Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 203791 (CVE-2007-6611)

Summary: www-apps/mantisbt < 1.0.8-r1 "Upload File" Script Insertion Vulnerability (CVE-2007-6611)
Product: Gentoo Security Reporter: Pierre-Yves Rofes (RETIRED) <py>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: lars, pva
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/28185/
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-30 18:11:39 UTC 
seiji has discovered a vulnerability in Mantis, which can be exploited by malicious users to conduct script insertion attacks.

Input passed as the filename for the uploaded file in bug_report.php is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious filename is viewed in view.php.

Successful exploitation requires valid user credentials.

The vulnerability is confirmed in version 1.0.8. Other versions may also be affected.

Solution:
Update to version 1.1.0.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-30 18:13:05 UTC 
maintainers, please bump as necessary.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2007-12-30 19:18:25 UTC 
Fixed in mantisbt-1.0.8-r1.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-30 19:33:48 UTC 
Arches, please test and mark stable www-apps/mantisbt-1.0.8-r1.
Target keywords : "amd64 ppc x86"
Comment 4 Markus Meier gentoo-dev 2008-01-01 17:00:07 UTC 
x86 stable
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-04 22:33:55 UTC 
*** Bug 204331 has been marked as a duplicate of this bug. ***
Comment 6 Lars Hartmann 2008-01-05 09:00:01 UTC 
can someone please add "CVE-2007-6611" to the summary?
i dont have the needed permissions
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-01-06 18:27:31 UTC 
ppc stable
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2008-01-23 16:07:45 UTC 
amd64 stable
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-23 20:00:37 UTC 
This one is ready for GLSA vote. I tend to vote YES.
Comment 10 Hanno Böck gentoo-dev 2008-02-02 12:09:43 UTC 
Both mantis 1.1.0 and 1.1.1 have fixed additional security issues (CVE-2007-6611, CVE-2008-0404), maybe the glsa should wait for another stabilization-round?
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-02-02 12:19:54 UTC 
That's not necessary:  take a look at bug 207260. Stabilization of mantisbt-1.1 is in my TODO list but it's rather fresh release, so I wouldn't be hurry.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-10 20:11:54 UTC 
voting YES, glsa request filed.
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-10 21:58:42 UTC 
I would have vote no for this "authenticated" XSS but that's OK, 2 Yes / 1 No.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-11 18:30:32 UTC 
Or to be more precise it's 1½/1½. tend usually means ½ :-) If registration is commonly open I'd say yes, if not then it would be NO.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-02-11 23:06:01 UTC 
YES, was already filed.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-03 21:13:36 UTC 
GLSA 200803-04