[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability

Thijs Kinkhorst kink at squirrelmail.org
Mon Oct 31 20:30:19 UTC 2005


On Mon, 2005-10-31 at 17:22 +0100, Moritz Muehlenhoff wrote:
> It's hard to tell whether it's the same issue, as #5959 is non-public, but at
> least there are two different CVE mappings (CVE-2005-2557 and CVE-2005-3337).
> But it might very well be that the CVE description is wrong, as all these mantis
> issues are really confusing.

> So #5959 probably refers to this hunk from the interdiff from the latest mantis
> DSA. (I'm not 100% sure as #6002 is non-public as well and I don't know the
> mantis code in detail):
> 
> --- mantis-0.19.2.orig/bug_actiongroup_page.php
> +++ mantis-0.19.2/bug_actiongroup_page.php
> @@ -114,7 +114,7 @@
>  foreach( $f_bug_arr as $t_bug_id ) {
>         $t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 );
>         $t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td> </tr>\n"
> -               , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, 'summary' )
> +               , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), htmlentities(bug_get_field( $t_bug_id, 'summary' ))
>      );
>         echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '" />' . "\n";
>  }
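Review bot: the escaping is applied only to the summary cell; two lines below, `$t_bug_id` is still concatenated unescaped into the hidden input (`value="' . $t_bug_id . '"`), and the ids in `$f_bug_arr` are request-supplied. Cast each id to int at the top of the loop or pass it through the same escaping so the hidden field cannot break out of its attribute. A charset/quote-style argument to `htmlentities()` (e.g. `ENT_QUOTES`) would also be worth stating explicitly, since the default does not encode single quotes.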
> 
> This would mean that they didn't pull over this security fix into 0.19.3 and in fact it
> is unfixed in sid's 0.19.3 package as well.

This actually _is_ fixed in sid, but upstream fixed it differently from
the previous Debian fix: instead of htmlentities() they used
string_attribute() there which essentially does a htmlspecialchars().

> The other XSS issues from the DSA are fixed in the sid version.

> This hunk from the mantis DSA (#5956 and again non-public, CVE-2005-2556) is also unfixed
> in sid (or has an alternate fix been applied?)
> 
> diff -u mantis-0.19.2/core/database_api.php mantis-0.19.2/core/database_api.php
> --- mantis-0.19.2/core/database_api.php
> +++ mantis-0.19.2/core/database_api.php
> @@ -6,9 +6,16 @@
> 
> +       #
> +       # Patch for #0005956: Database system scanner via variable poisoning
> +       #
> +
> +       if (isset($_REQUEST["g_db_type"]))
> +               die("");
> +
>         ### Database ###
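Review bot: the guard only looks at `g_db_type` in `$_REQUEST`, while any other configuration global this file reads can be poisoned the same way under register_globals; consider checking the full set of protected `g_*` names in one place rather than one key here. `die("")` also produces a blank page with nothing logged, so a failed attempt is invisible to the administrator; emitting an error message and writing a log entry would make the condition detectable.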

I don't know why you think this patch is not applied in sid, since this
code is exactly in the sid version, including that comment with the bug
number.

Concluding, I think current sid covers all of the previous DSA.


regards,
Thijs
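The message above contrasts htmlentities() with string_attribute()/htmlspecialchars() for the summary cell, and the second hunk rejects request-supplied configuration globals. The following PHP script, written for this archive page and not part of Mantis or of either poster's patch, shows on a constructed summary string what the two escaping functions actually change, and wraps the variable-poisoning check in a function so it can be tested. The `$summary` value, the function name `request_sets_protected_config` and the `$protected` list are assumptions made for the example; only `g_db_type` is taken from the thread.

```php
<?php
// Added example for the Secure-testing-team thread; not Mantis code.

// Constructed sample: a bug summary that contains markup, quotes, an
// ampersand and a non-ASCII character, as a user could submit it.
$summary = '<script>alert(1)</script> "Crash" & café';

// htmlentities() encodes the markup characters AND every character that
// has a named HTML entity (é becomes &eacute;).
$withEntities = htmlentities($summary, ENT_QUOTES, 'UTF-8');

// htmlspecialchars() encodes only & < > " ' which is all a browser needs
// to treat the string as text instead of markup; é is left as-is.
$withSpecialChars = htmlspecialchars($summary, ENT_QUOTES, 'UTF-8');

// Either form is safe inside a <td> or an attribute: no raw < or " survives.
foreach ([$withEntities, $withSpecialChars] as $escaped) {
    assert(strpos($escaped, '<') === false);
    assert(strpos($escaped, '"') === false);
}

printf("htmlentities:     %s\n", $withEntities);
printf("htmlspecialchars: %s\n", $withSpecialChars);

// Variable-poisoning guard from the second hunk, generalised to a list of
// protected names. Returns true when the request tries to set any of them.
function request_sets_protected_config(array $request, array $protected): bool
{
    foreach ($protected as $name) {
        if (array_key_exists($name, $request)) {
            return true;
        }
    }
    return false;
}

// g_db_type is the name used in the hunk; extend the list with the other
// configuration globals a given application reads (assumed, not from Mantis).
$protected = ['g_db_type'];

// Constructed requests: one benign, one attempting to override the DB type.
assert(request_sets_protected_config(['bug_id' => '42'], $protected) === false);
assert(request_sets_protected_config(['g_db_type' => 'mysql'], $protected) === true);

// In an application this would run before any config value is used, and
// report rather than silently die("") as the hunk does.
if (request_sets_protected_config($_REQUEST, $protected)) {
    error_log('request attempted to set a protected configuration variable');
    http_response_code(400);
    exit('Invalid request');
}
echo "configuration guard passed\n";
```

Running it from the command line (where `$_REQUEST` is empty) prints the two escaped strings and the guard message; the only visible difference between the two escaping functions on this input is `caf&eacute;` versus `café`, which is why the two Debian and upstream fixes are equivalent for stopping script injection in the summary cell.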