CVE-2008-2276 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2276): Cross-site request forgery (CSRF) vulnerability in Mantis 1.1.1 allows remote attackers to create new administrative users via user_create.
Backporting the patch to 1.1.1 seems rather involved. So I'd suggest waiting for 1.2.0 here.
There were a rumors about upcoming 1.1.2, so I'd wait too but for that version. I'm sure 1.2.0 is too unstable to mark it stable...
The fixes introduced in 1.1.2 are not enough. Please note that new vulnerabilities have been discovered, see: http://www.ush.it/team/ush/hack-mantis111/adv.txt
Thank you for the link, I'll check that all that bugs be fixed in 1.1.2. 1.1.2 is not released yet and work on backporting security and other fixes is in progress.
New version was added to the tree. Robert the link you posted here is unavailable now, but at time you posted it here, I've showed it to mantis developers and I remember that the issues that were raised there were in TODO list for 1.1.2 release. So I can not check now but I hope that everything is fixed.
Well, link is available now and I've checked that all things reported there were fixed in 1.1.2 release, which is already stable in our tree. Please, mark this bug as appropriate. Thank you.
Created attachment 166739 [details] adv.txt Attaching text Robert gave link in comment #3 not to loose it anymore.
Should be GLSAed together with bug 238570 and bug 241940. Security, please file the GLSA request.
CVE-2008-2276 was resolved in GLSA 200809-10, the other issues in the adv.txt are CVE-2008-3331 and CVE-2008-3332, which were bug 233336.
