Date: Sat, 2 Jan 2016 23:00:47 +0100 From: Damien Regad <dregad@...tisbt.org> To: oss-security@...ts.openwall.com Subject: CVE Request: MantisBT SOAP API can be used to disclose confidential settings Greetings, Please assign a CVE ID for the following issue. Description: Until now, MantisBT sensitive config options were blacklisted to prevent their access via SOAP API (see config_is_private() function). When a new config is added or an existing one is renamed, the black list must be updated accordingly. If this is not or incorrectly done, the config becomes available via SOAP API. This was the case with the MantisBT master cryptographic salt (crypto_master_salt): it was incorrectly spelt. To fix the problem as well as avoid future occurences, we are switching to a whitelist approach, i.e. listing all configs that *can* be accessed via SOAP. Any MantisBT installation with SOAP API enabled should be patched, and immediately generate a new salt. Affected versions: >= 1.3.0-beta.1 Fixed in versions: 1.3.0 (not yet released), possibly 1.3.0-rc.2 if we decide we need another release candidate before that. Patch: See Github  Credits: The issue was discovered by Paul Richards  and fixed by Roland Becker (MantisBT Developer). References: Further details available in our issue tracker  Best regards, D. Regad MantisBT Developer http://www.mantisbt.org  http://github.com/mantisbt/mantisbt/commit/7927c275  https://sourceforge.net/p/mantisbt/mailman/message/32948048/  https://mantisbt.org/bugs/view.php?id=20277
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ