Mantis *sort* PHP Code Execution Vulnerability

Posted on Friday, October 17, 2008 @ 17:20:32 CDT in Security
by Raven

SECUNIA ADVISORY ID: SA32314

VERIFY ADVISORY: http://secunia.com/advisories/32314/

CRITICAL: Moderately critical

IMPACT: System access

SOFTWARE: Mantis 1.x: http://secunia.com/advisories/product/5571/

DESCRIPTION: EgiX has discovered a vulnerability in Mantis, which can be exploited by malicious users to compromise a vulnerable system. The vulnerability is confirmed in version 1.1.2 and reported in version 1.1.3. Other versions may also be affected.

Input passed to the "sort" parameter in manage_proj_page.php is not properly sanitised before being used in a "create_function()" call. This can be exploited to execute arbitrary PHP code. Successful exploitation requires valid user credentials.
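The pattern described above and a code-level way to avoid it, as an added example that is not part of the advisory and not Mantis source code. The function names, field list and sample data are assumptions made for illustration.

```php
<?php
// Added illustration; not Mantis source. All names below are hypothetical.

// Pattern the advisory describes, kept as a comment only (create_function()
// was removed in PHP 8.0). The request value becomes part of PHP source text
// that is then compiled:
//
//   $cmp = create_function('$a, $b',
//       'return strcmp($a["' . $sort . '"], $b["' . $sort . '"]);');
//
// Hardened form: the request value only selects among fixed keys and is
// never concatenated into code.

const SORTABLE_FIELDS = ['name', 'status', 'enabled', 'view_state']; // assumed columns

function safe_sort_field(?string $requested, string $default = 'name'): string
{
    // Strict comparison: only exact, known field names pass.
    return in_array($requested, SORTABLE_FIELDS, true) ? $requested : $default;
}

function sort_projects(array $projects, ?string $requested, bool $ascending = true): array
{
    $field = safe_sort_field($requested);
    // A closure captures the validated field as data, not as source text.
    usort($projects, function (array $a, array $b) use ($field, $ascending): int {
        $r = strcasecmp((string) $a[$field], (string) $b[$field]);
        return $ascending ? $r : -$r;
    });
    return $projects;
}

// Constructed sample data.
$projects = [
    ['name' => 'webapp', 'status' => 'stable', 'enabled' => '1', 'view_state' => 'public'],
    ['name' => 'api', 'status' => 'development', 'enabled' => '1', 'view_state' => 'private'],
];

// A known field is used as given.
print_r(array_column(sort_projects($projects, 'status'), 'name'));
// A value with stray quote and bracket characters is not a known field,
// so the default field is used instead.
print_r(array_column(sort_projects($projects, 'name"]'), 'name'));
```

The same allowlist check applies wherever a request parameter names a column, property or array key, including when it is passed to an SQL ORDER BY clause.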

SOLUTION: Restrict access to manage_proj_page.php (e.g. with ".htaccess").

PROVIDED AND/OR DISCOVERED BY: EgiX

ORIGINAL ADVISORY: http://milw0rm.com/exploits/6768