When importing data with the plugin, user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier.
19
-
This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed.
18
+
This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed.
19
+
The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier.
20
+
This allows a remote authenticated attacker to execute arbitrary PHP code in the remote machine.
20
21
},
21
22
'License'=>MSF_LICENSE,
22
23
'Author'=>
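Review bot: the added Description sentence about plugins/XmlImportExport/ImportXml.php is ungrammatical. "passes to preg_replace() function" has no object, and "exists on" should be "exists in". Suggested wording: "which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes it to the preg_replace() function with the /e modifier." The range "1.2.0a3 up to 1.2.17" also leaves it unclear whether 1.2.17 itself is affected; say "up to and including" or "before", whichever applies. The removed text also stated that the input "isn't properly sanitized", which the new wording no longer says; keeping that clause would preserve the root cause for readers.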
@@ -38,7 +39,7 @@ def initialize(info = {})
38
39
[
39
40
OptString.new('USERNAME',[true,'Username to authenticate as','administrator']),
40
41
OptString.new('PASSWORD',[true,'Pasword to authenticate as','root']),
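Review bot: the PASSWORD option description in the context line reads 'Pasword to authenticate as'; since this hunk already touches the options block, correct it to 'Password to authenticate as' in the same commit. The changed line that the @@ -38,7 +39,7 @@ header refers to is not visible among these context lines, so it cannot be checked here.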