CVE-2014-7146
Published 2014-11-18
Priority P2 · 68 · high · 7.5 (CVSS 2.0)
CVSS 2.0 vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available
EPSS 50.56% (98.8th percentile)
The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mantisbt | mantisbt | <= 1.2.17 (the Exploit-DB and Bugzilla records below give the lower bound as 1.2.0a3) | 1.2.18 |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to plugin.php?page=XmlImportExport/import_action that carry a multipart XML file upload; the payload embeds PHP code that runs through preg_replace's /e modifier via the description field or the issuelink attribute.
- Look for the pattern `{${eval(base64_decode(...))}}` inside uploaded XML files or POST bodies to plugin.php; it is the PHP code-injection construct the public exploit uses against preg_replace /e.
- Detect unauthenticated or low-privilege access to the XmlImportExport import/export pages; the plugin performs no access-level checks, so exploitation is possible even by anonymous users.
- Alert on phpinfo() output in responses from MantisBT endpoints; the Metasploit module confirms exploitation by calling phpinfo() and matching 'This program makes use of the Zend' in the response body.
- Flag XML file uploads to MantisBT whose description field or issuelink attribute contains PHP-executable expressions, consistent with preg_replace /e modifier abuse.
- Exploitation requires the XmlImportExport plugin to be installed; instances without this plugin are not affected.
- The vulnerability is exploitable by any authenticated user, and anonymously if anonymous access is enabled, because the import page performs no access-level check.
- Affected versions are 1.2.0a3 through 1.2.17 inclusive; version 1.2.18 contains the upstream fix.
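The indicators above can be turned into a single check over a captured import request. The block below is an added example written for this page; it is not code from MantisBT, from the Metasploit module or from any of the source records. It extracts the uploaded file from a multipart POST body, parses it with REXML and inspects the two fields the advisory names, the `description` text and the `issuelink` attribute, then classifies the request; it also carries the 1.2.0a3 through 1.2.17 range from the note above as an `affected_version?` helper. Assumptions, not taken from the plugin: the `issuelink` attribute sits on the `<mantis>` root element and descriptions sit under `<issue>` as in a 1.2 export, the multipart field names are invented, and the request body and XML are constructed samples.

```ruby
# Added example, not code from this page, MantisBT or the Metasploit module.
# Scans one captured POST to the XmlImportExport import action for the
# indicators listed above. Assumed rather than taken from the plugin: the
# issuelink attribute sits on the <mantis> root, descriptions under <issue>,
# and the form field names in the constructed sample at the bottom.
require "rexml/document"

IMPORT_PATH = "plugin.php?page=XmlImportExport/import_action".freeze

# With the /e modifier the replacement is eval'd as PHP after the match is
# substituted in, so PHP interpolation syntax in the matched text ({${expr}}
# or ${expr}) becomes expression evaluation. Flag that syntax first, then the
# execution primitives the public module wraps inside it.
INTERPOLATION  = /\$\{/
PHP_PRIMITIVES = /\b(eval|assert|base64_decode|system|passthru|shell_exec|exec)\s*\(/i

def classify(value)
  reasons = []
  reasons << "PHP interpolation syntax" if value =~ INTERPOLATION
  m = PHP_PRIMITIVES.match(value)
  reasons << "PHP execution primitive #{m[1].downcase}()" if m
  reasons
end

# Bodies of the file parts of a multipart/form-data request (CRLF framing).
def multipart_files(body, boundary)
  body.split("--#{boundary}").each_with_object([]) do |part, files|
    head, sep, data = part.partition("\r\n\r\n")
    next if sep.empty? || head !~ /Content-Disposition:[^\r\n]*filename=/i
    files << data.chomp("\r\n")
  end
end

def scan_mantis_xml(xml)
  doc  = REXML::Document.new(xml)
  root = doc.root
  return [{ where: "document", reasons: ["no root element"] }] unless root

  findings = []
  link     = root.attributes["issuelink"].to_s          # (2) builds the regex
  reasons  = classify(link)
  findings << { where: "mantis/@issuelink", value: link, reasons: reasons } unless reasons.empty?
  REXML::XPath.each(doc, "//description") do |node|    # (1) the matched subject
    text    = node.texts.map(&:value).join
    reasons = classify(text)
    findings << { where: node.xpath, value: text, reasons: reasons } unless reasons.empty?
  end
  findings
rescue REXML::ParseException => e
  [{ where: "document", reasons: ["XML parse error: #{e.message.lines.first.to_s.strip}"] }]
end

def assess_request(path, content_type, body)
  return { verdict: :ignore, findings: [] } unless path.include?(IMPORT_PATH)
  boundary = content_type.to_s[/boundary=("?)([^";\r\n]+)\1/, 2]
  # A file-less hit on the import action still deserves a look: the plugin does
  # no access-level check (CVE-2014-8598), so who reached it is the question.
  return { verdict: :review, findings: [] } unless boundary
  findings = multipart_files(body, boundary).flat_map { |xml| scan_mantis_xml(xml) }
  { verdict: findings.empty? ? :review : :malicious, findings: findings }
end

# Affected range quoted above: 1.2.0a3 through 1.2.17 inclusive. Gem::Version
# orders "1.2.0a3" before "1.2.0", the pre-release order we want.
AFFECTED_LOW  = Gem::Version.new("1.2.0a3")
AFFECTED_HIGH = Gem::Version.new("1.2.17")

def affected_version?(version)
  v = Gem::Version.new(version)
  v >= AFFECTED_LOW && v <= AFFECTED_HIGH
rescue ArgumentError
  false
end

# Constructed sample request: the description carries the pattern from the
# indicators above; the base64 decodes to "phpinfo();", the module's own probe.
SAMPLE_BOUNDARY = "----ExampleBoundary7d4e".freeze
SAMPLE_XML = <<~'XML'
  <?xml version="1.0" encoding="UTF-8"?>
  <mantis version="1.2.17" urlbase="http://tracker.example/" issuelink="#" notelink="~" format="1">
    <issue>
      <id>1</id>
      <project id="1">Test</project>
      <summary>Nightly build failure</summary>
      <description>{${eval(base64_decode('cGhwaW5mbygpOw=='))}}</description>
    </issue>
  </mantis>
XML
SAMPLE_BODY = [
  "--#{SAMPLE_BOUNDARY}", 'Content-Disposition: form-data; name="project_id"', "", "1",
  "--#{SAMPLE_BOUNDARY}", 'Content-Disposition: form-data; name="file"; filename="issues.xml"',
  "Content-Type: text/xml", "", SAMPLE_XML.chomp,
  "--#{SAMPLE_BOUNDARY}--", ""
].join("\r\n").freeze

if $PROGRAM_NAME == __FILE__
  r = assess_request("/mantis/plugin.php?page=XmlImportExport/import_action",
                     "multipart/form-data; boundary=#{SAMPLE_BOUNDARY}", SAMPLE_BODY)
  puts "verdict: #{r[:verdict]}"
  r[:findings].each { |f| puts "  #{f[:where]}: #{f[:reasons].join(', ')}" }
end
```

The verdicts are deliberately three-way: `:ignore` for traffic that never touches the import action, `:review` for any request that reaches it (including a clean upload, since the access-control gap means the requester matters), and `:malicious` when a description or the `issuelink` attribute carries PHP interpolation syntax or a known execution primitive. Matching `${` rather than the exact `{${eval(base64_decode(...))}}` string catches variants that swap in another primitive or drop the base64 wrapper. Running this needs the decrypted request body, so it belongs behind a TLS-terminating proxy or a WAF, and it is a compensating control only: the fix is 1.2.18 or removing the plugin.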
GHSA
GHSA-chwc-r8cr-3fff · CVE-2014-8598 · HIGH · ghsa_unreviewed · 2022-05-17 · CVSS 7.5
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.
GHSA
GHSA-7fwg-rf8j-m3gv · CVE-2014-7146 · HIGH · CWE-20 · ghsa_unreviewed · 2022-05-17
The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.
No detection rules found.
Exploit-DB
Mantis Bug Tracker 1.2.0a3 < 1.2.17 XmlImportExport Plugin - PHP Code Injection (Metasploit) (2)
exploitdb · 2014-11-18 · CVE-2014-7146
Excerpt of the module metadata as carried by the source record (cut off there after 'Platform'):
```ruby
      'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability',
      'Description' => %q{
        This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
        The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes it to the preg_replace() function with the /e modifier.
        This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Egidio Romano', # discovery http://karmainsecurity.com
          'Juan Escobar',  # module development @itsecurityco
        ],
      'References' =>
        [
          ['CVE', '2014-7146']
        ],
      'Platform'
```
Exploit-DB
Mantis Bug Tracker 1.2.0a3 < 1.2.17 XmlImportExport Plugin - PHP Code Injection (Metasploit) (1)
exploitdb · 2014-11-18 · CVE-2014-8598
Excerpt of the module metadata as carried by the source record (cut off there inside the description):
```ruby
      'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability',
      'Description' => %q{
        This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
        The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes it to the preg_replace() function with the /e modifier.
        This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine.
        This version also suffers from another issue. The import page is not checking the correct user level
        of the user, so it's possible to exploit this issue with any user including the anonymous one if enabled.
```
Metasploit
MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability
This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed. The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes it to the preg_replace() function with the /e modifier. This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine. This version also suffers from another issue. The import page is not checking the correct user level of the user, so it's possible to exploit this issue with any user including the anonymous one if enabled.
Bugzilla
CVE-2014-7146 CVE-2014-8598 mantis: issues in the XML Import/Export plug-in to be fixed in the upcoming 1.2.18 release
bugzilla · 2014-11-10 · CVSS 7.5 · HIGH
CVE-2014-7146 was assigned to the following issue:
> When importing data with the plugin, user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed.
CVE-2014-8598 was assigned to the following issues:
> The XML Import/Export "official" plugin (i.e. bundled with MantisBT releases) currently does not perform any access level checks in the import and export pages. This leads to the following vulnerabilit
Bugzilla
CVE-2014-8598 CVE-2014-7146 mantis: issues in the XML Import/Export plug-in to be fixed in the upcoming 1.2.18 release [fedora-all]
bugzilla · 2014-11-10 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Bugzilla
CVE-2014-8598 CVE-2014-7146 mantis: issues in the XML Import/Export plug-in to be fixed in the upcoming 1.2.18 release [epel-5]
bugzilla · 2014-11-10 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
References
- http://seclists.org/oss-sec/2014/q4/576
- http://secunia.com/advisories/62101
- http://www.debian.org/security/2015/dsa-3120
- http://www.mantisbt.org/bugs/view.php?id=17725
- http://www.securityfocus.com/bid/70993
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98572
- https://github.com/mantisbt/mantisbt/commit/84017535
- https://github.com/mantisbt/mantisbt/commit/bed19db9
Published 2014-11-18