Hi team,

A security update is needed for the current mantis stable version (1.1.8+dfsg-10). (The CVE is not yet published.) I have prepared a new version (1.1.8+dfsg-10squeeze1).

Multiple XSS/LFI and remote arbitrary code execution vulnerabilities have been discovered which will work against all 1.2.x releases of MantisBT:

1) XSS injection via PHP_SELF
2) LFI and XSS via bug_actiongroup pages
3) XSS issues with unescaped os, os_build and platform parameters on bug_report_page.php and bug_update_advanced_page.php

Details of these vulnerabilities are provided at [1], [2] and [3]. CVE requests have been submitted to the oss-security mailing list as per [1].

*About debian versions*

mantis | 1.2.6-1 | wheezy
mantis | 1.2.7-1 | sid
1.2.7-1 includes all needed fixes for these vulnerabilities. The wheezy update is ongoing and will be completed tomorrow.

mantis | 1.1.8+dfsg-10 | squeeze
Is only affected by 2) LFI and XSS via bug_actiongroup pages

mantis | 1.1.6+dfsg-2lenny4 | lenny
Is only affected by 1) XSS injection via PHP_SELF

I've just prepared the new security package (mantis_1.1.8+dfsg-10squeeze1) and your revision and confirmation to upload is needed. A debdiff file is attached to this message.

Now I'm working on the 1.1.6 security version to solve these issues, in collaboration with the MantisBT Team. Within a few days I will send the security update for old-stable.

Please advise if assistance is required or you need more information.

Thanks in advance for your time.

Best regards,
Sils

[1] http://www.openwall.com/lists/oss-security/2011/09/04/1
[2] http://www.mantisbt.org/bugs/view.php?id=13191
[3] http://www.mantisbt.org/bugs/view.php?id=13281

PS: please cc me, I'm not on the debian-security list.
diff -Nru mantis-1.1.8+dfsg/debian/changelog mantis-1.1.8+dfsg/debian/changelog --- mantis-1.1.8+dfsg/debian/changelog 2010-10-31 17:10:10.000000000 +0100 +++ mantis-1.1.8+dfsg/debian/changelog 2011-09-08 01:52:21.000000000 +0200 @@ -1,3 +1,17 @@ +mantis (1.1.8+dfsg-10squeeze1) stable-security; urgency=high + + * Urgency high: Fixes critical LFI/XSS vulnerabilites (BTS #640297) + 1) XSS injection via PHP_SELF : not affected + 2) LFI and XSS via bug_actiongroup pages: fixed + 3) Projax XSS issues with unescaped parameters: not affected + * debian/patches: + + added: Multiple vulnerabilities (LFI/XSS injection) + Thanks to David Hicks, MantisBT developer. + 11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff + 12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff + + -- Silvia Alvarez <sils@powered-by-linux.com> Tue, 06 Sep 2011 08:33:40 +0200 + mantis (1.1.8+dfsg-10) unstable; urgency=low * debian/po/vi.po: Updated. (Closes: #601930) diff -Nru mantis-1.1.8+dfsg/debian/patches/11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff mantis-1.1.8+dfsg/debian/patches/11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff --- mantis-1.1.8+dfsg/debian/patches/11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff 1970-01-01 01:00:00.000000000 +0100 +++ mantis-1.1.8+dfsg/debian/patches/11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff 2011-09-08 01:52:21.000000000 +0200 
@@ -0,0 +1,295 @@ +# +# Description: LFI and XSS via group actions 1 +# Implements checking to see which options are available +# to the user for the issues which are currently shown on +# view bug pages. Options are only displayed in the +# dropdown list if the user is able to use the option on at +# least one of the bugs displayed. +# Author: David Hicks <d@hx.id.au> +# Bug: http://www.mantisbt.org/bugs/view.php?id=13281 +# Last-Update: 2011-09-05 +# +Index: mantis/core/columns_api.php +=================================================================== +--- mantis.orig/core/columns_api.php 2011-09-06 07:43:27.409465292 +0200 ++++ mantis/core/columns_api.php 2011-09-06 07:43:59.402065926 +0200 +@@ -383,11 +383,23 @@ + # $p_columns_target: see COLUMNS_TARGET_* in constant_inc.php + function print_column_selection( $p_row, $p_columns_target = COLUMNS_TARGET_VIEW_PAGE ) { + if ( $p_columns_target != COLUMNS_TARGET_CSV_PAGE ) { +- global $t_checkboxes_exist, $t_update_bug_threshold; +- ++ global $g_checkboxes_exist; + echo '<td>'; +- if ( access_has_bug_level( $t_update_bug_threshold, $p_row['id'] ) ) { +- $t_checkboxes_exist = true; ++ if( access_has_any_project( config_get( 'report_bug_threshold', null, null, $p_bug->project_id ) ) || ++ # !TODO: check if any other projects actually exist for the bug to be moved to ++ access_has_project_level( config_get( 'move_bug_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) || ++ # !TODO: factor in $g_auto_set_status_to_assigned == ON ++ access_has_project_level( config_get( 'update_bug_assign_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) || ++ access_has_project_level( config_get( 'update_bug_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) || ++ access_has_project_level( config_get( 'delete_bug_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) || ++ # !TODO: check to see if the bug actually has any different selectable workflow states ++ 
access_has_project_level( config_get( 'update_bug_status_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) || ++ access_has_project_level( config_get( 'set_bug_sticky_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) || ++ access_has_project_level( config_get( 'change_view_status_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) || ++ access_has_project_level( config_get( 'add_bugnote_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) || ++ access_has_project_level( config_get( 'tag_attach_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) || ++ access_has_project_level( config_get( 'roadmap_update_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ) { ++ $g_checkboxes_exist = true; + printf( "<input type=\"checkbox\" name=\"bug_arr[]\" value=\"%d\" />" , $p_row['id'] ); + } else { + echo " "; +Index: mantis/core/print_api.php +=================================================================== +--- mantis.orig/core/print_api.php 2011-09-06 07:43:59.330064579 +0200 ++++ mantis/core/print_api.php 2011-09-06 07:43:59.406066005 +0200 +@@ -28,6 +28,7 @@ + require_once( $t_core_dir . 'prepare_api.php' ); + require_once( $t_core_dir . 'profile_api.php' ); + require_once( $t_core_dir . 'last_visited_api.php' ); ++ require_once( $t_core_dir . 'bug_group_action_api.php' ); + + ### Print API ### + +@@ -1001,67 +1002,20 @@ + } # end for + } + # -------------------- +- # @@@ preliminary support for multiple bug actions. 
+- function print_all_bug_action_option_list() { +- $commands = array( 'MOVE' => lang_get('actiongroup_menu_move'), +- 'COPY' => lang_get('actiongroup_menu_copy'), +- 'ASSIGN' => lang_get('actiongroup_menu_assign'), +- 'CLOSE' => lang_get('actiongroup_menu_close'), +- 'DELETE' => lang_get('actiongroup_menu_delete'), +- 'RESOLVE' => lang_get('actiongroup_menu_resolve'), +- 'SET_STICKY' => lang_get( 'actiongroup_menu_set_sticky' ), +- 'UP_PRIOR' => lang_get('actiongroup_menu_update_priority'), +- 'UP_STATUS' => lang_get('actiongroup_menu_update_status'), +- 'UP_CATEGORY' => lang_get('actiongroup_menu_update_category'), +- 'VIEW_STATUS' => lang_get( 'actiongroup_menu_update_view_status' ), +- 'EXT_ADD_NOTE' => lang_get( 'actiongroup_menu_add_note' ), +- 'EXT_ATTACH_TAGS' => lang_get( 'actiongroup_menu_attach_tags' ), +- ); +- +- $t_project_id = helper_get_current_project(); +- +- if ( ALL_PROJECTS != $t_project_id ) { +- $t_user_id = auth_get_current_user_id(); +- +- if ( access_has_project_level( config_get( 'update_bug_threshold' ), $t_project_id ) ) { +- $commands['UP_FIXED_IN_VERSION'] = lang_get( 'actiongroup_menu_update_fixed_in_version' ); +- } +- +- if ( access_has_project_level( config_get( 'roadmap_update_threshold' ), $t_project_id ) ) { +- $commands['UP_TARGET_VERSION'] = lang_get( 'actiongroup_menu_update_target_version' ); +- } +- +- $t_custom_field_ids = custom_field_get_linked_ids( $t_project_id ); +- +- foreach( $t_custom_field_ids as $t_custom_field_id ) { +- # if user has not access right to modify the field, then there is no +- # point in showing it. +- if ( !custom_field_has_write_access_to_project( $t_custom_field_id, $t_project_id, $t_user_id ) ) { +- continue; +- } +- +- $t_custom_field_def = custom_field_get_definition( $t_custom_field_id ); +- $t_command_id = 'custom_field_' . 
$t_custom_field_id; +- $t_command_caption = sprintf( lang_get( 'actiongroup_menu_update_field' ), lang_get_defaulted( $t_custom_field_def['name'] ) ); +- $commands[$t_command_id] = string_display( $t_command_caption ); +- } ++ /** ++ * Print a dropdown list of all bug actions available to a user for a specified ++ * set of projects. ++ * @param array $p_projects An array containing one or more project IDs ++ * @return null ++ */ ++ function print_all_bug_action_option_list( $p_project_ids = null ) { ++ $t_commands = bug_group_action_get_commands( $p_project_ids); ++ while( list( $t_action_id, $t_action_label ) = each( $t_commands ) ) { ++ echo '<option value="' . $t_action_id . '">' . $t_action_label . '</option>'; + } ++ } + +- $t_custom_group_actions = config_get( 'custom_group_actions' ); +- +- foreach( $t_custom_group_actions as $t_custom_group_action ) { +- # use label if provided to get the localized text, otherwise fallback to action name. +- if ( isset( $t_custom_group_action['label'] ) ) { +- $commands[$t_custom_group_action['action']] = lang_get_defaulted( $t_custom_group_action['label'] ); +- } else { +- $commands[$t_custom_group_action['action']] = lang_get_defaulted( $t_custom_group_action['action'] ); +- } +- } + +- while (list ($key,$val) = each ($commands)) { +- PRINT "<option value=\"".$key."\">".$val."</option>"; +- } +- } + # -------------------- + # list of users that are NOT in the specified project and that are enabled + # if no project is specified use the current project +Index: mantis/core/bug_group_action_api.php +=================================================================== +--- mantis.orig/core/bug_group_action_api.php 2011-09-06 07:43:27.425465594 +0200 ++++ mantis/core/bug_group_action_api.php 2011-09-06 07:45:24.127656147 +0200 +@@ -151,4 +151,126 @@ + $t_function_name = 'action_' . $p_action . 
'_process'; + return $t_function_name( $p_bug_id ); + } ++ ++/** ++ * Get a list of bug group actions available to the current user for one or ++ * more projects. ++ * @param array $p_projects An array containing one or more project IDs ++ * @return null ++ */ ++function bug_group_action_get_commands( $p_project_ids = null ) { ++ if ( $p_project_ids === null || count( $p_project_ids ) == 0 ) { ++ $p_project_ids = array( ALL_PROJECTS ); ++ } ++ ++ $t_commands = array(); ++ foreach( $p_project_ids as $t_project_id ) { ++ ++ if( !isset( $t_commands['MOVE'] ) && ++ access_has_project_level( config_get( 'move_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) { ++ $t_commands['MOVE'] = lang_get( 'actiongroup_menu_move' ); ++ } ++ ++ if( !isset( $t_commands['COPY'] ) && ++ access_has_any_project( config_get( 'report_bug_threshold', null, null, $t_project_id ) ) ) { ++ $t_commands['COPY'] = lang_get( 'actiongroup_menu_copy' ); ++ } ++ ++ if( !isset( $t_commands['ASSIGN'] ) && ++ access_has_project_level( config_get( 'update_bug_assign_threshold', null, null, $t_project_id ), $t_project_id ) ) { ++ if( ON == config_get( 'auto_set_status_to_assigned', null, null, $t_project_id ) && ++ access_has_project_level( access_get_status_threshold( config_get( 'bug_assigned_status', null, null, $t_project_id ), $t_project_id ), $t_project_id ) ) { ++ $t_commands['ASSIGN'] = lang_get( 'actiongroup_menu_assign' ); ++ } else { ++ $t_commands['ASSIGN'] = lang_get( 'actiongroup_menu_assign' ); ++ } ++ } ++ ++ if( !isset( $t_commands['CLOSE'] ) && ++ access_has_project_level( config_get( 'update_bug_status_threshold', null, null, $t_project_id ), $t_project_id ) && ++ access_has_project_level( config_get( 'allow_reporter_close', null, null, $t_project_id ), $t_project_id ) ) { ++ $t_commands['CLOSE'] = lang_get( 'actiongroup_menu_close' ); ++ } ++ ++ if( !isset( $t_commands['DELETE'] ) && ++ access_has_project_level( config_get( 'delete_bug_threshold', null, null, $t_project_id 
), $t_project_id ) ) { ++ $t_commands['DELETE'] = lang_get( 'actiongroup_menu_delete' ); ++ } ++ ++ if( !isset( $t_commands['RESOLVE'] ) && ++ access_has_project_level( config_get( 'update_bug_status_threshold', null, null, $t_project_id ), $t_project_id ) && ++ access_has_project_level( access_get_status_threshold( config_get( 'bug_resolved_status_threshold', null, null, $t_project_id ), $t_project_id ), $t_project_id ) ) { ++ $t_commands['RESOLVE'] = lang_get( 'actiongroup_menu_resolve' ); ++ } ++ ++ if( !isset( $t_commands['SET_STICKY'] ) && ++ access_has_project_level( config_get( 'set_bug_sticky_threshold', null, null, $t_project_id ), $t_project_id ) ) { ++ $t_commands['SET_STICKY'] = lang_get( 'actiongroup_menu_set_sticky' ); ++ } ++ ++ if( !isset( $t_commands['UP_PRIOR'] ) && ++ access_has_project_level( config_get( 'update_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) { ++ $t_commands['UP_PRIOR'] = lang_get( 'actiongroup_menu_update_priority' ); ++ } ++ ++ if( !isset( $t_commands['UP_STATUS'] ) && ++ access_has_project_level( config_get( 'update_bug_status_threshold', null, null, $t_project_id ), $t_project_id ) ) { ++ $t_commands['UP_STATUS'] = lang_get( 'actiongroup_menu_update_status' ); ++ } ++ ++ if( !isset( $t_commands['UP_CATEGORY'] ) && ++ access_has_project_level( config_get( 'update_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) { ++ $t_commands['UP_CATEGORY'] = lang_get( 'actiongroup_menu_update_category' ); ++ } ++ ++ if( !isset( $t_commands['VIEW_STATUS'] ) && ++ access_has_project_level( config_get( 'change_view_status_threshold', null, null, $t_project_id ), $t_project_id ) ) { ++ $t_commands['VIEW_STATUS'] = lang_get( 'actiongroup_menu_update_view_status' ); ++ } ++ ++ if( !isset( $t_commands['EXT_ADD_NOTE'] ) && ++ access_has_project_level( config_get( 'add_bugnote_threshold', null, null, $t_project_id ), $t_project_id ) ) { ++ $t_commands['EXT_ADD_NOTE'] = lang_get( 'actiongroup_menu_add_note' ); ++ } ++ 
++ if( !isset( $t_commands['EXT_ATTACH_TAGS'] ) && ++ access_has_project_level( config_get( 'tag_attach_threshold', null, null, $t_project_id ), $t_project_id ) ) { ++ $t_commands['EXT_ATTACH_TAGS'] = lang_get( 'actiongroup_menu_attach_tags' ); ++ } ++ ++ if( !isset( $t_commands['UP_FIXED_IN_VERSION'] ) && ++ access_has_project_level( config_get( 'update_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) { ++ $t_commands['UP_FIXED_IN_VERSION'] = lang_get( 'actiongroup_menu_update_fixed_in_version' ); ++ } ++ ++ if( !isset( $t_commands['UP_TARGET_VERSION'] ) && ++ access_has_project_level( config_get( 'roadmap_update_threshold', null, null, $t_project_id ), $t_project_id ) ) { ++ $t_commands['UP_TARGET_VERSION'] = lang_get( 'actiongroup_menu_update_target_version' ); ++ } ++ ++ $t_custom_field_ids = custom_field_get_linked_ids( $t_project_id ); ++ foreach( $t_custom_field_ids as $t_custom_field_id ) { ++ if( !custom_field_has_write_access_to_project( $t_custom_field_id, $t_project_id ) ) { ++ continue; ++ } ++ $t_custom_field_def = custom_field_get_definition( $t_custom_field_id ); ++ $t_command_id = 'custom_field_' . $t_custom_field_id; ++ $t_command_caption = sprintf( lang_get( 'actiongroup_menu_update_field' ), lang_get_defaulted( $t_custom_field_def['name'] ) ); ++ $t_commands[$t_command_id] = string_display( $t_command_caption ); ++ } ++ } ++ ++ $t_custom_group_actions = config_get( 'custom_group_actions' ); ++ ++ foreach( $t_custom_group_actions as $t_custom_group_action ) { ++ # use label if provided to get the localized text, otherwise fallback to action name. 
++ if( isset( $t_custom_group_action['label'] ) ) { ++ $t_commands[$t_custom_group_action['action']] = lang_get_defaulted( $t_custom_group_action['label'] ); ++ } else { ++ $t_commands[$t_custom_group_action['action']] = lang_get_defaulted( $t_custom_group_action['action'] ); ++ } ++ } ++ ++ return $t_commands; ++} + ?> +Index: mantis/view_all_inc.php +=================================================================== +--- mantis.orig/view_all_inc.php 2011-09-06 07:43:27.437465819 +0200 ++++ mantis/view_all_inc.php 2011-09-06 07:43:59.406066005 +0200 +@@ -38,10 +38,9 @@ + list( $t_dir, ) = split( ',', $t_filter['dir'] ); + } + +- $t_checkboxes_exist = false; ++ $g_checkboxes_exist = false; + + $t_icon_path = config_get( 'icon_path' ); +- $t_update_bug_threshold = config_get( 'update_bug_threshold' ); + + $t_columns = helper_get_columns_to_view( COLUMNS_TARGET_VIEW_PAGE ); + +@@ -186,11 +185,11 @@ + <tr> + <td class="left" colspan="<?php echo $col_count-2; ?>"> + <?php +- if ( $t_checkboxes_exist && ON == config_get( 'use_javascript' ) ) { ++ if ( $g_checkboxes_exist && ON == config_get( 'use_javascript' ) ) { + echo "<input type=\"checkbox\" name=\"all_bugs\" value=\"all\" onclick=\"checkall('bug_action', this.form.all_bugs.checked)\" /><span class=\"small\">" . lang_get( 'select_all' ) . '</span>'; + } + +- if ( $t_checkboxes_exist ) { ++ if ( $g_checkboxes_exist ) { + ?> + <select name="action"> + <?php print_all_bug_action_option_list() ?> diff -Nru mantis-1.1.8+dfsg/debian/patches/12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff mantis-1.1.8+dfsg/debian/patches/12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff --- mantis-1.1.8+dfsg/debian/patches/12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff 1970-01-01 01:00:00.000000000 +0100 +++ mantis-1.1.8+dfsg/debian/patches/12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff 2011-09-08 01:52:21.000000000 +0200 
@@ -0,0 +1,158 @@ +# +# Description: LFI and XSS via group actions 2 +# Rework the bug action group api to convert this to an object +# and to validate calls to require once. +# This leads to a security issue identified by IBM Appscan +# program, whereby calls to require_once are not validated. +# 
From: https://github.com/mantisbt/mantisbt/commit/5b93161f3ece2f73410c296fed8522f6475d273d +# Bug: http://www.mantisbt.org/bugs/view.php?id=13281 +# Last-Update: 2011-09-05 +# +Index: mantis/bug_actiongroup_ext.php +=================================================================== +--- mantis.orig/bug_actiongroup_ext.php 2011-09-07 22:57:53.597258693 +0200 ++++ mantis/bug_actiongroup_ext.php 2011-09-07 23:00:18.627936560 +0200 +@@ -37,9 +37,10 @@ + $f_action = gpc_get_string( 'action' ); + $f_bug_arr = gpc_get_int_array( 'bug_arr', array() ); + +- $t_action_include_file = 'bug_actiongroup_' . $f_action . '_inc.php'; ++ $t_form_name = 'bug_actiongroup_' . $f_action; ++ + +- require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . $t_action_include_file ); ++ bug_group_action_init( $f_action ); + + # group bugs by project + $t_projects_bugs = array(); +Index: mantis/bug_actiongroup_ext_page.php +=================================================================== +--- mantis.orig/bug_actiongroup_ext_page.php 2011-09-07 22:57:53.605258836 +0200 ++++ mantis/bug_actiongroup_ext_page.php 2011-09-07 23:01:07.460837898 +0200 +@@ -25,25 +25,11 @@ + + require_once( $t_core_path.'bug_group_action_api.php' ); + +- auth_ensure_user_authenticated(); +- +- $f_action = gpc_get_string( 'action' ); +- $f_bug_arr = gpc_get_int_array( 'bug_arr', array() ); +- +- # redirect to view issues if nothing is selected +- if ( is_blank( $f_action ) || ( 0 == sizeof( $f_bug_arr ) ) ) { +- print_header_redirect( 'view_all_bug_page.php' ); +- } +- +- # redirect to view issues page if action doesn't have ext_* prefix. +- # This should only occur if this page is called directly. +- $t_external_action_prefix = 'EXT_'; +- if ( strpos( $f_action, $t_external_action_prefix ) !== 0 ) { +- print_header_redirect( 'view_all_bug_page.php' ); +- } + + $t_external_action = strtolower( substr( $f_action, strlen( $t_external_action_prefix ) ) ); +- $t_form_fields_page = 'bug_actiongroup_' . 
$t_external_action . '_inc.php'; ++ $t_form_name = 'bug_actiongroup_' . $t_external_action; ++ ++ bug_group_action_init( $t_external_action ); + + bug_group_action_print_top(); + ?> +@@ -53,7 +39,6 @@ + <div align="center"> + <form method="post" action="bug_actiongroup_ext.php"> + <input type="hidden" name="action" value="<?php echo string_attribute( $t_external_action ) ?>" /> +- <input type="hidden" name="action" value="<?php echo string_attribute( $t_external_action ) ?>" /> + <table class="width75" cellspacing="1"> + <?php + bug_group_action_print_title( $t_external_action ); +Index: mantis/bug_actiongroup_page.php +=================================================================== +--- mantis.orig/bug_actiongroup_page.php 2011-09-07 22:57:53.613258990 +0200 ++++ mantis/bug_actiongroup_page.php 2011-09-07 23:00:18.627936560 +0200 +@@ -41,6 +41,8 @@ + # run through the issues to see if they are all from one project + $t_project_id = ALL_PROJECTS; + $t_multiple_projects = false; ++ $t_projects = array(); ++ + foreach( $f_bug_arr as $t_bug_id ) { + $t_bug = bug_get( $t_bug_id ); + if ( $t_project_id != $t_bug->project_id ) { +@@ -48,11 +50,13 @@ + $t_multiple_projects = true; + } else { + $t_project_id = $t_bug->project_id; ++ $t_projects[$t_project_id] = $t_project_id; + } + } + } + if ( $t_multiple_projects ) { + $t_project_id = ALL_PROJECTS; ++ $t_projects[ALL_PROJECTS] = ALL_PROJECTS; + } + # override the project if necessary + if( $t_project_id != helper_get_current_project() ) { +Index: mantis/core/bug_group_action_api.php +=================================================================== +--- mantis.orig/core/bug_group_action_api.php 2011-09-07 23:00:18.615936333 +0200 ++++ mantis/core/bug_group_action_api.php 2011-09-07 23:00:18.627936560 +0200 +@@ -22,6 +22,26 @@ + # -------------------------------------------------------- + ?> + <?php ++ ++ /** ++ * Initialise bug action group api ++ */ ++ function bug_group_action_init( $p_action ) { ++ 
$t_valid_actions = bug_group_action_get_commands( current_user_get_accessible_projects() ); ++ $t_action = strtoupper( $p_action ); ++ ++ if ( !isset( $t_valid_actions[$t_action] ) && !isset ( $t_valid_actions['EXT_' . $t_action] ) ) { ++ trigger_error( ERROR_GENERIC, ERROR ); ++ } ++ ++ $t_include_file = config_get_global( 'absolute_path' ) . 'bug_actiongroup_' . $p_action . '_inc.php'; ++ if ( !file_exists( $t_include_file ) ) { ++ trigger_error( ERROR_GENERIC, ERROR ); ++ } else { ++ require_once( $t_include_file ); ++ } ++ } ++ + /** + * Print the top part for the bug action group page. + */ +@@ -103,7 +123,6 @@ + * @param $p_action The custom action name without the "EXT_" prefix. + */ + function bug_group_action_print_action_fields( $p_action ) { +- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' ); + $t_function_name = 'action_' . $p_action . '_print_fields'; + $t_function_name(); + } +@@ -115,7 +134,6 @@ + * @param $p_action The custom action name without the "EXT_" prefix. + */ + function bug_group_action_print_title( $p_action ) { +- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' ); + $t_function_name = 'action_' . $p_action . '_print_title'; + $t_function_name(); + } +@@ -131,7 +149,6 @@ + * @returns array( bug_id => reason for failure to validate ) + */ + function bug_group_action_validate( $p_action, $p_bug_id ) { +- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' ); + $t_function_name = 'action_' . $p_action . '_validate'; + return $t_function_name( $p_bug_id ); + } +@@ -147,7 +164,6 @@ + * @returns array( bug_id => reason for failure to process ) + */ + function bug_group_action_process( $p_action, $p_bug_id ) { +- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . 
'_inc.php' ); + $t_function_name = 'action_' . $p_action . '_process'; + return $t_function_name( $p_bug_id ); + } diff -Nru mantis-1.1.8+dfsg/debian/patches/series mantis-1.1.8+dfsg/debian/patches/series --- mantis-1.1.8+dfsg/debian/patches/series 2010-10-28 15:13:46.000000000 +0200 +++ mantis-1.1.8+dfsg/debian/patches/series 2011-09-08 01:52:21.000000000 +0200 @@ -8,3 +8,5 @@ 08-CVE-2010-2574.diff 09-CVE-2010-3303-04-and-05.diff 10-CVE-2010-3763.diff +11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff +12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff
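Review bot: in the debian/changelog hunk, the "* Urgency high:" line misspells "vulnerabilities" as "vulnerabilites", and the bug reference is written as "(BTS #640297)" rather than the "(Closes: #640297)" form that the archive tooling recognises, so the bug will not be closed automatically on upload. Since the CVE ids are still pending, stating that explicitly in the entry ("CVE ids not yet assigned") would make it easier to amend the advisory text later.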
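Review bot: the core/columns_api.php hunk references `$p_bug->project_id` in every `config_get( ..., $p_bug->project_id )` call inside `print_column_selection()`, but that function's parameter is `$p_row` and `$p_bug` is never defined in its scope, so every lookup runs with a null project id (and PHP emits undefined-variable notices). The removed code used `$p_row['id']`; the project id should be derived from the row as well, for example `bug_get_field( $p_row['id'], 'project_id' )`, or `$p_row['project_id']` if the view query already selects that column, and assigned once to a local before the `||` chain rather than recomputed a dozen times.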
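Review bot: in the core/print_api.php hunk, the docblock for `print_all_bug_action_option_list()` documents `@param array $p_projects` while the parameter is `$p_project_ids`, and `@return null` should be `@return void`. More importantly, given the changelog describes this as an XSS fix, the `echo '<option value="' . $t_action_id . '">' . $t_action_label . '</option>'` line emits both the option value and label unescaped; the custom-field captions already go through `string_display()` in `bug_group_action_get_commands()`, so for consistency the value should be wrapped in `string_attribute()` and the label in `string_display()` here, which covers the `custom_group_actions` entries that are currently emitted raw.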
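Review bot: in the core/bug_group_action_api.php hunk that adds `bug_group_action_get_commands()`, the ASSIGN block has an `if`/`else` whose two branches are identical (both set `$t_commands['ASSIGN'] = lang_get( 'actiongroup_menu_assign' )`), so the `auto_set_status_to_assigned` / `bug_assigned_status` check is dead code; either it should gate the command (put the assignment only in the `if` branch) or the conditional should be dropped. In the CLOSE block, `allow_reporter_close` is an ON/OFF switch in MantisBT's configuration, not an access level, so passing it to `access_has_project_level()` compares the user's level against 0 or 1 and is effectively always true; the intended check is probably `ON == config_get( 'allow_reporter_close', ... )` combined with the reporter test, or it should simply be removed. The custom-field loop also drops the `$t_user_id` argument that the removed code passed to `custom_field_has_write_access_to_project()`; that is fine only if the third parameter is optional and defaults to the current user in 1.1.8, which should be verified. Finally the docblock says `@param array $p_projects` / `@return null` for a function taking `$p_project_ids` and returning an array.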
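Review bot: in the bug_actiongroup_ext.php hunk, `$t_form_name = 'bug_actiongroup_' . $f_action;` is assigned but nothing in the hunk uses it (the new code only calls `bug_group_action_init( $f_action )`), and an extra blank line is introduced after it; the assignment looks like a leftover from the replaced `$t_action_include_file` line and should be removed.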
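Review bot: the bug_actiongroup_ext_page.php hunk removes too much: it deletes `auth_ensure_user_authenticated()`, the `$f_action = gpc_get_string( 'action' )` and `$f_bug_arr` reads, the empty-selection redirect and the `$t_external_action_prefix = 'EXT_'` check, yet the unchanged line immediately below, `$t_external_action = strtolower( substr( $f_action, strlen( $t_external_action_prefix ) ) );`, still uses `$f_action` and `$t_external_action_prefix`, which are now undefined. As written the page also no longer requires authentication before rendering the action form. Only the `$t_form_fields_page` assignment needed to be replaced by the `bug_group_action_init()` call; the removed block should be restored, and the result compared against the upstream commit 5b93161 named in the patch header.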
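Review bot: the bug_actiongroup_page.php hunk builds a `$t_projects` array (one entry per bug project, plus `ALL_PROJECTS` when `$t_multiple_projects` is set) but nothing in the diff consumes it; presumably it is meant to be passed as `print_all_bug_action_option_list( $t_projects )` so the dropdown on that page is restricted to actions the user actually has on the selected bugs, and that call should be part of the patch. Note also that in the multi-project case the array keeps the individual ids alongside `ALL_PROJECTS`, so `bug_group_action_get_commands()` will take the union of both.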
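Review bot: in the core/bug_group_action_api.php hunk adding `bug_group_action_init()`, the two `trigger_error( ERROR_GENERIC, ERROR )` calls are not followed by a `return`, so the subsequent `require_once` is only prevented because MantisBT's error handler terminates on ERROR; an explicit `return` after each would make the whitelist check hold even if error handling is changed. The include path is built from the raw `$p_action` while the whitelist is checked against `strtoupper( $p_action )`; using a validated key for the file name (or at least rejecting anything that is not `[A-Za-z0-9_]`) keeps the two in step. Since `bug_group_action_print_action_fields()`, `_print_title()`, `_validate()` and `_process()` no longer `require_once` the include file themselves, their docblocks should state that `bug_group_action_init()` must be called first.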
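Review bot: the view_all_inc.php hunk renames `$t_checkboxes_exist` to `$g_checkboxes_exist` so that `print_column_selection()` can set it via `global $g_checkboxes_exist`; this only works if view_all_inc.php is executed at file scope (included directly from the page, not inside a function). Worth confirming for 1.1.8, and the `$t_update_bug_threshold` removal is consistent with columns_api.php no longer reading it.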