Bug 467674 (CVE-2008-4687)

Summary: CVE-2008-4687 mantis: code execution by registered users via sort parameter to manage_proj_page.php
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: giallu, jlieskov, rh-bugzilla, rpm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-10-24 18:48:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-10-20 06:54:14 UTC
A remote PHP code execution flaws was reported for Mantis.  Registered users can execute code via specially crafted sort parameter to manage_proj_page.php page.

Upstream bug report:
http://www.mantisbt.org/bugs/view.php?id=9704

Public exploit:
http://www.milw0rm.com/exploits/6768

Fixed upstream in 1.1.4:
http://www.mantisbt.org/bugs/changelog_page.php
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5679

Comment 1 Gianluca Sforna 2008-10-20 07:41:54 UTC
Is this for our own records? do I need to close this myself? (I pushed 1.1.4 few hours ago)

Comment 2 Tomas Hoger 2008-10-20 07:58:20 UTC
I know.  That was for proper reference from Bodhi update request.  Though I'm not able to actually add it to the update request at the moment due to what seems to be a bodhi bug (https://fedorahosted.org/bodhi/ticket/254).

Comment 3 Gianluca Sforna 2008-10-20 08:04:19 UTC
Ok. thank you

Comment 5 Red Hat Product Security 2008-10-24 18:48:24 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9015
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8925