Bug 203791 (CVE-2007-6611) - www-apps/mantisbt < 1.0.8-r1 "Upload File" Script Insertion Vulnerability (CVE-2007-6611)
Status: RESOLVED FIXED
Alias: CVE-2007-6611
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28185/
Whiteboard: B4 [glsa]
Duplicates: 204331
Reported: 2007-12-30 18:11 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2008-03-03 21:13 UTC
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-30 18:11:39 UTC
seiji has discovered a vulnerability in Mantis, which can be exploited by malicious users to conduct script insertion attacks.

Input passed as the filename for the uploaded file in bug_report.php is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in the context of an affected site when the malicious filename is viewed in view.php.

Successful exploitation requires valid user credentials.

The vulnerability is confirmed in version 1.0.8. Other versions may also be affected.

Solution:
Update to version 1.1.0.
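
The flaw described above is a stored XSS: the uploaded file's name is saved as the client sent it and later written into the page unencoded. As an added example (not MantisBT's code and not part of the original report; the function names and the download.php link are hypothetical), the unsafe rendering is shown next to output encoding and store-time normalisation:

```php
<?php
// Added illustration; not MantisBT source. All names here are hypothetical.

/** Normalise a client-supplied upload name before it is stored. */
function normalise_upload_name(string $clientName): string
{
    // Drop any path component the client sent (both separator styles).
    $name = basename(str_replace('\\', '/', $clientName));
    // Remove control characters, then allow-list a conservative character set.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    $name = preg_replace('/[^A-Za-z0-9._ -]/', '_', $name);
    $name = trim($name, ' .');
    return $name === '' ? 'unnamed' : substr($name, 0, 200);
}

/** Vulnerable pattern: the stored name is concatenated into markup unencoded. */
function render_attachment_unsafe(int $fileId, string $storedName): string
{
    return '<a href="download.php?id=' . $fileId . '">' . $storedName . '</a>';
}

/** Hardened pattern: encode for the HTML context at output time. */
function render_attachment_safe(int $fileId, string $storedName): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string.
    $label = htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="download.php?id=' . $fileId . '">' . $label . '</a>';
}

// Constructed sample input: a filename that carries markup.
$sample = '<img src=x onerror=alert(1)>.txt';

// Unsafe: the markup in the name reaches the browser as markup.
echo render_attachment_unsafe(7, $sample), PHP_EOL;

// Safe: the same stored value is rendered as inert text.
echo render_attachment_safe(7, $sample), PHP_EOL;

// Defence in depth: normalise when storing, and still encode when rendering.
echo render_attachment_safe(7, normalise_upload_name($sample)), PHP_EOL;
```

Encoding at output is the control that closes the hole; normalising at upload time only reduces what gets stored and does not protect rows already in the database.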
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-30 18:13:05 UTC
Maintainers, please bump as necessary.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2007-12-30 19:18:25 UTC
Fixed in mantisbt-1.0.8-r1. 
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-30 19:33:48 UTC
Arches, please test and mark stable www-apps/mantisbt-1.0.8-r1.
Target keywords : "amd64 ppc x86"
Comment 4 Markus Meier gentoo-dev 2008-01-01 17:00:07 UTC
x86 stable
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-04 22:33:55 UTC
*** Bug 204331 has been marked as a duplicate of this bug. ***
Comment 6 Lars Hartmann 2008-01-05 09:00:01 UTC
Can someone please add "CVE-2007-6611" to the summary?
I don't have the needed permissions.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-01-06 18:27:31 UTC
ppc stable
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2008-01-23 16:07:45 UTC
amd64 stable
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-23 20:00:37 UTC
This one is ready for GLSA vote. I tend to vote YES.
Comment 10 Hanno Böck gentoo-dev 2008-02-02 12:09:43 UTC
Both mantis 1.1.0 and 1.1.1 have fixed additional security issues (CVE-2007-6611, CVE-2008-0404), maybe the glsa should wait for another stabilization-round?
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-02-02 12:19:54 UTC
That's not necessary: take a look at bug 207260. Stabilization of mantisbt-1.1 is in my TODO list but it's a rather fresh release, so I wouldn't be in a hurry.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-10 20:11:54 UTC
voting YES, glsa request filed.
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-10 21:58:42 UTC
I would have voted no for this "authenticated" XSS but that's OK, 2 Yes / 1 No.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-11 18:30:32 UTC
Or to be more precise it's 1½/1½. tend usually means ½ :-) If registration is commonly open I'd say yes, if not then it would be NO.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-02-11 23:06:01 UTC
YES, was already filed.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-03 21:13:36 UTC
GLSA 200803-04