CVE-2005-4521

An unauthenticated remote attacker can inject CRLF sequences (encoded as `%0d%0a`) into the `return` parameter of `login_cookie_test.php` or the `ref` parameter of `login_select_proj_page.php` [ref_id=1]. Because the application does not sanitize these inputs before embedding them in HTTP response headers, the attacker can inject arbitrary headers such as a `Location:` redirect [ref_id=1]. This enables HTTP response splitting attacks, which can be used to poison caches, perform cross-site scripting, or redirect victims to malicious sites [ref_id=1].

The advisory identifies two vulnerable files: `login_cookie_test.php` (the `return` GET parameter) and `login_select_proj_page.php` (the `ref` POST parameter) [ref_id=1]. No input validation is performed on user data passed to these parameters before they are used in HTTP headers [ref_id=1].

The advisory states that the solution is to upgrade to Mantis 0.19.4 / 1.0.0rc4 or newer [ref_id=1]. No patch diff is provided in the bundle, but the fix would involve sanitizing or stripping CR/LF sequences from the `return` and `ref` parameters before they are used in HTTP header construction, preventing header injection [ref_id=1].

1. For the `return` parameter vulnerability: Send a GET request to `[path_to_mantis]/login_cookie_test.php?return=%0d%0aLocation:%20http://www.google.com` [ref_id=1]. 2. For the `ref` parameter vulnerability: Send a POST request to `[path_to_mantis]/set_project.php` with body `ref=%0d%0aLocation:%20http://www.google.com&project_id=1` [ref_id=1].