty-program/
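
The pattern described in the message above, next to a hardened form, as an added example that is not part of the original post and is neither MantisBT's code nor its patch. The function names and the sample filter layout are hypothetical, and the hardened variant assumes PHP 7.0 or later for the `allowed_classes` option.

```php
<?php
// Added illustration; NOT MantisBT code. Function names and the sample
// filter layout are hypothetical. Assumes PHP >= 7.0 (allowed_classes).

// Pattern from the report: non-numeric request input reaches unserialize().
function filter_from_request_unsafe(string $raw) {
    if (is_numeric($raw)) {
        return (int) $raw;                 // id of a stored filter
    }
    return unserialize($raw);              // may instantiate any loadable class
}

// True if $value is, or contains at any depth, an object of any kind.
function contains_object($value): bool {
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened variant: no class is instantiated, and only arrays of
// scalars/arrays are accepted; anything else is rejected as null.
function filter_from_request_safe(string $raw) {
    if (is_numeric($raw)) {
        return (int) $raw;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return (is_array($data) && !contains_object($data)) ? $data : null;
}

// Constructed sample inputs (stdClass stands in for an application class).
$samples = [
    '42',
    serialize(['status' => [10, 20], 'per_page' => 50]),
    'O:8:"stdClass":0:{}',
    'a:1:{s:5:"owner";O:8:"stdClass":0:{}}',
    'not serialized data',
];
foreach ($samples as $raw) {
    echo $raw, ' => ', var_export(filter_from_request_safe($raw), true), PHP_EOL;
}
```

Only the numeric id and the plain array are accepted; both object-bearing inputs and the malformed string come back as NULL.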