[arch-security] [Arch Linux Security Advisory ASA-201411-3] mantisbt: sql injection
Levente Polyak
anthraxx at archlinux.org
Wed Nov 5 19:23:06 UTC 2014
Arch Linux Security Advisory ASA-201411-3
=========================================
Severity: Critical
Date : 2014-11-05
CVE-ID : CVE-2014-8554
Package : mantisbt
Type : sql injection
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
Summary
=======
The package mantisbt before version 1.2.17-3 is vulnerable to SQL injection.
Resolution
==========
Upgrade to 1.2.17-3.
# pacman -Syu "mantisbt>=1.2.17-3"
The problem has been fixed upstream [0] but no release version is
available yet.
Workaround
==========
None.
Description
===========
Edwin Gozeling and Wim Visser discovered that when the project_id
parameter of the SOAP-request starts with the integer of a project to
which the user (or anonymous) is authorized, the ENTIRE value will
become the first item of $t_projects. As this value is concatenated in
the SQL statement, SQL-injection becomes possible.
Impact
======
A remote attacker is able to perform SQL injection via specially crafted
SOAP-requests. Depending on the configuration this can be escalated to
code execution.
References
==========
[0] https://github.com/mantisbt/mantisbt/commit/99ffb0af
https://access.redhat.com/security/cve/CVE-2014-8554
http://seclists.org/oss-sec/2014/q4/478
https://bugs.archlinux.org/task/42683
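
The flaw in the Description above, shown beside a corrected form, as an added example that is not MantisBT code or the upstream patch. The function names, the table name `bug_table`, the authorized-project list and the modelling of the access check as an integer cast are assumptions made for illustration.

```php
<?php
// Added illustration, not MantisBT source. All names and sample values
// below are assumptions constructed for this example.

// Constructed sample: IDs of projects the caller is authorized for.
$authorized = array(1, 7);

// Flawed pattern: the access check only looks at the integer prefix of the
// parameter, but the ENTIRE raw string is stored and later concatenated.
function build_query_flawed($project_id, array $authorized) {
    if (!in_array((int) $project_id, $authorized, true)) {
        return null; // access denied
    }
    $t_projects = array($project_id); // raw value kept, not the integer
    return 'SELECT id FROM bug_table WHERE project_id IN ('
        . implode(',', $t_projects) . ')';
}

// Hardened pattern: accept only a canonical integer, keep the integer
// (never the raw string), and pass it as a bound parameter.
function build_query_fixed($project_id, array $authorized) {
    $id = filter_var($project_id, FILTER_VALIDATE_INT);
    if ($id === false || !in_array($id, $authorized, true)) {
        return null; // rejected: not an integer, or not authorized
    }
    return array(
        'sql'    => 'SELECT id FROM bug_table WHERE project_id IN (?)',
        'params' => array($id),
    );
}

// Constructed inputs: a clean ID, an ID followed by harmless trailing
// text, and an ID the caller is not authorized for.
foreach (array('1', '1 TRAILING_TEXT', '9') as $input) {
    echo "input:  ", json_encode($input), "\n";
    echo "flawed: ", json_encode(build_query_flawed($input, $authorized)), "\n";
    echo "fixed:  ", json_encode(build_query_fixed($input, $authorized)), "\n\n";
}
```

For the second input the flawed builder returns a statement whose `IN (...)` list contains the trailing text verbatim, while the fixed builder returns `null`.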