Date: Thu, 30 Oct 2014 21:54:52 +0100
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: SQL injection vulnerability in MantisBT SOAP API

Description:

Several SQL injection vulnerabilities were identified in CVE-2014-1609, and subsequently fixed in MantisBT release 1.2.16. However, it was recently discovered that the patch did not fully address the original problem in the SOAP API.

Research demonstrates that using a specially crafted 'project id' parameter when calling mc_project_get_attachments(), an attacker could still perform an SQL injection.

Affected versions:
MantisBT >= 1.1.0a4, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Credit:
Issue was discovered by
- Edwin Gozeling and Wim Visser from ITsec Security Services BV (http://www.itsec.nl)
- Paul Richards (former MantisBT developer)

References:
- further details, including patch available in our issue tracker

Please assign a CVE ID for this issue, which is a follow-up on CVE-2014-1609 (the released fix of which was incomplete).

http://www.mantisbt.org/bugs/view.php?id=16880
http://www.mantisbt.org/bugs/view.php?id=17812
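
The class of defect described above, as an added example that is not MantisBT code and not the patch referenced in the advisory: a numeric 'project id' received from an API caller is concatenated into a statement in one function, and strictly validated and bound as a parameter in the other. The table, the function names and the sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite database stands in for the tracker's.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE attachment (id INTEGER PRIMARY KEY, project_id INTEGER, filename TEXT)');
$db->exec("INSERT INTO attachment (project_id, filename) VALUES (1, 'public.txt'), (2, 'private.txt')");

// Weak form (hypothetical function): the caller-supplied value becomes part of the SQL text.
function attachments_concat(PDO $db, $project_id): array {
    $sql = 'SELECT filename FROM attachment WHERE project_id = ' . $project_id;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form (hypothetical function): strict integer validation at the API
// boundary, then a bound parameter so the value can never alter the statement.
function attachments_bound(PDO $db, $project_id): array {
    $id = filter_var($project_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('project id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT filename FROM attachment WHERE project_id = :pid');
    $stmt->bindValue(':pid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$crafted = '1 OR 1=1'; // constructed non-integer value for the 'project id' field

// Concatenation lets the value rewrite the WHERE clause of the statement.
print_r(attachments_concat($db, $crafted));

// A valid integer id goes through validation and is bound as PDO::PARAM_INT.
print_r(attachments_bound($db, 1));

// The same crafted value is rejected before any SQL is prepared.
try {
    attachments_bound($db, $crafted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

When reviewing a follow-up fix like this one, check every entry point that reaches the query (web UI and SOAP API alike), since validating the parameter in one code path leaves the others exposed.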