[arch-security] [Arch Linux Security Advisory ASA-201411-8] mantisbt: arbitrary code execution and unrestricted access

Levente Polyak anthraxx at archlinux.org
Wed Nov 12 15:43:48 UTC 2014

Arch Linux Security Advisory ASA-201411-8

Severity: Critical
Date    : 2014-11-12
CVE-ID  : CVE-2014-7146 CVE-2014-8598
Package : mantisbt
Type    : arbitrary code execution, unrestricted access
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014


The package mantisbt before version 1.2.17-4 is vulnerable to arbitrary
code execution and unrestricted access.


Upgrade to 1.2.17-4.

# pacman -Syu "mantisbt>=1.2.17-4"

The problems have been fixed upstream [0][1] but no release version is
available yet.


Uninstall the XML Import/Export plugin in mantisbt to avoid both


- CVE-2014-7146 (arbitrary code execution)
When importing data with the plugin, user input passed through the
"description" field (and the "issuelink" attribute) of the uploaded XML
file isn't properly sanitized before being used in a call to the
preg_replace() function that uses the 'e' modifier. This can be
exploited to inject and execute arbitrary PHP code when the XML
Import/Export plugin is installed.

- CVE-2014-8598 (unrestricted access, information disclosure)
The bundled XML Import/Export plugin does not perform any access level
checks in the import and export pages. This allows any user knowing the
URL to the plugin's page to insert or export any (confidential) data
without restriction, regardless of their access level.
This vulnerability is particularly dangerous in combination with the one
described above (CVE-2014-7146): it removes the need for any account or
privilege, so unauthenticated attackers can execute arbitrary code.
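A minimal PHP illustration of both issues, added here and not taken from MantisBT or from the referenced commits: the preg_replace() 'e' pattern beside its preg_replace_callback() replacement, and the kind of access check the import/export pages lacked. The "[issue:...]" markup, the link helper and the chosen config threshold are assumptions; ensure_import_export_allowed() only works inside a MantisBT page, so it is defined but not called.

```php
<?php
// Added example, not code from MantisBT or from the referenced commits.
// Shows the unsafe preg_replace() 'e' pattern behind CVE-2014-7146 next
// to a safe rewrite, plus the access check the import/export pages lacked
// (CVE-2014-8598). The "[issue:...]" markup and the link helper are
// hypothetical stand-ins for the plugin's real description handling.

// UNSAFE (PHP 5 only; the 'e' modifier was removed in PHP 7): PHP
// substitutes the captured group into the replacement string and then
// eval()s the result, so text from an uploaded XML "description" shapes
// the code that runs instead of being passed to it as data.
function expand_issue_links_unsafe( $p_text ) {
	return preg_replace(
		'/\[issue:([^\]]+)\]/e',
		"issue_link_for('\\1')",
		$p_text
	);
}

// SAFE: preg_replace_callback() hands the match to a real function as a
// plain string argument. Nothing is ever evaluated as PHP.
function expand_issue_links_safe( $p_text ) {
	return preg_replace_callback(
		'/\[issue:([^\]]+)\]/',
		function( $p_match ) { return issue_link_for( $p_match[1] ); },
		$p_text
	);
}

// Normalise to an integer before reflecting it into HTML.
function issue_link_for( $p_id ) {
	$t_id = (int) $p_id;
	return '<a href="view.php?id=' . $t_id . '">#' . $t_id . '</a>';
}

// Access check the import and export pages were missing. MantisBT's
// access_ensure_global_level() stops the request for users below the
// threshold; which config threshold applies is an assumption here.
function ensure_import_export_allowed() {
	access_ensure_global_level( config_get( 'manage_plugin_threshold' ) );
}

// Constructed input: the second token carries a stray quote, which the
// safe variant simply treats as data (cast to 12).
$t_description = "See [issue:123] and [issue:12'34]";
echo expand_issue_links_safe( $t_description ), "\n";
```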


A remote unauthenticated attacker knowing the URL to the plugin's page
is able to export confidential information, insert data without any
restriction or execute arbitrary code.


[0] https://github.com/mantisbt/mantisbt/commit/bed19db9
[1] https://github.com/mantisbt/mantisbt/commit/80a15487
