FS#42761 - [mantisbt] CVE-2014-8598, CVE-2014-7146: arbitrary code execution with unrestricted access

Attached to Project: Community Packages
Opened by Levente Polyak (anthraxx) - Wednesday, 12 November 2014, 12:12 GMT
Last edited by Maxime Gauduin (Alucryd) - Wednesday, 12 November 2014, 15:04 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Maxime Gauduin (Alucryd)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

sorry for another backport request for mantisbt, but it's kind of critical :-)

Summary:
It has been reported [0][1] that mantisbt 1.2.17-3 is vulnerable to unrestricted access and remote arbitrary code execution, tracked as CVE-2014-8598 [2] and CVE-2014-7146 [3].

Description:
The XML Import/Export "official" plugin comes bundled with MantisBT releases. When importing data with the plugin, user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code.
Additionally, the plugin does not perform any access level checks, which leads to full information disclosure and, in combination with the first issue, to unauthenticated remote arbitrary code execution.

Mitigation:
The problem has been fixed upstream [4][5] but no release is available yet.
We recommend backporting the patches until a release is available; the order should be CVE-2014-8598 (80a15487), CVE-2014-7146 (bed19db9).

[0] http://www.openwall.com/lists/oss-security/2014/11/07/27
[1] http://www.openwall.com/lists/oss-security/2014/11/07/28
[2] https://access.redhat.com/security/cve/CVE-2014-8598
[3] https://access.redhat.com/security/cve/CVE-2014-7146
[4] https://github.com/mantisbt/mantisbt/commit/80a15487
[5] https://github.com/mantisbt/mantisbt/commit/bed19db9
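As an added illustration (not MantisBT's code and not the upstream patches), the two properties a hardened import path needs: a privilege check before any import work, and link rewriting through preg_replace_callback() so matched text is treated as data rather than evaluated as PHP. The helper names, the "#<id>" link syntax and the sample input are assumptions; the real plugin's function names and thresholds are not on this page.

```php
<?php
// Added illustration, not MantisBT code. Defensive properties shown:
//  1. An access-level check runs before anything is imported.
//  2. Cross-reference rewriting uses preg_replace_callback(), never the
//     'e' modifier, so nothing from the XML is handed to eval().

// Assumed stand-in for the tracker's access-level check.
function mantis_has_access( $user_level, $required_level ) {
	return $user_level >= $required_level;
}

// Rewrites "#<id>" issue references in a description using a map of
// old ids to new ids. The callback only ever sees the match as a string.
function import_rewrite_issue_links( $description, array $id_map ) {
	return preg_replace_callback(
		'/#(\d+)/',
		function ( $m ) use ( $id_map ) {
			$old = (int) $m[1];
			return isset( $id_map[ $old ] ) ? '#' . (int) $id_map[ $old ] : $m[0];
		},
		$description
	);
}

// Entry point: refuse early unless the caller meets the required level.
function import_issue_description( $user_level, $required_level, $description, array $id_map ) {
	if ( !mantis_has_access( $user_level, $required_level ) ) {
		throw new RuntimeException( 'access denied: import requires elevated privileges' );
	}
	return import_rewrite_issue_links( $description, $id_map );
}

// Constructed sample input: a cross reference plus text that the 'e'
// modifier would have interpolated into evaluated code.
$sample = 'See #12 and #99. Literal ${...} and \1 stay plain text.';
$id_map = array( 12 => 4710 );
echo import_issue_description( 90, 70, $sample, $id_map ), "\n";
```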

Closed by Maxime Gauduin (Alucryd)
Wednesday, 12 November 2014, 15:04 GMT
Reason for closing: Fixed
Additional comments about closing: 1.2.17-4
Comment by Maxime Gauduin (Alucryd) - Wednesday, 12 November 2014, 15:04 GMT
No problem, thanks again for the report!