Bug 381785 - <www-apps/mantisbt-1.2.8 multiple XSS vulnerabilities
Summary: <www-apps/mantisbt-1.2.8 multiple XSS vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/45829/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-04 14:18 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-02 03:10 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Tim Sammut (RETIRED) gentoo-dev 2011-09-04 14:18:37 UTC
The remainder of the mantisbt vulnerabilities mentioned in bug 381417. Content from the oss-security post at http://www.openwall.com/lists/oss-security/2011/09/04/1:


Request #1: XSS injection via PHP_SELF

Paulino Calderon from Websec reported an issue [2] against MantisBT
1.2.6 whereby an attacker could craft URLs such that arbitrary HTML
could be inserted into page output. Users running MantisBT on a vanilla
nginx installation are unaffected because nginx will check to see
whether the full URL path exists and is valid (with an XSS injection
string, it won't be). Other web servers such as Apache won't perform
these stringent checks, and therefore MantisBT is vulnerable to this
attack when running on an Apache server. This attack does not require
users to be authenticated or logged into a MantisBT installation to be
impacted by this vulnerability.

The same issue was identified by High-Tech Bridge Security Research Lab
with their advisory #HTB23045 available at [1]. Paul Richards (MantisBT
developer) also discovered this issue during a routine audit.

MantisBT bug reports with full details (including patches) are available
at [2] and [3].




Request #2: LFI and XSS via bug_actiongroup_ext_page.php

(#2 was fixed in bug 381417)


Request #3: XSS issues with unescaped os, os_build and platform
parameters on bug_report_page.php and bug_update_advanced_page.php

High-Tech Bridge Security Research Lab reported an issue against
MantisBT 1.2.7 whereby an attacker could perform an XSS attack on users
with access to either bug_report_page.php or
bug_update_advanced_page.php. In default and typical MantisBT
installations, this is limited to users that are currently logged in.

The cause of this problem is with the use of the ancient Projax library
(available at [4]) in the 1.2.x branch of MantisBT. Projax does not
escape value attributes when printing input form elements. In some
respects, this issue is also a bug with Projax; however, it may be a case
that users of this library are expected to provide values that are
already sanitised. MantisBT 1.3.x (master branch) uses jQuery instead of
Projax and is therefore not impacted by this vulnerability.

Full details and patches are available at [3].

Additional information:

A new release (mantisbt-1.2.8) is being put together and will be
available shortly to download from mantisbt.org to resolve these 3
vulnerabilities. Announcements will be made to
mantisbt-announce@lists.sourceforge.net, mantisbt.org/blog, #mantishelp
on irc.freenode.net and other usual channels. Major Linux distributions
shipping mantisbt-1.2.x will also be informed.

With thanks to: Paulino Calderon (Websec), High-Tech Bridge Security
Research Lab, Paul Richards (MantisBT)


References:

[1] https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html

[2] http://www.mantisbt.org/bugs/view.php?id=13191

[3] http://www.mantisbt.org/bugs/view.php?id=13281

[4] http://www.ngcoders.com/projax/
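Both Request #1 and Request #3 above come down to the same defect: untrusted text reaching an HTML attribute without escaping. The following PHP script is an added illustration written for this page; it is not MantisBT, Projax or the advisory's patch, and the $_SERVER values, the field name "os" and the sample strings are constructed so it runs from the CLI. It places the vulnerable pattern beside its hardened form for each request: for #1, a form action built from PHP_SELF (which on Apache carries PATH_INFO) versus SCRIPT_NAME passed through htmlspecialchars; for #3, a Projax-style value attribute concatenated verbatim versus an escaped one.

```php
<?php
// Added example, not MantisBT/Projax code. Demonstrates the two
// output-escaping failures described in the advisory, each next to a
// hardened form. $_SERVER values below are constructed for a CLI run;
// under Apache, PATH_INFO is appended to PHP_SELF, which is where
// untrusted text enters in Request #1.

declare(strict_types=1);

// ---- Request #1: PHP_SELF reflected into page markup ------------------

// Vulnerable pattern: the script's own URL is echoed into an attribute
// without escaping. Everything after the script name is request-controlled.
function form_open_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: SCRIPT_NAME excludes PATH_INFO, and it is escaped anyway so the
// output is safe regardless of which web server populated the variable.
function form_open_safe(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// ---- Request #3: unescaped value attributes in generated inputs --------

// Vulnerable pattern (the behaviour the advisory attributes to Projax):
// the caller's value is concatenated into the attribute verbatim.
function input_vulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened: escape both name and value for an attribute context.
function input_safe(string $name, string $value): string
{
    $e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $e($name) . '" value="' . $e($value) . '" />';
}

// Constructed sample inputs: a request path with extra path info that
// contains attribute-breaking characters, and an "os" field with the same.
$server = [
    'SCRIPT_NAME' => '/bug_report_page.php',
    'PHP_SELF'    => '/bug_report_page.php/extra"<b>',  // what Apache would hand to PHP
];
$os = 'Linux"<b>';

echo "Request #1 (PHP_SELF)\n";
echo '  vulnerable: ', form_open_vulnerable($server), "\n";
echo '  hardened:   ', form_open_safe($server), "\n\n";

echo "Request #3 (value attribute)\n";
echo '  vulnerable: ', input_vulnerable('os', $os), "\n";
echo '  hardened:   ', input_safe('os', $os), "\n";
```

Run it with `php example.php` and compare the two lines of each pair: in the hardened output the quote and angle bracket appear as `&quot;` and `&lt;`, so the attribute cannot be terminated by the input. ENT_QUOTES is the part that matters for attribute context; the default flags leave single quotes alone, which is enough to break out of a single-quoted attribute. This is also why the nginx behaviour noted in the advisory is only incidental protection: it hides Request #1 on one server, while output escaping fixes it on all of them.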
Comment 1 David Hicks 2011-09-06 11:33:17 UTC
Thanks Tim. Just acknowledging that I'm watching this report.

These issues have been fixed in the repository and have been independently tested by Silvia Alvarez (Debian package manager for MantisBT) and Robert Munteanu (MantisBT developer).

A tarball of the 1.2.8 release should be available shortly. I'll update this bug report when that occurs (if someone else doesn't notice the release announcements first).
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2011-09-07 07:27:05 UTC
New version is in the tree. Arch teams, please, stabilize 1.2.8. TIA.
Comment 3 Agostino Sarubbo gentoo-dev 2011-09-07 15:33:00 UTC
amd64 ok
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-09-10 08:37:37 UTC
amd64

ditto
Comment 5 Markus Meier gentoo-dev 2011-09-12 21:06:10 UTC
amd64/x86 stable, thanks Agostino and Ian
Comment 6 Markus Meier gentoo-dev 2011-09-12 21:08:28 UTC
(In reply to comment #5)
> amd64/x86 stable, thanks Agostino and Ian

--> all arches done.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-09-12 21:15:40 UTC
Thanks, everyone. Closing noglsa for XSS.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 03:10:47 UTC
Just for the record, the CVEs:

(In reply to comment #0)
> 
> Request #1: XSS injection via PHP_SELF
> 

CVE-2011-3356

> 
> Request #2: LFI and XSS via bug_actiongroup_ext_page.php
> 
> (#2 was fixed in bug 381417)
> 

CVE-2011-3357

> 
> Request #3: XSS issues with unescaped os, os_build and platform
> parameters on bug_report_page.php and bug_update_advanced_page.php
> 

CVE-2011-3358