Date: Thu, 21 Mar 2013 10:29:39 +0000 (UTC) From: Damien Regad <damien.regad@...ckgroup.com> To: oss-security@...ts.openwall.com Subject: CVE request: MantisBT text search query can crash site Dear all, MantisBT user 'jjtest' discovered an issue  affecting MantisBT versions 1.2.12 to 1.2.14 included. Anybody having access to a MantisBT instance (including anonymous users on web-facing applications) may issue a search query on the View Issues page; if a filter combining some criteria and a text search with 'any condition' is applied, the generated SQL will results in a potentially huge cartesian product which, depending on the size of the underlying database, has the potential to bring down the site/db server as it runs out of resources. The root cause of this behavior is joining a table with a from clause and setting the join's criteria in the query's where clause, without taking consideration the operator's precedence (AND/OR). Full details about this issue can be found in our bugtracker . A patch for this issue is available  in the project's repository on Github, and will be included in MantisBT version 1.2.15, which we expect to release in a couple of weeks once testing is completed. References:  http://www.mantisbt.org/bugs/view.php?id=15573  https://github.com/mantisbt/mantisbt/commit/d16988c3ca232a7 Kindly assign a CVE ID for this issue. Damien Regad MantisBT developer mailto:mantisbt-dev@...ts.sourceforge.net http://www.mantisbt.org/bugs/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ