MantisBT <1.2.4 multiple vulnerabilities (LFI, XSS and PD)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Gentoo Linux | Fix Released | High | |
mantis (Debian) | Fix Released | Unknown | |
mantis (Fedora) | Fix Released | Medium | |
mantis (Ubuntu) | Triaged | Low | Unassigned |
Hardy | Won't Fix | Low | Unassigned |
Karmic | Won't Fix | Low | Unassigned |
Lucid | Won't Fix | Low | Unassigned |
Maverick | Won't Fix | Low | Unassigned |
Bug Description
Binary package hint: mantis
The MantisBT project was notified by Gjoko Krstic of Zero Science Lab
(<email address hidden>) of multiple vulnerabilities affecting MantisBT
<1.2.4.
The following two advisories have been released explaining the
vulnerabilities in greater detail:
http://
http://
As one of these vulnerabilities allows the reading of arbitrary files
from the file system, we are treating this issue with critical severity.
Please note that this issue only affects users who have not removed the
"admin" directory from their MantisBT installation. We recommend,
instruct and warn users to remove this directory after installation;
however, it is clear that many users ignore these warnings.
I have requested CVE numbers via oss-sec (awaiting list moderation).
A bug report for this issue already exists in the Debian bug tracking system at: http://
As Ubuntu is using MantisBT 1.1.x, you will need to apply the following
patch to resolve the issue in this older version of MantisBT:
http://
We have also released MantisBT 1.2.4 which resolves the issue for users
of our stable 1.2.x branch.
The bug report tracking this issue upstream at MantisBT:
http://
If there are any questions or concerns please feel free to contact me.
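The report above ties exposure to two things at once: an "admin" directory that was never removed, and a MantisBT version below 1.2.4. The following POSIX shell check audits a web root for both. It is an added example written for this page, not MantisBT project code and not taken from the advisories. It assumes the install keeps its version in core/constant_inc.php as `define( 'MANTIS_VERSION', '…' );`, and, because the page does not name the individual scripts under admin/, it treats any admin/ directory as exposed. The sample trees it builds are constructed in a temporary directory purely for the demonstration.

```shell
#!/bin/sh
# Added example (not MantisBT project code): audit a MantisBT web root for
# (a) an admin/ directory that was never removed and (b) MANTIS_VERSION
# below 1.2.4. Assumption: core/constant_inc.php contains a line like
#   define( 'MANTIS_VERSION', '1.2.4' );
set -u

# Print the version string found in core/constant_inc.php, or "unknown".
mantis_version() {
    f="$1/core/constant_inc.php"
    [ -f "$f" ] || { echo unknown; return; }
    sed -n "s/.*define( *'MANTIS_VERSION', *'\([^']*\)'.*/\1/p" "$f" \
        | head -n 1 | grep . || echo unknown
}

# Dotted-version compare without relying on sort -V: exit 0 if $1 < $2.
# Non-digits in a component (e.g. "0rc1") are stripped before comparing.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=$(printf '%s' "${a%%.*}" | tr -cd '0-9'); a=${a#*.}
        y=$(printf '%s' "${b%%.*}" | tr -cd '0-9'); b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Print space-separated findings for a web root, or "ok" if none apply.
# An unreadable version is reported as vulnerable rather than silently passed.
audit_mantis() {
    root=$1
    v=$(mantis_version "$root")
    findings=
    if [ -d "$root/admin" ]; then
        findings="admin-dir-present"
    fi
    if [ "$v" = unknown ] || version_lt "$v" 1.2.4; then
        findings="${findings:+$findings }vulnerable-version:$v"
    fi
    echo "${findings:-ok}"
}

# Build a constructed, MantisBT-shaped tree for the demonstration:
# $1 = directory, $2 = version string, $3 = "yes" to keep admin/.
make_sample() {
    mkdir -p "$1/core"
    printf "<?php\ndefine( 'MANTIS_VERSION', '%s' );\n" "$2" > "$1/core/constant_inc.php"
    if [ "$3" = yes ]; then mkdir -p "$1/admin"; fi
}

tmp=$(mktemp -d)
make_sample "$tmp/old-with-admin" 1.1.8 yes
make_sample "$tmp/upgraded-with-admin" 1.2.4 yes
make_sample "$tmp/old-admin-removed" 1.1.8 no
for d in old-with-admin upgraded-with-admin old-admin-removed; do
    printf '%-22s %s\n' "$d:" "$(audit_mantis "$tmp/$d")"
done
rm -rf "$tmp"
```

The version comparison is only a reliable verdict for upstream tarball installs. A distribution package that backports the referenced commit keeps its 1.1.x version string, so for packaged installs the package changelog, not MANTIS_VERSION, is the authority; the admin/ check is the part that holds either way, and an upgrade to 1.2.4 that leaves admin/ in place still shows up as a finding.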
visibility: private → public
Changed in gentoo: status: Unknown → In Progress
Changed in mantis (Debian): status: Unknown → Confirmed
Changed in gentoo: importance: Unknown → High
Changed in mantis (Debian): status: Confirmed → Fix Released
Changed in gentoo: status: In Progress → Fix Released
Changed in mantis (Fedora): importance: Unknown → Medium
Changed in mantis (Fedora): status: Unknown → Fix Released
The MantisBT project was notified by Gjoko Krstic of Zero Science Lab
(<email address hidden>) of multiple vulnerabilities affecting MantisBT
<1.2.4.
The following two advisories have been released explaining the
vulnerabilities in greater detail:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php
As one of these vulnerabilities allows the reading of arbitrary files
from the file system, we are treating this issue with critical severity.
Please note that this issue only affects users who have not removed the
"admin" directory from their MantisBT installation. We recommend,
instruct and warn users to remove this directory after installation;
however, it is clear that many users ignore these warnings.
I have requested CVE numbers via oss-sec (awaiting list moderation).
As Redhat is using MantisBT 1.1.x, you will need to apply the following
patch to resolve the issue in this older version of MantisBT:
http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590
We have also released MantisBT 1.2.4 which resolves the issue for users
of our stable 1.2.x branch.
The bug report tracking this issue upstream at MantisBT:
http://www.mantisbt.org/bugs/view.php?id=12607
If there are any questions or concerns please feel free to contact me.