Date: Sat, 17 Jan 2015 02:10:51 +0100
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: CAPTCHA bypass in MantisBT


Greetings,

Please assign a CVE ID for the following issue.


Description:

An attacker can get an unlimited amount of CAPTCHA "samples" with 
different perturbations for the same challenge, which makes the whole 
captcha utterly useless and very easy to bypass.


Affected versions:
<= 1.2.19

Fixed in versions:
1.2.19 (not yet released)

Patch:
See Github [1]

Credit:
This vulnerability was reported [2] by Florent Daigniere from Matta 
Consulting.
The issue was fixed by Damien Regad (MantisBT Developer).

References:
Further details available in our issue tracker [2]

[1] https://github.com/mantisbt/mantisbt/commit/39a92726
[2] https://www.mantisbt.org/bugs/view.php?id=17984
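The weakness described above, as an added example that is not part of the original post and not MantisBT's own code: a toy CAPTCHA that keeps one secret per session but re-renders it with fresh random perturbation on every image request, and an attacker who fetches many copies and majority-votes each pixel until the noise cancels out. The glyph alphabet, the pixel-flip perturbation and the "hardened" variant (a new secret on every image fetch, consumed by a single check) are assumptions made for the illustration, not a description of the fix in commit 39a92726.

```python
import random

# Toy 3x5 glyph alphabet, constructed for this example (a real CAPTCHA renders fonts).
GLYPHS = {
    "A": ["010", "101", "111", "101", "101"],
    "B": ["110", "101", "110", "101", "110"],
    "C": ["011", "100", "100", "100", "011"],
    "D": ["110", "101", "101", "101", "110"],
}
ROWS, GLYPH_W, GAP = 5, 3, 1


def seeded(seed):
    """Deterministic RNG so the demonstration is reproducible."""
    return random.Random(seed)


def render(text):
    """Render `text` as a ROWS x N bitmap of 0/1 ints, one blank column after each glyph."""
    rows = [[] for _ in range(ROWS)]
    for ch in text:
        for r, line in enumerate(GLYPHS[ch]):
            rows[r].extend(int(b) for b in line)
            rows[r].extend([0] * GAP)
    return rows


def perturb(bitmap, rng, flip=0.2):
    """Stand-in for image perturbation: flip each pixel independently with probability `flip`."""
    return [[px ^ (rng.random() < flip) for px in row] for row in bitmap]


def new_secret(rng, length=4):
    return "".join(rng.choice(sorted(GLYPHS)) for _ in range(length))


class VulnerableCaptcha:
    """Weak pattern: the secret is fixed for the session, and every fetch of the
    image returns a new perturbation of the same text."""

    def __init__(self, rng):
        self.rng = rng
        self.secret = new_secret(rng)

    def image(self):
        return perturb(render(self.secret), self.rng)

    def check(self, answer):
        return answer == self.secret


class HardenedCaptcha:
    """Assumed mitigation (not MantisBT's patch): each image fetch draws a fresh
    secret and invalidates the previous one; a secret is consumed by one check."""

    def __init__(self, rng):
        self.rng = rng
        self.secret = None

    def image(self):
        self.secret = new_secret(self.rng)
        return perturb(render(self.secret), self.rng)

    def check(self, answer):
        ok = self.secret is not None and answer == self.secret
        self.secret = None
        return ok


def denoise(samples):
    """Per-pixel majority vote over independent samples: random flips cancel out,
    the underlying glyph pixels remain."""
    n = len(samples)
    return [[int(sum(s[r][c] for s in samples) * 2 > n)
             for c in range(len(samples[0][0]))]
            for r in range(len(samples[0]))]


def recognise(bitmap):
    """Exact glyph lookup on the cleaned bitmap ('?' where a cell matches nothing)."""
    out = []
    for start in range(0, len(bitmap[0]), GLYPH_W + GAP):
        cell = ["".join(str(bitmap[r][c]) for c in range(start, start + GLYPH_W))
                for r in range(ROWS)]
        out.append(next((ch for ch, g in GLYPHS.items() if g == cell), "?"))
    return "".join(out)


def attack(captcha, samples=50):
    """Fetch many renderings of one challenge, average them, read off the answer."""
    return recognise(denoise([captcha.image() for _ in range(samples)]))


if __name__ == "__main__":
    weak = VulnerableCaptcha(seeded(1))
    guess = attack(weak)
    print("vulnerable: secret", weak.secret, "recovered", guess,
          "accepted:", weak.check(guess))
    strong = HardenedCaptcha(seeded(2))
    strong.image()
    first = strong.secret
    strong.image()  # second fetch: `first` is no longer valid
    print("hardened: stale answer accepted:", strong.check(first))
```

With 50 samples and a 20% flip rate a single rendering is unreadable to the exact-match recogniser, but the majority vote recovers every pixel, which is the "unlimited samples for the same challenge" problem in miniature. Against the hardened variant the samples are of different secrets, so averaging yields nothing, and only the most recently served image can be answered at all.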

