CVE-2005-4518
Description
Mantis before 0.19.4 allows remote attackers to bypass the file upload size restriction by modifying the max_file_size parameter to (1) bug_file_add.php, (2) bug_report.php, (3) bug_report_advanced_page.php, and (4) proj_doc_add_page.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Server trusts client-supplied `max_file_size` parameter instead of enforcing the upload limit server-side."
Attack vector
An anonymous remote attacker can bypass the intended 2,000k file size restriction by modifying the `max_file_size` hidden form parameter in the POST request to an arbitrarily large value [ref_id=1]. The attacker sends a crafted multipart POST request to any of the four vulnerable upload scripts (bug_file_add.php, bug_report.php, bug_report_advanced_page.php, proj_doc_add_page.php) with the `max_file_size` parameter set to a value larger than 2000000 [ref_id=1]. Because the server trusts the client-provided size limit, the uploaded file is accepted and stored directly into the database, potentially filling available disk space and causing a denial of service [ref_id=1].
Affected code
The vulnerable upload forms are in bug_file_add.php, bug_report.php, bug_report_advanced_page.php, and proj_doc_add_page.php [ref_id=1]. These scripts accept a hidden form parameter `max_file_size` from the client to enforce upload limits, but do not validate or override the client-supplied value on the server side [ref_id=1].
What the fix does
The advisory states that the vendor released Mantis 0.19.4 (and 1.0.0rc4) to address these issues [ref_id=1]. No patch diff is provided in the bundle, but the fix would require the server to enforce the file size limit server-side rather than trusting the client-supplied `max_file_size` parameter, for example by checking the actual uploaded file size against a hardcoded or server-configured maximum before storing it in the database [ref_id=1].
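The difference between trusting the form field and enforcing the limit on the server, as an added example (not Mantis code and not the vendor's patch). The function names are hypothetical, the 2,000,000-byte ceiling is taken from the limit cited above, and the sample upload is constructed:

```php
<?php
// Added example; function names are hypothetical, not Mantis code.
// Server-side ceiling: assumed value, taken from the 2,000k limit the page cites.
const SERVER_MAX_BYTES = 2000000;

// "Before": the limit comes from the request, so the sender chooses it.
function size_ok_trusting_client(array $file, array $post): bool
{
    $limit = (int) ($post['max_file_size'] ?? 0);
    return $file['size'] <= $limit;
}

// "After": the limit is server configuration; the request field is ignored.
function size_ok_server_side(array $file, int $limit = SERVER_MAX_BYTES): bool
{
    // PHP reports its own limit violations (upload_max_filesize and so on)
    // through the error code, so anything but UPLOAD_ERR_OK is rejected.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return false;
    }
    // Measure the stored temp file rather than relying on request metadata.
    // A real handler should also require is_uploaded_file($file['tmp_name']).
    $size = @filesize($file['tmp_name']);
    return $size !== false && $size <= $limit;
}

// Constructed sample: a 3,000,000-byte temp file standing in for an upload,
// with the form field raised the way the advisory describes.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, str_repeat('A', 3000000));
$file = ['tmp_name' => $tmp, 'size' => 3000000, 'error' => UPLOAD_ERR_OK];
$post = ['bug_id' => '1', 'max_file_size' => '999999999'];

var_dump(size_ok_trusting_client($file, $post)); // client-chosen limit
var_dump(size_ok_server_side($file));            // server-configured limit
unlink($tmp);
```

The `upload_max_filesize` and `post_max_size` settings in php.ini give a second ceiling that applies before any application code runs.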
Preconditions
- config: File upload functionality must be enabled in config_inc.php
- auth: No authentication required; any anonymous user can exploit
- network: Attacker must be able to send HTTP POST requests to the vulnerable scripts
- input: Attacker modifies the 'max_file_size' form parameter in the POST body
Reproduction
Send a POST request to `[path_to_mantis]/bug_file_add.php` with a multipart form-data body containing `bug_id=1`, `max_file_size=999999999` (or any value larger than 2000000), and the file payload. The same technique applies to `bug_report.php`, `bug_report_advanced_page.php`, and `proj_doc_add_page.php` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/18181/ (nvd, Patch)
- secunia.com/advisories/18221 (nvd, Patch)
- www.gentoo.org/security/en/glsa/glsa-200512-12.xml (nvd, Patch)
- www.securityfocus.com/bid/16046/ (nvd, Patch)
- www.trapkit.de/advisories/TKADV2005-11-002.txt (nvd, Exploit, Patch)
- secunia.com/advisories/18481 (nvd)
- sourceforge.net/project/shownotes.php (nvd)
- www.debian.org/security/2005/dsa-944 (nvd)
- www.osvdb.org/22056 (nvd)
- www.vupen.com/english/advisories/2005/3064 (nvd)