Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 9 Sep 2011 14:44:15 -0400 (EDT)
From: Josh Bressers <>
        developer discussions <>,
        coley <>
Subject: Re: CVE requests: <mantisbt-1.2.8 multiple
 vulnerabilities (1xLFI+XSS, 2xXSS)

Sorry this took so long.

----- Original Message -----
> Request #1: XSS injection via PHP_SELF
> Paulino Calderon from Websec reported an issue [2] against MantisBT 1.2.6
> whereby an attacker could craft URLs such that arbitrary HTML could be
> inserted into page output. Users running MantisBT on a vanilla nginx
> installation are unaffected because nginx will check to see whether the
> full URL path exists and is valid (with an XSS injection string, it won't
> be). Other web servers such as Apache won't perform these stringent
> checks and are therefore MantisBT is vulnerable to this attack when
> running on an Apache server. This attack does not require users to be
> authenticated or logged into a MantisBT installation to be impacted by
> this vulnerability.
> The same issue was identified by High-Tech Bridge Security Research Lab
> with their advisory #HTB23045 available at [1]. Paul Richards (MantisBT
> developer) also discovered this issue during a routine audit.
> MantisBT bug reports with full details (including patches) are available
> at [2] and [3].

Please use CVE-2011-3356 for the above.

> Request #2: LFI and XSS via bug_actiongroup_ext_page.php
> High-Tech Bridge Security Research Lab reported an issue against MantisBT
> 1.2.7 whereby an attacker could include local system files via a
> directory traversal/local file inclusion vulnerability in
> bug_actiongroup_ext_page.php.
> Web server and/or PHP and/or operating system configuration will dictate
> whether this vulnerability can be exploited. MantisBT will prepend
> "bug_actiongroup_" prior to the attacker-supplied path. A suffix is
> appended, but can be stripped off using a null character (%00). Some
> environments (at least nginx and php-fpm 5.3) do not allow directory
> traversal from a file or invalid path/file. Other environments do allow
> directory traversal from file names (even invalid ones), for instance:
> "bug_actiongroup_page.php/../private_file" or
> "bug_actiongroup_/../private_file".
> This vulnerability can also allow an attacker to perform an XSS attack
> (no login/session required with the MantisBT attacker) if PHP is
> configured to display error messages. The error message from the
> require_once() call is not sanitised by PHP prior to displaying it to the
> user. Best (and therefore common) practice is to not display PHP error
> messages to the end user, severely limiting the applicability of this
> attack.
> Full details and patches are available at [3].

Please use CVE-2011-3357 for the above.

> Request #3: XSS issues with unescaped os, os_build and platform
> parameters on bug_report_page.php and bug_update_advanced_page.php
> High-Tech Bridge Security Research Lab reported an issue against MantisBT
> 1.2.7 whereby an attacker could perform an XSS attack on users with
> access to either bug_report_page.php or bug_update_advanced_page.php. In
> default and typical MantisBT installations, this is limited to users that
> are currently logged in.
> The cause of this problem is with the use of the ancient Projax library
> (available at [4]) in the 1.2.x branch of MantisBT. Projax does not
> escape value attributes when printing input form elements. In some
> respects, this issue is also a bug with Projax however it may be a case
> that users of this library are expected to provide values that are
> already sanitised. MantisBT 1.3.x (master branch) uses jQuery instead of
> Projax and is therefore not impacted by this vulnerability.
> Full details and patches are available at [3].

Please use CVE-2011-3358 for the above.

> Additional information:
> A new release (mantisbt-1.2.8) is being put together and will be
> available shortly to download from to resolve these 3
> vulnerabilities. Announcements will be made to
> #mantishelp
> on and other usual channels. Major Linux
> distributions
> shipping mantisbt-1.2.x will also be informed.
> With thanks to: Paulino Calderon (Websec), High-Tech Bridge Security
> Research Lab, Paul Richards (MantisBT)
> References:
> [1]
> [2]
> [3]
> [4]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ