Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 603
Alerts This Week
Warning Icon 1 603

Arch Linux: ASA-201411-3 Critical: MantisBT SQL Injection Issue

Archlinux Large Esm H446
The package mantisbt before version 1.2.17-3 is vulnerable to SQL injection.
Arch Linux Security Advisory ASA-201411-3
========================================
Severity: Critical
Date    : 2014-11-05
CVE-ID  : CVE-2014-8554
Package : mantisbt
Type    : sql injection
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package mantisbt before version 1.2.17-3 is vulnerable to SQL injection.

Resolution
=========
Upgrade to 1.2.17-3.

# pacman -Syu "mantisbt>=1.2.17-3"

The problem has been fixed upstream [0] but no release version is
available yet.

Workaround
=========
None.

Description
==========
Edwin Gozeling and Wim Visser discovered that when the project_id
parameter of the SOAP-request starts with the integer of a project to
which the user (or anonymous) is authorized, the ENTIRE value will
become the first item of $t_projects. As this value is concatenated in
the SQL statement, SQL-injection becomes possible.

Impact
=====
A remote attacker is able to perform SQL injection via specially crafted
SOAP-requests. Depending on the configuration this can be escalated to
code execution.

References
=========
[0] https://github.com/mantisbt/mantisbt/commit/99ffb0af
https://access.redhat.com/security/cve/CVE-2014-8554
https://seclists.org/oss-sec/2014/q4/478
https://bugs.archlinux.org/task/42683