VDB
EN
HIGH

GHSA-mw6p-33vw-46cc

MantisBT: SQL Injection via history_order Configuration Value

상세

MantisBT 2.28.3 and earlier versions contains a SQL injection vulnerability in core/history_api.php. The history_order configuration value is concatenated directly into a SQL ORDER BY clause without any sanitisation, parameterization, or validation against a whitelist.

An administrator can set this configuration value via the web UI (adm_config_set.php) or the REST API (PATCH /api/rest/config). The injected SQL then executes whenever any user views a bug with history entries.

### Impact - Sensitive data extraction from the entire bugtracker database including user credentials (cookie_string, password hashes), API tokens, and private issue data - With MySQL FILE privilege: full RCE via INTO OUTFILE writing a PHP webshell to the web root - The admin plants the payload once; any authenticated user viewing a bug with history triggers the injection

### Patches - https://github.com/mantisbt/mantisbt/commit/6ad20bea2e01f33c6e4170775ae4d9dbe2c75325

### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_

### Resources - https://mantisbt.org/bugs/view.php?id=37123

### Credits McCaulay Hudson (@McCaulay) of watchTowr

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Packagist / mantisbt/mantisbt
최초 영향 버전: 0 수정 버전: 2.28.4
수정 composer require mantisbt/mantisbt:^2.28.4

참고