registry team mailing list archive

[Bug 690482] [NEW] MantisBT <1.2.4 multiple vulnerabilities (LFI, XSS and PD)

*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: mantis

The MantisBT project was notified by Gjoko Krstic of Zero Science Lab
(gjoko@xxxxxxxxxxxxxx) of multiple vulnerabilities affecting MantisBT
<1.2.4.

The following two advisories have been released, explaining the
vulnerabilities in greater detail:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php

As one of these vulnerabilities allows the reading of arbitrary files
from the file system we are treating this issue with critical severity.
Please note that this issue only affects users who have not removed the
"admin" directory from their MantisBT installation. We recommend,
instruct and warn users to remove this directory after installation;
however, it is clear that many users ignore these warnings.

I have requested CVE numbers via oss-sec (awaiting list moderation).

A bug report for this issue already exists in the Debian bug tracking
system at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159

As Ubuntu is using MantisBT 1.1.x you will need to apply the following
patch to resolve the issue in this older version of MantisBT:
http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

We have also released MantisBT 1.2.4 which resolves the issue for users
of our stable 1.2.x branch.

The bug report tracking this issue upstream at MantisBT:
http://www.mantisbt.org/bugs/view.php?id=12607

If there are any questions or concerns please feel free to contact me.

** Affects: mantis (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: mantis (Debian)
     Importance: Unknown
         Status: Unknown

** Affects: mantis (Fedora)
     Importance: Unknown
         Status: Unknown

** Affects: gentoo
     Importance: Unknown
         Status: Unknown

** Visibility changed to: Public

** Bug watch added: Debian Bug tracker #607159
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159

** Also affects: mantis (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159
   Importance: Unknown
       Status: Unknown

** Bug watch added: Gentoo Bugzilla #348761
   http://bugs.gentoo.org/show_bug.cgi?id=348761

** Also affects: gentoo via
   http://bugs.gentoo.org/show_bug.cgi?id=348761
   Importance: Unknown
       Status: Unknown

** Bug watch added: Red Hat Bugzilla #663230
   https://bugzilla.redhat.com/show_bug.cgi?id=663230

** Also affects: mantis (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=663230
   Importance: Unknown
       Status: Unknown

https://bugs.launchpad.net/bugs/690482