VYPR
Unrated severity · NVD Advisory · Published Dec 28, 2005 · Updated Jun 16, 2026

CVE-2005-4520

Description

Unspecified "port injection" vulnerabilities in filters in Mantis 1.0.0rc3 and earlier have unknown impact and attack vectors. NOTE: due to a lack of relevant details in the vendor changelog, which is the source of this description, it is unclear whether this is a duplicate of another CVE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • Mantisbt/Mantis (7 versions)
    • cpe:2.3:a:mantis:mantis:1.0.0a1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:1.0.0a2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:1.0.0a3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:1.0.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:1.0.0_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantis:mantis:1.0.0_rc3:*:*:*:*:*:*:*
    • (no CPE) range: <=1.0.0rc3

Patches

Vulnerability mechanics

Root cause

"Lack of proper sanitization of user-supplied input before using it in SQL queries, HTML output, HTTP headers, and file upload size validation."

Attack vector

An attacker sends crafted HTTP GET or POST requests to the vulnerable scripts with malicious payloads in the identified parameters [ref_id=1]. For SQL injection, an administrative user can inject SQL via the `prefix` or `sort` parameters, while any anonymous user can inject SQL after the ORDER BY clause via the `sort` parameter in `view_all_set.php` [ref_id=1]. For XSS, any anonymous user can craft a malicious link containing HTML/JavaScript in the `view_type` or `target_field` parameters [ref_id=1]. For CRLF injection, any anonymous user can embed CR/LF sequences in the `return` or `ref` parameters to inject HTTP headers [ref_id=1]. For the upload issue, any anonymous user can modify the `max_file_size` form parameter to upload arbitrarily large files [ref_id=1].

Affected code

The advisory identifies multiple vulnerable PHP scripts and parameters. SQL injection affects the `prefix` and `sort` parameters in `manage_user_page.php` and the `sort` parameter in `view_all_set.php` [ref_id=1]. Cross-site scripting (XSS) is present in the `view_type` and `target_field` parameters of `view_filters_page.php` [ref_id=1]. HTTP header CRLF injection exists in the `return` parameter of `login_cookie_test.php` and the `ref` parameter of `login_select_proj_page.php`/`set_project.php` [ref_id=1]. Files of arbitrary size can be uploaded via `bug_file_add.php`, `bug_report.php`, `bug_report_advanced_page.php`, and `proj_doc_add_page.php` [ref_id=1].
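A log check for the script and parameter pairs listed above, as an added example (not code from the advisory or the Mantis project). It assumes a combined-format web access log, covers only GET query strings because POST bodies are not logged, and the per-class patterns are assumed heuristics rather than the vendor's validation rules.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# (script, parameter) pairs named in the advisory, with the issue class of each.
WATCH = {
    ("manage_user_page.php", "prefix"): "sqli",
    ("manage_user_page.php", "sort"): "sqli",
    ("view_all_set.php", "sort"): "sqli",
    ("view_filters_page.php", "view_type"): "xss",
    ("view_filters_page.php", "target_field"): "xss",
    ("login_cookie_test.php", "return"): "crlf",
    ("login_select_proj_page.php", "ref"): "crlf",
    ("set_project.php", "ref"): "crlf",
}
# Assumed heuristics: characters a benign value should not contain.
SUSPICIOUS = {
    "sqli": re.compile(r"[^A-Za-z0-9_]"),  # assumes prefix/sort are plain identifiers
    "xss": re.compile(r"[<>\"']"),          # HTML metacharacters
    "crlf": re.compile(r"[\r\n]"),          # line breaks after URL-decoding
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def scan(lines):
    """Return (line_no, script, param, issue) for each suspicious value."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1]
        # parse_qsl percent-decodes, so %0d%0a becomes a real CR/LF here.
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            issue = WATCH.get((script, param))
            if issue and SUSPICIOUS[issue].search(value):
                hits.append((no, script, param, issue))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [28/Dec/2005:10:00:01 +0000] "GET /mantis/view_all_set.php?sort=priority HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Dec/2005:10:00:05 +0000] "GET /mantis/login_cookie_test.php?return=%0d%0aLocation:%20http://www.google.com HTTP/1.1" 302 0',
    '198.51.100.9 - - [28/Dec/2005:10:01:10 +0000] "GET /mantis/view_filters_page.php?target_field=reporter_id[]&view_type=%22%3E HTTP/1.1" 200 2048',
    '198.51.100.9 - - [28/Dec/2005:10:01:30 +0000] "GET /mantis/view_all_set.php?sort=priority%20x HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Tune the `sqli` pattern to the sort and prefix values your instance legitimately produces before alerting on it.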

What the fix does

The advisory recommends upgrading to Mantis 0.19.4 / 1.0.0rc4 or newer [ref_id=1]. No patch diff is provided in the bundle, so the specific code changes are not shown. The vendor released an updated version that presumably adds proper input sanitization for the vulnerable parameters, validates the `max_file_size` parameter server-side, and filters CR/LF sequences from header-related parameters [ref_id=1].

Preconditions

  • auth: For SQL injection via prefix/sort in manage_user_page.php, the attacker must be an administrative user
  • auth: For all other vulnerabilities, any anonymous user can exploit them
  • network: The attacker must be able to send HTTP requests to the Mantis instance
  • config: For the upload issue, the file upload functionality must be enabled in config_inc.php

Reproduction

  • SQL injection (admin, GET): `[path_to_mantis]/manage_user_page.php?prefix=A[SQL]` [ref_id=1]
  • SQL injection (admin, POST): POST to `[path_to_mantis]/manage_user_page.php` with `sort=username[SQL]&dir=ASC&save=1` [ref_id=1]
  • SQL injection (anonymous, GET): `[path_to_mantis]/view_all_set.php?sort=priority[SQL]` [ref_id=1]
  • XSS (anonymous, GET): `[path_to_mantis]/view_filters_page.php?target_field=reporter_id[]&view_type=">` [ref_id=1]
  • XSS (anonymous, GET): `[path_to_mantis]/view_filters_page.php?target_field=">` [ref_id=1]
  • CRLF injection (anonymous, GET): `[path_to_mantis]/login_cookie_test.php?return=%0d%0aLocation:%20http://www.google.com` [ref_id=1]
  • CRLF injection (anonymous, POST): POST to `[path_to_mantis]/set_project.php` with `ref=%0d%0aLocation:%20http://www.google.com&project_id=1` [ref_id=1]
  • Arbitrary file upload: POST to `[path_to_mantis]/bug_file_add.php` with a modified `max_file_size` value [ref_id=1]

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

11
