Red Hat Bugzilla – Bug 448410
CVE-2008-3332 mantis: code execution by users with administrative privileges
Last modified: 2008-07-28 04:55:40 EDT
Antonio "s4tan" Parata and Francesco "ascii" Ongaro discovered that mantis 1.1.1
allows administrative accounts to execute arbitrary PHP code using a flaw in the
C) Remote Code Execution Vulnerabilities
Finally we present the most critical vulnerability. A Remote Code
Execution vulnerability exists in the software, but it can be exploited
only if the attacker has a valid administrator account, so it could be
ideal if used in conjunction with the previous one. The vulnerability
is in the file adm_config_set.php. On row 80 we have the following:
eval( '$t_value = ' . $f_value . ';' );
where the $f_value is defined at row 34 of the same file:
$f_value = gpc_get_string( 'value' );
the parameter $f_value is never validated, so we can exploit this issue
with the following URL, which executes the phpinfo() function:
Upstream bug reports (currently restricted):
Upstream commit in 1.1 SVN branch:
(partial fix according to the commit message)
This is probably not an issue in situations where all admin mantis users are
expected to be able to execute their own PHP scripts on the host with the
privileges of the web server (e.g. when they also have a normal user account
and the web server is configured to serve the content of public_html directories).
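As an added illustration (not code from Mantis, from the advisory, or from the upstream commit), one way to handle the value parameter in adm_config_set.php without eval(): the submitted text is parsed into a typed PHP value, and anything that is not a plain literal or JSON is rejected instead of executed. The parse_config_value() helper and the use of $_POST in place of Mantis's gpc_get_string() are assumptions made so the snippet runs stand-alone.

```php
<?php
// Added example, not Mantis code: a parser that turns an admin-submitted
// config value into a PHP value without ever handing it to eval().

/**
 * Parse a config value string. Accepts integers, booleans, quoted
 * strings, and JSON arrays/objects; everything else is rejected.
 */
function parse_config_value($raw)
{
    $raw = trim((string) $raw);

    // Plain integer, e.g. "42" or "-7"
    if (preg_match('/^-?\d+$/', $raw)) {
        return (int) $raw;
    }
    // Boolean literals
    $lower = strtolower($raw);
    if ($lower === 'true' || $lower === 'false') {
        return $lower === 'true';
    }
    // Quoted string: strip the quotes, keep the contents literally
    if (preg_match('/^([\'"])(.*)\1$/s', $raw, $m)) {
        return $m[2];
    }
    // Arrays/objects must be JSON, which is decoded rather than evaluated
    if ($raw !== '' && ($raw[0] === '[' || $raw[0] === '{')) {
        $decoded = json_decode($raw, true);
        if (json_last_error() === JSON_ERROR_NONE) {
            return $decoded;
        }
    }
    throw new InvalidArgumentException('Unsupported config value syntax');
}

// Vulnerable pattern quoted in the advisory (for contrast only):
//   eval( '$t_value = ' . $f_value . ';' );
//
// Hardened replacement at the same point. Assumption: $f_value holds the
// 'value' request parameter, read here from $_POST instead of gpc_get_string().
$f_value = isset($_POST['value']) ? (string) $_POST['value'] : '';
try {
    $t_value = parse_config_value($f_value);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Invalid configuration value');
}
```

The same parser can be reused for any other admin-facing setting that previously relied on eval() to turn text into a PHP value.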
mantis-1.1.2-1.fc9 has been submitted as an update for Fedora 9
mantis-1.1.2-1.fc8 has been submitted as an update for Fedora 8
mantis-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
mantis-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Eval injection vulnerability in adm_config_set.php in Mantis before
1.1.2 allows remote authenticated administrators to execute arbitrary
code via the value parameter.
This issue was addressed in: