Package: mantis
Version: 1.2.6-1
Severity: critical
Tags: security patch upstream fixed-upstream

Hi Sils and others,

Thank you for the quick response to bug #638321 (search.php multiple XSS
vulnerabilities in <mantisbt-1.2.7). Unfortunately a number of other
vulnerabilities have been discovered which will work against all 1.2.x
releases of MantisBT:

1) XSS injection via PHP_SELF
2) LFI and XSS via bug_actiongroup_ext_page.php
3) XSS issues with unescaped os, os_build and platform parameters on
bug_report_page.php and bug_update_advanced_page.php

Details of these vulnerabilities are provided at [1], [2] and [3]. CVE
requests have been submitted to the oss-security mailing list as per
[1].

The LFI vulnerability in bug_actiongroup_ext_page.php has the potential
to allow malicious users to upload arbitrary PHP scripts via MantisBT
bug attachments and then execute these malicious scripts. See
oss-secur...@lists.openwall.com and mantisbt-...@lists.sourceforge.net
discussion threads for further information. Users would first need to
change the file upload method from storing attachments in the database
to storing them on the disk in order to be vulnerable to this extended
remote arbitrary code execution attack. However, if the same web server
uid/gid is used across multiple web applications, attachments stored on
the disk from another web application could be executed.

The minimum required patches to resolve these issues are available at
[4], [5], [6] and [7] and should apply cleanly to MantisBT 1.2.7
(probably 1.2.6 as well). The LFI patches ([4] and [5]) are a bit larger
than hoped for in a security fix. They do, however, aim to resolve the
issue in the most robust and future-proofed way possible.

Please advise if assistance is required in preparing alternative patches
for earlier versions of MantisBT. I'm able to help with resolving merge
conflicts, providing simpler bandaid patches, etc.

Thanks,

David Hicks
MantisBT Developer

[1] http://www.openwall.com/lists/oss-security/2011/09/04/1
[2] http://www.mantisbt.org/bugs/view.php?id=13191
[3] http://www.mantisbt.org/bugs/view.php?id=13281
[4] https://github.com/mantisbt/mantisbt/commit/5b93161f3ece2f73410c296fed8522f6475d273d
[5] https://github.com/mantisbt/mantisbt/commit/6ede60d3db9e202044f135001589cce941ff6f0f
[6] https://github.com/mantisbt/mantisbt/commit/d00745f5e267eba4ca34286d125de685bc3a8034
[7] https://github.com/mantisbt/mantisbt/commit/0a636b37d3425aea7b781e7f25eaeb164ac54a3d
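The following is an added illustration, not MantisBT code and not part of the report above. It models the general shape of the two bug classes the report lists: a local file inclusion where a request parameter is turned into an include path (the attack described for bug_actiongroup_ext_page.php, where an on-disk attachment can then be pulled in and executed as PHP), alongside a hardened version that maps the parameter onto a fixed whitelist and confines the resolved path; and an escaped use of PHP_SELF for the reflected XSS in item 1. The directory name, the action names and the function names are hypothetical; the real files and the exact code paths fixed in [4] through [7] are not reproduced here.

```php
<?php
// Added example, not MantisBT's own code. All paths and names are assumptions.
declare(strict_types=1);

// Hypothetical directory holding one include file per bulk action (assumption).
const ACTION_DIR = __DIR__ . '/actions';

// Vulnerable shape: the request parameter is concatenated into the include
// path. A value such as "../attachments/evil" (with attachments stored on
// disk) or any other readable path on the host ends up being executed as PHP.
function include_action_unsafe(string $action): void
{
    require_once ACTION_DIR . '/' . $action . '.php';
}

// Hardened shape: the user-supplied string is only ever used as a key into a
// fixed table of known actions; it never becomes part of a filesystem path.
const KNOWN_ACTIONS = [
    'update_severity' => 'update_severity.php',
    'add_note'        => 'add_note.php',
];

function resolve_action_path(string $action): string
{
    if (!isset(KNOWN_ACTIONS[$action])) {
        throw new InvalidArgumentException('Unknown bulk action');
    }
    $base = realpath(ACTION_DIR);
    $path = realpath(ACTION_DIR . '/' . KNOWN_ACTIONS[$action]);
    // Defence in depth: even a whitelisted entry must resolve to a file that
    // actually lives inside ACTION_DIR (guards against symlinks or a
    // mis-edited table pointing elsewhere).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Action file missing or outside action directory');
    }
    return $path;
}

function include_action_safe(string $action): void
{
    require_once resolve_action_path($action);
}

// PHP_SELF reflects the request path, including anything appended after the
// script name (path info), so echoing it raw into a form action attribute is
// a reflected XSS. Escape it for the HTML attribute context before output.
function form_action_attr(): string
{
    return htmlspecialchars($_SERVER['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
}

// Usage (constructed input): the whitelist lookup rejects the traversal value
// outright, and the escaped PHP_SELF is safe to place inside action="...".
try {
    include_action_safe('../attachments/evil');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo '<form action="', form_action_attr(), '" method="post">', PHP_EOL;
```

The point of the whitelist is that the fix no longer depends on sanitising the parameter: traversal sequences, null bytes and absolute paths are all irrelevant once the input is only compared against known keys. That also removes the dependency on how attachments are stored, which is the condition the report names for the remote code execution variant.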
