Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 12 Sep 2014 14:03:37 +0000 (UTC)
From: Damien Regad <>
Subject: CVE request: MantisBT Null byte poisoning in LDAP authentication


Matthew Daley reported a Null byte poisoning issue with LDAP 
authentication affecting MantisBT <= 1.2.17.

A malicious user can exploit this vulnerability to login as any 
registered user and without knowing their password, to systems relying 
on LDAP for user authentication (e.g. Active Directory or OpenLDAP with 
"allow bind_anon_cred"). 

Patches are available in [1]; full details on the original issue report 
can be found at [2]. Can you please assign a CVE ID to this issue ? 

Thank you

D. Regad
MantisBT Developer

[1] (master branch) (1.2.x branch)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.