MantisBT <1.2.7 search.php multiple XSS vulnerabilities

Bug #828857 reported by David Hicks
Affects            Status        Importance  Assigned to  Milestone
Gentoo Linux       Fix Released  Low
mantis (Debian)    Fix Released  Unknown
mantis (Fedora)    Fix Released  Medium
mantis (Ubuntu)    Fix Released  Undecided   Unassigned

Bug Description

Original vulnerability report by Net.Edit0r (<email address hidden>) from BlACK Hat Group [http://black-hg.org] is available at: http://packetstormsecurity.org/files/104149

MantisBT bug report for full details of the issue: http://www.mantisbt.org/bugs/view.php?id=13245

Please note that the second SQL injection vulnerability identified by Net.Edit0r is not reproducible (refer to the MantisBT bug report above for reasons why).

A patch for 1.2.6 is available at:
https://github.com/mantisbt/mantisbt/commit/317f3db3a3c68775de3acf3b15f55b1e3c18f93b

MantisBT 1.2.7 is currently being packaged and will be available shortly through usual channels.

A CVE request and notice has been sent to <email address hidden>

Revision history for this message
In , David Hicks (dhx) wrote :

Original vulnerability report by Net.Edit0r (<email address hidden>) from BlACK Hat Group [http://black-hg.org] is available at:
http://packetstormsecurity.org/files/104149

MantisBT bug report for full details of the issue: http://www.mantisbt.org/bugs/view.php?id=13245

Please note that the second SQL injection vulnerability identified by Net.Edit0r is not reproducible (refer to the MantisBT bug report above for reasons why).

A patch for 1.2.6 is available at:
https://github.com/mantisbt/mantisbt/commit/317f3db3a3c68775de3acf3b15f55b1e3c18f93b

MantisBT 1.2.7 is currently being packaged and will be available shortly through usual channels for distributions and standalone users to pick up.

Reproducible: Always

Revision history for this message
In , David (david-redhat-bugs) wrote :

Original vulnerability report by Net.Edit0r (<email address hidden>) from BlACK Hat Group [http://black-hg.org] is available at:
http://packetstormsecurity.org/files/104149

MantisBT bug report for full details of the issue: http://www.mantisbt.org/bugs/view.php?id=13245

Please note that the second SQL injection vulnerability identified by Net.Edit0r is not reproducible (refer to the MantisBT bug report above for reasons why).

A patch for 1.2.6 is available at:
https://github.com/mantisbt/mantisbt/commit/317f3db3a3c68775de3acf3b15f55b1e3c18f93b

MantisBT 1.2.7 is currently being packaged and will be available shortly through usual channels.

A CVE request and notice has been sent to <email address hidden>

David Hicks (dhx)
visibility: private → public
Changed in gentoo:
importance: Unknown → Critical
status: Unknown → New
Revision history for this message
In , Ago-3 (ago-3) wrote :

1.2.7 is not out yet, but the vulnerability is fixed in the git repository.

@Peter, please choose whether you want to add 1.2.7 directly, or patch 1.2.6.

Changed in mantis (Debian):
status: Unknown → Confirmed
Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :

Thanks so much for the report, David!

Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :

Created mantis tracking bugs for this issue

Affects: fedora-all [bug 731854]
Affects: epel-5 [bug 731855]

Changed in mantis (Debian):
status: Confirmed → Fix Released
Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :

This was assigned the name CVE-2011-2938.

Changed in gentoo:
importance: Critical → Low
Revision history for this message
In , pva (pva) wrote :

1.2.7, which fixes this issue, is in the tree. Arch teams, please stabilize.

Revision history for this message
In , Ago-3 (ago-3) wrote :

amd64 ok

Revision history for this message
In , Xarthisius (xarthisius) wrote :

ppc keywords dropped

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Per Debian, 1.1 is not affected. Oneiric is affected.

Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, a member of Ubuntu will review it and publish the package.

Thanks!

Revision history for this message
In , Tomka-w (tomka-w) wrote :

x86 stable. Thanks

Revision history for this message
In , Chainsaw (chainsaw) wrote :

+ 26 Aug 2011; Tony Vroon <email address hidden> mantisbt-1.2.7.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
+ security bug #379739 filed by David Hicks.

Arches done, ready for GLSA voting.

Revision history for this message
In , Alex Legler (a3li) wrote :

Closing noglsa.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

[Updating] mantis (1.2.4-3 [Ubuntu] < 1.2.6-1 [Debian])
 * Trying to add mantis...
2011-08-26 19:29:18 INFO - <mantis_1.2.6-1.dsc: downloading from http://ftp.debian.org/debian/>
2011-08-26 19:29:18 INFO - <mantis_1.2.6-1.debian.tar.gz: downloading from http://ftp.debian.org/debian/>
2011-08-26 19:29:18 INFO - <mantis_1.2.6.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
I: mantis [universe] -> mantis_1.2.4-3 [universe].

Changed in mantis (Ubuntu):
status: New → Fix Released
Changed in gentoo:
status: New → Fix Released
Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :

Currently supported versions of Fedora have 1.2.8, which corrects this flaw. EPEL's 1.1.8 may still be affected.

Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :

EPEL5 hasn't been touched since Dec 2010, and the package is technically orphaned. As a result I'm closing this bug as this issue is fixed in Fedora. The EPEL5 tracking bug #800667 will remain open until either mantis is dropped from EPEL or it is fixed.

Changed in mantis (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released