0023921: CVE-2018-6526: view_all_bug_page Leak path

ID	Project	Category	View Status	Date Submitted	Last Update

0023921	mantisbt	security	public	2018-02-01 22:15	2018-03-29 11:15

Reporter	foolandtom	Assigned To	dregad
Priority	low	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.11.0

Summary	0023921: CVE-2018-6526: view_all_bug_page Leak path
Description	filter Parameter receiving values can cause site path leakage url:https://mantisbt.org/bugs/view_all_bug_page.php?filter=1 file:view_all_bug_page.php
Steps To Reproduce	Leakage content: APPLICATION ERROR Argument 1 passed to filter_ensure_valid_filter() must be of the type array, string given, called in /srv/www/bugs/core/current_user_api.php on line 252 请使用浏览器的“返回”按钮来返回到上一页，这样您可以找到发生了什么问题或者进行别的操作；您也可以点击导航栏中的其它项。 url：https://mantisbt.org/bugs/view_all_bug_page.php?filter=1 Leaked path ：/srv/www/bugs/core/current_user_api.php
Additional Information	The test site is: https://mantisbt.org/bugs/view_all_bug_page.php?filter=1 Direct copy of the address after logging in
Tags	No tags attached.

foolandtom 2018-02-01 22:15 reporter	1517309582005.jpg (332,840 bytes)

atrol 2018-02-02 02:46 developer ~0058706 Last edited: 2018-02-02 02:47	Removed `version` as the problem does not occur in in 2.10.0, but just latest code from master branch. Seems to be caused by changing the error handler when introducing exceptions.

foolandtom 2018-02-02 03:46 reporter ~0058712	yes

dregad 2018-02-02 05:59 developer ~0058714	I'll push a fix shortly.

vboctor 2018-02-04 03:29 manager ~0058732	Removed fixed in version and target version so it doesn't show in changelog since this is a fix for a bug that wasn't released.

dregad 2018-03-29 11:15 developer ~0059350	Looks like someone requested a CVE for this: https://nvd.nist.gov/vuln/detail/CVE-2018-6526 Unfortunately, they provided incorrect version information to the CNA, so the CVE is listed as affecting <= 2.10.0 which is incorrect.

MantisBT: master de686a9e 2018-02-02 06:14:42 dregad Details Diff	Fix PHP error - wrong argument type Initialize $t_filter variable as array() instead of '' in current_user_get_bug_filter(), to ensure its type is correct when calling filter_ensure_valid_filter(). Fixes 0023921		Affected Issues 0023921
	mod - core/current_user_api.php		Diff File