
(-)file_not_specified_in_diff (-17 / +44 lines)
0
-- mantis-0.19.2.orig/login_page.php
0
++ mantis-0.19.2/login_page.php
Lines 139-151 Link Here
139
		}
139
		}
140
	}
140
	}
141
141
142
	# Check if the admin directory is available and is readable.
142
#	# Check if the admin directory is available and is readable.
143
	$t_admin_dir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'admin' . DIRECTORY_SEPARATOR;
143
#	$t_admin_dir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'admin' . DIRECTORY_SEPARATOR;
144
	if ( is_dir( $t_admin_dir ) && is_readable( $t_admin_dir ) ) {
144
#	if ( is_dir( $t_admin_dir ) && is_readable( $t_admin_dir ) ) {
145
			echo '<div class="warning" align="center">', "\n";
145
#			echo '<div class="warning" align="center">', "\n";
146
			echo '<p><font color="red"><strong>WARNING:</strong> Admin directory should be removed.</font></p>', "\n";
146
#			echo '<p><font color="red"><strong>WARNING:</strong> Admin directory should be removed.</font></p>', "\n";
147
			echo '</div>', "\n";
147
#			echo '</div>', "\n";
148
	}
148
#	}
149
?>
149
?>
150
150
151
<!-- Autofocus JS -->
151
<!-- Autofocus JS -->
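Review bot: The admin-directory check at new lines 142-148 of login_page.php is commented out rather than removed, which leaves seven lines of dead code and silently drops an operator-facing security warning without recording why. Delete the block and replace it with a one-line comment stating the reason, e.g. `# Admin directory warning removed: admin/ is not served under the web root in this package` — presumably that is the packaging rationale, but the patch does not say so and it should be confirmed. The enclosing PHP block opens before this hunk.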
152
-- mantis-0.19.2.orig/core/database_api.php
152
++ mantis-0.19.2/core/database_api.php
Lines 6-14 Link Here
6
	# See the README and LICENSE files for details
6
	# See the README and LICENSE files for details
7
7
8
	# --------------------------------------------------------
8
	# --------------------------------------------------------
9
	# $Id: database_api.php,v 1.38 2004/12/09 18:55:06 thraxisp Exp $
9
	# $Id: database_api.php,v 1.5.2.1 2005/08/16 21:38:27 bengen Exp $
10
	# --------------------------------------------------------
10
	# --------------------------------------------------------
11
11
12
	#
13
	# Patch for #0005956: Database system scanner via variable poisoning
14
	#
15
16
	if (isset($_REQUEST["g_db_type"]))
17
		die("");
18
12
	### Database ###
19
	### Database ###
13
20
14
	# This is the general interface for all database calls.
21
	# This is the general interface for all database calls.
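Review bot: The new guard at line 16 of database_api.php rejects only a request carrying `g_db_type`, so if the underlying problem is request variables shadowing `g_*` configuration globals (as the "variable poisoning" title suggests), every other `g_` key remains unprotected by this check. Consider rejecting the whole prefix instead: `foreach (array_keys($_REQUEST) as $t_key) { if (strncmp($t_key, 'g_', 2) == 0) die(''); }`. `die("")` also answers a blocked probe with a blank 200 page, so it is indistinguishable from a broken install in the server logs; emit `header('HTTP/1.0 400 Bad Request');` and an `error_log()` line before exiting. Because the check lives in an include file, any entry point that does not load database_api.php is not covered — worth confirming against the other scripts.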
15
-- mantis-0.19.2.orig/core/filter_api.php
22
++ mantis-0.19.2/core/filter_api.php
Lines 753-759 Link Here
753
?> 
753
?> 
754
754
755
		<br />
755
		<br />
756
		<form method="post" name="filters" action="<?php PRINT $t_action; ?>">
756
		<form method="post" name="filters" action="<?php PRINT htmlentities($t_action); ?>">
757
		<input type="hidden" name="type" value="5" />
757
		<input type="hidden" name="type" value="5" />
758
		<?php
758
		<?php
759
			if ( $p_for_screen == false ) {
759
			if ( $p_for_screen == false ) {
Lines 761-770 Link Here
761
				PRINT '<input type="hidden" name="offset" value="0" />';
761
				PRINT '<input type="hidden" name="offset" value="0" />';
762
			}
762
			}
763
		?>
763
		?>
764
		<input type="hidden" name="sort" value="<?php PRINT $t_sort ?>" />
764
		<input type="hidden" name="sort" value="<?php PRINT htmlentities($t_sort) ?>" />
765
		<input type="hidden" name="dir" value="<?php PRINT $t_dir ?>" />
765
		<input type="hidden" name="dir" value="<?php PRINT htmlentities($t_dir) ?>" />
766
		<input type="hidden" name="page_number" value="<?php PRINT $p_page_number ?>" />
766
		<input type="hidden" name="page_number" value="<?php PRINT htmlentities($p_page_number) ?>" />
767
		<input type="hidden" name="view_type" value="<?php PRINT $t_view_type ?>" />
767
		<input type="hidden" name="view_type" value="<?php PRINT htmlentities($t_view_type) ?>" />
768
		<table class="width100" cellspacing="1">
768
		<table class="width100" cellspacing="1">
769
		
769
		
770
		<?php
770
		<?php
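Review bot: The new `htmlentities()` calls at lines 756 and 764-767 of filter_api.php rely on the default flags and charset, so single quotes are left unescaped (ENT_COMPAT) and non-ASCII bytes are interpreted as ISO-8859-1 in the PHP versions of that era rather than the charset Mantis actually emits, which is not visible here. The attributes are double-quoted, so the quote gap is harmless today, but make the escaping explicit and charset-correct: `htmlspecialchars($t_action, ENT_QUOTES, 'UTF-8')`, and likewise for the four hidden inputs. Any other `PRINT $var` inside this form outside the hunk would need the same treatment.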
771
-- mantis-0.19.2.orig/debian/changelog
771
++ mantis-0.19.2/debian/changelog
Line 0 Link Here
1
mantis (0.19.2-4) stable-security; urgency=HIGH
2
3
  * Maintainer upload for the security team
4
  * Fixes CAN-2005-2556
5
    - Mantis bug#0005956: Fixes "Database system scanner via variable
6
      poisoning" vulnerability
7
  * Fixes CAN-2005-2557
8
    - Mantis bug#0005959: Fixes cross-site-scripting vulnerability in
9
      view_all_set.php
10
    - Mantis bug#0006002: Fixes cross-site-scripting vulnerability in
11
      view_all_bug_page.php
12
  * Thanks to Joxean Koret <joxeankoret@yahoo.es> for pointing these
13
    issues out. Thanks to Glenn Henshaw <thraxisp4@mac.com> for providing
14
    detailed information by sending the BTS entries per mail
15
    
16
    Unfortunately, to my knowledge, upstream developers have neither made
17
    those entries publicly available nor issued warnings after fixing the
18
    bugs.
19
20
 -- Hilko Bengen <bengen@debian.org>  Tue, 16 Aug 2005 23:37:04 +0200
