
List:       oss-security
Subject:    [oss-security] CVE request: PHP Object Injection in MantisBT filter API
From:       Damien Regad <dregad () mantisbt ! org>
Date:       2014-11-29 22:43:28
Message-ID: m5di6f$ie5$1 () ger ! gmane ! org

Greetings,

Please assign a CVE ID for the following issue.


Description:

In the function current_user_get_bug_filter(), the code loads a variable 
from $_GET['filter']/$_POST['filter'] and if it's not numeric, feeds it 
straight into unserialize() allowing an attacker to inject a PHP object.


Affected versions:
<= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [1]

Credit:
Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as 
part of Offensive Security's bug bounty program [3].
It was fixed by Paul Richards.

References:
Further details available in our issue tracker [2]


[1] http://github.com/mantisbt/mantisbt/commit/599364b2
[2] http://www.mantisbt.org/bugs/view.php?id=17875
[3] http://www.offensive-security.com/bug-bounty-program/
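
The pattern described in the message above, next to a hardened variant, as an added example that is not part of the original post and is neither MantisBT's code nor the referenced patch. All function and class names are hypothetical, the payload string is constructed, and the hardened variant assumes PHP 7.0 or later for the `allowed_classes` option.

```php
<?php
// Hypothetical class standing in for any application class with a magic method.
class DemoGadget {
    public static $woke = false;
    public function __wakeup() { self::$woke = true; } // runs during unserialize()
}

// Pattern from the report: a non-numeric request value goes straight to unserialize().
function load_filter_unsafe($raw) {
    if (is_numeric($raw)) {
        return (int) $raw;            // numeric: treated as a stored filter id
    }
    return unserialize($raw);         // caller-chosen classes are instantiated here
}

// True if $value is, or contains at any depth, an object.
function contains_object($value) {
    if (is_object($value)) { return true; }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) { return true; }
        }
    }
    return false;
}

// Hardened variant: no class may be instantiated, and only plain arrays are accepted.
function load_filter_safe($raw) {
    if (!is_string($raw)) { return null; }
    if (ctype_digit($raw)) { return (int) $raw; }
    // allowed_classes => false turns every object into __PHP_Incomplete_Class,
    // so no __wakeup()/__destruct() of an application class can run.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) { return null; }
    return $data;
}

// Constructed sample inputs, standing in for $_GET['filter'] / $_POST['filter'].
$object_payload = 'O:10:"DemoGadget":0:{}';
$nested_payload = 'a:1:{i:0;O:10:"DemoGadget":0:{}}';
$plain_filter   = 'a:1:{s:6:"status";i:10;}';

var_dump(load_filter_safe($object_payload)); // rejected: top-level object
var_dump(load_filter_safe($nested_payload)); // rejected: object inside the array
var_dump(load_filter_safe($plain_filter));   // accepted: array of scalars
var_dump(DemoGadget::$woke);                 // state before the unsafe call
load_filter_unsafe($object_payload);
var_dump(DemoGadget::$woke);                 // state after the unsafe call
```

Where the stored value only ever needs to be an array of scalars, a data-only format such as `json_decode()` removes the object-instantiation path entirely.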


