A friend just forwarded this URL to me: http://pridels.blogspot.com/2006/03/mantis-xss-vuln.html

Quote:
===========================================================================
###############################################
Vuln. discovered by : r0t
Date: 31 march 2006
vendor:http://www.mantisbt.org/
affected versions:Mantis 1.0.1 and 1.0.0rc5 and prior
###############################################
Vuln. Description:

Mantis contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to "start_day" "start_year" "start_month" parameters in "view_all_set.php" isn't properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

examples:

/view_all_set.php?type=1&temporary=y&do_filter_by_date=on&start_year=2006&start_month=03&start_day=[XSS]
/view_all_set.php?type=1&temporary=y&do_filter_by_date=on&start_year=[XSS]
/view_all_set.php?type=1&temporary=y&do_filter_by_date=on&start_year=2006&start_month=[XSS]
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/
===========================================================================
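The advisory's suggested fix (make sure the three date parameters are sanitised before they are echoed back), sketched as an added example. This is not code from Mantis or from the advisory; the function names, the year bounds and the fall-back-to-today behaviour are assumptions.

```php
<?php
// Added example, not Mantis code. Function names and year bounds are assumptions.

/**
 * Parse one date component from request input.
 * Accepts only 1-4 ASCII digits (so "03" is fine) within [$min, $max];
 * anything else, including markup, yields $default.
 */
function date_part(array $query, string $key, int $min, int $max, int $default): int
{
    $raw = $query[$key] ?? null;
    // Arrays (start_day[]=x) and non-digit strings are rejected outright.
    if (!is_string($raw) || preg_match('/\A[0-9]{1,4}\z/', $raw) !== 1) {
        return $default;
    }
    $value = (int) $raw;
    return ($value >= $min && $value <= $max) ? $value : $default;
}

/** Return a validated [year, month, day] triple, falling back to today. */
function filter_start_date(array $query): array
{
    $today = getdate();
    $year  = date_part($query, 'start_year', 1970, 2100, $today['year']);
    $month = date_part($query, 'start_month', 1, 12, $today['mon']);
    $day   = date_part($query, 'start_day', 1, 31, $today['mday']);
    // Reject impossible combinations such as 31 February.
    if (!checkdate($month, $day, $year)) {
        return [$today['year'], $today['mon'], $today['mday']];
    }
    return [$year, $month, $day];
}

/** Render the values; escape at output even though they are integers. */
function render_start_date(array $query): string
{
    [$y, $m, $d] = filter_start_date($query);
    $text = sprintf('%04d-%02d-%02d', $y, $m, $d);
    return '<span class="start-date">' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</span>';
}

// Constructed sample inputs: one well-formed, one carrying markup in start_day.
$samples = [
    ['start_year' => '2006', 'start_month' => '03', 'start_day' => '31'],
    ['start_year' => '2006', 'start_month' => '03', 'start_day' => '<b>x</b>'],
];
foreach ($samples as $q) {
    echo render_start_date($q), PHP_EOL;
}
```

A digit-only pattern is used rather than FILTER_VALIDATE_INT because the latter rejects zero-padded values such as the "03" seen in the advisory's example URLs.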
web-apps, please check if stable versions are affected and please provide new ebuilds, thank you
As this is a security issue, I don't know if it should be in a different Component category. I'm unable to find reference of this bug in the Official Mantis Bug Database, and the referred to "unsecured-systems.com/forum/" doesn't have the referred to thread available to the public.
I just submitted a bug to the main Mantis database regarding this issue: http://bugs.mantisbt.org/view.php?id=6914
Very nice, thank you Philippe
Mhmm. I got "Access denied" for http://bugs.mantisbt.org/view.php?id=6914. I assume there is at least some truth in that vulnerability and the mantis team restricted access. I wonder if the same should be done for this bug, but it is probably too late for that anyway... Do you know anything about upstream's time frame for commenting and fixing the issue, Philippe (as bug reporter at upstream)?
thraxisp (one of the main Mantis developers, I think, from the freq of his name on their site) posted "Security issues are usually private to prevent exploits until they are resolved. Thanks for the heads up." on 4/4/2006. He marked the http://bugs.mantisbt.org/view.php?id=6914 bug as closed, "duplicate of 0006902", which gives me the "Access denied" you mentioned in regards to the bug I submitted to them. Sum up: My bug must have been a dup of an open bug, so I have no more information for you at this time.
Waiting for upstream release
1.0.2 has been released and is in Portage. Among others, fixes:
- 0006902: [security] XSS in mantis bug track system (thraxisp)
ppc please test and mark stable.
ppc stable
This one is ready for GLSA decision. I tend to vote NO.
I tend to vote no; that XSS requires following a very lame URL
Hi, I tend to vote no too
Closing... feel free to reopen if you intended to vote yes