Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 348761 (CVE-2010-4348)

Summary: <www-apps/mantisbt-1.2.4: Multiple vulnerabilities (CVE-2010-{3303,3763,4348,4349,4350})
Product: Gentoo Security Reporter: David Hicks <david>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: pva
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.mantisbt.org/bugs/view.php?id=12607
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description David Hicks 2010-12-15 03:25:42 UTC 
The MantisBT project was notified by Gjoko Krstic of Zero Science Lab
(gjoko@zeroscience.mk) of multiple vulnerabilities affecting MantisBT
<1.2.4.

The two following advisories have been released explaining the
vulnerabilities in greater detail:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php

As one of these vulnerabilities allows the reading of arbitrary files
from the file system we are treating this issue with critical severity.
Please note that this issue only affects users who have not removed the
"admin" directory from their MantisBT installation. We recommend,
instruct and warn users to remove this directory after installation
however it is clear that many users ignore these warnings.

I have requested CVE numbers via oss-sec (awaiting list moderation).

We have released MantisBT 1.2.4 which resolves the issue for users
of our stable 1.2.x branch. We do have a patch for MantisBT 1.1.x available in the repository as well, however this doesn't apply to Gentoo.

The bug report tracking this issue upstream at MantisBT:
http://www.mantisbt.org/bugs/view.php?id=12607

If there are any questions or concerns please feel free to contact me.

Reproducible: Always

Steps to Reproduce:
Comment 1 David Hicks 2010-12-15 03:29:31 UTC 
Apologies for the oversight, Gentoo does still ship mantisbt-1.1.8.

The patch to apply to this version can be obtained through our repository at:
http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

Please note that MantisBT 1.1.x is not officially supported by the MantisBT project and is not recommended for use. We have made a significant number of security improvements in 1.2.x that aren't available in 1.1.x (not just bug fixes, but general architecture changes).
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-12-15 06:07:10 UTC 
(In reply to comment #0)
> 
> If there are any questions or concerns please feel free to contact me.
> 

Thank you for the report, David.
Comment 3 David Hicks 2010-12-16 14:08:00 UTC 
CVE-2010-4348: Cross site scripting
CVE-2010-4349: Path disclosure
CVE-2010-4350: Local file inclusion
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2010-12-19 15:58:29 UTC 
Thank you David. New version was just added to the tree and I've dropped old, vulnerable versions. Arch teams, please, stabilize www-apps/mantisbt-1.2.4.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-12-19 16:04:23 UTC 
Rerating B2.
Comment 6 Agostino Sarubbo gentoo-dev 2010-12-19 20:08:04 UTC 
amd64 ok
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2010-12-20 00:39:13 UTC 
amd64 done. Thanks Agostino
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-12-20 07:18:00 UTC 
x86 stable
Comment 9 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-11 17:35:08 UTC 
ppc stable, last arch done
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-01-11 17:48:00 UTC 
Thanks, folks. GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-07-10 01:26:12 UTC 
CVE-2010-4350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4350):
  Directory traversal vulnerability in admin/upgrade_unattended.php in
  MantisBT before 1.2.4 allows remote attackers to include and execute
  arbitrary local files via a .. (dot dot) in the db_type parameter, related
  to an unsafe call by MantisBT to a function in the ADOdb Library for PHP.

CVE-2010-4349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4349):
  admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote
  attackers to obtain sensitive information via an invalid db_type parameter,
  which reveals the installation path in an error message, related to an
  unsafe call by MantisBT to a function in the ADOdb Library for PHP.

CVE-2010-4348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4348):
  Cross-site scripting (XSS) vulnerability in admin/upgrade_unattended.php in
  MantisBT before 1.2.4 allows remote attackers to inject arbitrary web script
  or HTML via the db_type parameter, related to an unsafe call by MantisBT to
  a function in the ADOdb Library for PHP.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-07-10 01:26:26 UTC 
CVE-2010-3763 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3763):
  Cross-site scripting (XSS) vulnerability in core/summary_api.php in MantisBT
  before 1.2.3 allows remote attackers to inject arbitrary web script or HTML
  via the Summary field, a different vector than CVE-2010-3303.

CVE-2010-3303 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3303):
  Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.3
  allow remote authenticated administrators to inject arbitrary web script or
  HTML via (1) a plugin name, related to manage_plugin_uninstall.php; (2) an
  enumeration value or (3) a String value of a custom field, related to
  core/cfdefs/cfdef_standard.php; or a (4) project or (5) category name to
  print_all_bug_page_word.php.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-11-08 10:42:53 UTC 
This issue was resolved and addressed in
 GLSA 201211-01 at http://security.gentoo.org/glsa/glsa-201211-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).