Date: Thu, 30 Oct 2014 21:54:52 +0100
From: Damien Regad <>
Subject: SQL injection vulnerability in MantisBT SOAP API


Several SQL injection vulnerabilities were identified in
CVE-2014-1609, and subsequently fixed in MantisBT release 1.2.16 [1].

However, it was recently discovered that the patch did not fully
address the original problem in the SOAP API. Research demonstrates
that using a specially crafted 'project id' parameter when calling
mc_project_get_attachments(), an attacker could still perform an SQL

Affected versions:
MantisBT >= 1.1.0a4, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Issue was discovered by
- Edwin Gozeling and Wim Visser from ITsec Security Services BV
- Paul Richards (former MantisBT developer)

- further details, including patch available in our issue tracker [2] (

Please assign a CVE ID for this issue, which is a follow-up on
CVE-2014-1609 (the released fix of which was incomplete).

