View Issue Details

ID: 0023921
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-03-29 11:15
Reporter: foolandtom
Assigned To: dregad
Priority: low
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.11.0
Summary: 0023921: CVE-2018-6526: view_all_bug_page Leak path
Description

filter Parameter receiving values can cause site path leakage

url:https://mantisbt.org/bugs/view_all_bug_page.php?filter=1

file:view_all_bug_page.php

Steps To Reproduce

Leakage content:

APPLICATION ERROR

Argument 1 passed to filter_ensure_valid_filter() must be of the type array, string given, called in /srv/www/bugs/core/current_user_api.php on line 252
请使用浏览器的“返回”按钮来返回到上一页,这样您可以找到发生了什么问题或者进行别的操作;您也可以点击导航栏中的其它项。

url:https://mantisbt.org/bugs/view_all_bug_page.php?filter=1

Leaked path :/srv/www/bugs/core/current_user_api.php

Additional Information

The test site is: https://mantisbt.org/bugs/view_all_bug_page.php?filter=1

Direct copy of the address after logging in

Tags: No tags attached.

Relationships

related to 0023925 (closed, vboctor): Site path leakage in error handler

Activities

foolandtom

2018-02-01 22:15

reporter  

1517309582005.jpg (332,840 bytes)

atrol

2018-02-02 02:46

developer   ~0058706

Last edited: 2018-02-02 02:47

Removed version as the problem does not occur in 2.10.0, but just latest code from master branch.

Seems to be caused by changing the error handler when introducing exceptions.

foolandtom

2018-02-02 03:46

reporter   ~0058712

yes

dregad

2018-02-02 05:59

developer   ~0058714

I'll push a fix shortly.

vboctor

2018-02-04 03:29

manager   ~0058732

Removed fixed in version and target version so it doesn't show in changelog since this is a fix for a bug that wasn't released.

dregad

2018-03-29 11:15

developer   ~0059350

Looks like someone requested a CVE for this: https://nvd.nist.gov/vuln/detail/CVE-2018-6526

Unfortunately, they provided incorrect version information to the CNA, so the CVE is listed as affecting <= 2.10.0 which is incorrect.

Related Changesets

MantisBT: master de686a9e

2018-02-02 06:14:42

dregad

Fix PHP error - wrong argument type

Initialize $t_filter variable as array() instead of '' in
current_user_get_bug_filter(), to ensure its type is correct when
calling filter_ensure_valid_filter().

Fixes 0023921
Affected Issues: 0023921
mod - core/current_user_api.php
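
An added illustration of the changeset described above, not MantisBT's own code. The functions ensure_valid_filter_demo, load_filter_demo and render_error_for_client are hypothetical stand-ins; they show why a '' default raises a TypeError whose message carries the server path, how an array() default avoids it, and how an error handler can keep the path out of the response.

```php
<?php
// Added example: simplified stand-ins, not MantisBT's own code.

// Stand-in for filter_ensure_valid_filter(): the array type hint is what
// raises the TypeError when a string arrives.
function ensure_valid_filter_demo(array $p_filter): array {
    return $p_filter + ['_view_type' => 'simple']; // constructed default key
}

// Hypothetical loader: decodes a stored JSON filter, else keeps $p_default.
function load_filter_demo(?string $p_stored, $p_default): array {
    $t_filter = $p_default;
    if ($p_stored !== null) {
        $t_decoded = json_decode($p_stored, true);
        if (is_array($t_decoded)) {
            $t_filter = $t_decoded;
        }
    }
    return ensure_valid_filter_demo($t_filter);
}

// Client-facing error text: generic message only; the exception message,
// file and line (which contain server paths) go to the server log.
function render_error_for_client(Throwable $p_error): string {
    error_log(sprintf('%s: %s @ %s:%d', get_class($p_error),
        $p_error->getMessage(), $p_error->getFile(), $p_error->getLine()));
    return 'APPLICATION ERROR: an internal error occurred.';
}

// Before the fix: default '' (string) reaches the array-typed function.
try {
    load_filter_demo(null, '');
} catch (TypeError $t_error) {
    $t_leaks = strpos($t_error->getMessage(), __FILE__) !== false;
    echo 'raw message contains script path: ', $t_leaks ? 'yes' : 'no', "\n";
    echo 'client sees: ', render_error_for_client($t_error), "\n";
}

// After the fix: default array() satisfies the type hint, no error raised.
$t_filter = load_filter_demo(null, array());
echo 'after fix, filter keys: ', implode(',', array_keys($t_filter)), "\n";

// A stored filter still decodes and passes through, with defaults added.
$t_filter = load_filter_demo('{"status":"open"}', array());
echo 'stored filter keys: ', implode(',', array_keys($t_filter)), "\n";
```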