Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 522650 (CVE-2014-6387) - www-apps/mantisbt: Null byte poisoning issue with LDAP authentication (CVE-2014-6387)
Summary: www-apps/mantisbt: Null byte poisoning issue with LDAP authentication (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2014-6387
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2014/q3/590
Whiteboard: B3 [ebuild]
Keywords:
Depends on: CVE-2014-6316
Blocks:
  Show dependency tree
 
Reported: 2014-09-12 14:08 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-04-01 03:45 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-09-12 14:08:54 UTC 
Greetings

Matthew Daley reported a Null byte poisoning issue with LDAP 
authentication affecting MantisBT <= 1.2.17.

A malicious user can exploit this vulnerability to login as any 
registered user and without knowing their password, to systems relying 
on LDAP for user authentication (e.g. Active Directory or OpenLDAP with 
"allow bind_anon_cred"). 

Patches are available in [1]; full details on the original issue report 
can be found at [2]. Can you please assign a CVE ID to this issue ? 

Thank you

D. Regad
MantisBT Developer
http://mantisbt.org/

[1] http://github.com/mantisbt/mantisbt/commit/fc02c46ee (master branch)
    http://github.com/mantisbt/mantisbt/commit/215968fa8 (1.2.x branch)
[2] http://www.mantisbt.org/bugs/view.php?id=17640
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-12-27 02:11:42 UTC 
CVE-2014-6387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6387):
  gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass
  authenticated via a password starting will a null byte, which triggers an
  unauthenticated bind.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-03-03 05:26:23 UTC 
This is fixed in version: 1.2.18
http://www.mantisbt.org/bugs/view.php?id=17640
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-07 08:26:57 UTC 
Multiple vulnerabilities spread across 9 different bugs.  No movement from maintainers in over a year.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-04-01 03:45:02 UTC 
Package removed