Date: Sat, 09 Jun 2012 18:19:12 +1000 From: David Hicks <d@...id.au> To: Open Source Security Mailing List <oss-security@...ts.openwall.com> Cc: MantisBT Developer Mailing List <mantisbt-dev@...ts.sourceforge.net> Subject: CVE requests (x2) for Mantis Bug Tracker (MantisBT) before 1.2.11 CVE REQUEST #1 Title: Reporters can edit arbitrary bugnotes via SOAP API Affected: MantisBT 1.2.10 and earlier versions Not affected: MantisBT 1.2.11 Description: Roland Becker and Damien Regad (MantisBT developers) found that any user able to report issues via the SOAP interface could also modify any bugnotes (comments) created by other users. In a default/typical MantisBT installation, SOAP API is enabled and any user can sign up to report new issues. This vulnerability therefore impacts upon many public facing MantisBT installations. References:  http://www.mantisbt.org/bugs/view.php?id=14340 CVE REQUEST #2 Title: delete_attachments_threshold not checked on attachment deletion Affected: MantisBT 1.2.10 and earlier versions Not affected: MantisBT 1.2.11 Description: Roland Becker (MantisBT developer) found that the delete_attachments_threshold permission was not being checked when a user attempted to delete an attachment from an issue. The more generic update_bug_threshold permission was being checked instead. MantisBT administrators may have been under the false impression that their configuration of the delete_attachments_threshold was successfully preventing unwanted users from deleting attachments. References:  http://www.mantisbt.org/bugs/view.php?id=14016 With thanks, David Hicks MantisBT Developer #mantisbt irc.freenode.net http://www.mantisbt.org/bugs/ [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ