Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 18 Jan 2013 13:04:48 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: David Hicks <d@...id.au>, Jakub Galczyk <jakub.galczyk@...il.com>
Subject: Re: CVE request: MantisBT before 1.2.13 match_type
 XSS vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/18/2013 04:31 AM, David Hicks wrote:
> Hi list,
> 
> Jakub Galczyk discovered[1][2] a cross site scripting (XSS) 
> vulnerability in MantisBT 1.2.12 and earlier versions that allows
> a malicious person to trick the browser of a target user into
> executing arbitrary JavaScript via the URL:
> search.php?match_type="><script...
> 
> This vulnerability is particularly wide reaching due to search.php
> being usable by anonymous users on public facing installations of
> MantisBT (no user account required).
> 
> Patches against 1.2.x and master branches are attached and
> alternatively available at [2].
> 
> References: [1] 
> http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
>
> 
[2] http://www.mantisbt.org/bugs/view.php?id=15373
> 
> The MantisBT project will release MantisBT 1.2.13 shortly and
> advise popular Linux distributions packaging MantisBT to either
> apply the patch or bump package versions to 1.2.13.
> 
> Can a CVE ID please be assigned to this issue?
> 
> With thanks, David Hicks MantisBT Developer #mantisbt
> irc.freenode.net http://www.mantisbt.org/bugs/
> 
> Bcc: mantisbt-dev@...ts.sourceforge.net
> 

Please use CVE-2013-0197 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ+arfAAoJEBYNRVNeJnmTmFEP/28iPEY+BZRxSnVeZEl+iK2c
N7jpChQMGr/Pm+R8Zvi/wtwWretAs/TLitXFO+smd6X0LnM5ar1U/9SnJj9a2Ep7
6ZOVDLRz7p6q8Op8twlFDYuAfnpWfAPe0ruEza5LFADyWEUUT0xXmv5NL+pqdF+0
sx+5GHOUVqjnvm4vNPdJL5v3IMpEDH+9OWEuSSAFJ+RUG2cXW181PdRIvVXmsO/S
/UcwiCJTLeM0VoYqFHt5r0aYpDGTAKoJs+9XPP/cfmK69rzG+HRx5IZXIrMbB3SY
liCMQcD22lWTJhPLA68zRAxTPnJO1ec7NmjntJ5Gp0m+0pVKtXI2DVJFgRPpdHFH
DIa30q9xsKof5d77QPisJkCJAJ+BvqLLG6PsMUwWlzF8vwGAmSHqzG8UZStMRe4W
IWu0uj2l87g2o4P5ulJCcFDIqKO8LwoDBcu8yaCyMPX3N6d0z9SGmQSwL08zdxq8
RXcN6vBQxNpnEBsyups99UyYXr5CEnXZqZlGfVbVNCz25yqLW8iPFZ6ihKN9jX7h
XDDG+u1AuGk+7WBJ5EqHXFA2NKFiEtghGtot14LrqXHst8g6cNlyKpbHvpakVRF0
F8yqqEzA4WYet0PTNnbHbA2jQoJ9l1n54GT51peNnocG+29m093tM7O5iF2daM/W
bUxSPRuQ1qI1i1iS5p46
=4IdZ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.