Comment 1 for bug 828857

Revision history for this message
In , David Hicks (dhx) wrote :

Original vulnerability report by Net.Edit0r (<email address hidden>) from BlACK Hat Group [http://black-hg.org] is available at:
http://packetstormsecurity.org/files/104149

MantisBT bug report for full details of the issue: http://www.mantisbt.org/bugs/view.php?id=13245

Please note that the second SQL injection vulnerability identified by Net.Edit0r is not reproducible (refer to the MantisBT bug report above for reasons why).

A patch for 1.2.6 is available at:
https://github.com/mantisbt/mantisbt/commit/317f3db3a3c68775de3acf3b15f55b1e3c18f93b

MantisBT 1.2.7 is currently being packaged and will be available shortly through usual channels for distributions and standalone users to pick up.

Reproducible: Always