Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 522650 (CVE-2014-6387)

Summary: www-apps/mantisbt: Null byte poisoning issue with LDAP authentication (CVE-2014-6387)
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: david, proxy-maint, pva, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/oss-sec/2014/q3/590
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on: 531896    
Bug Blocks:    

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-09-12 14:08:54 UTC 
Greetings

Matthew Daley reported a Null byte poisoning issue with LDAP 
authentication affecting MantisBT <= 1.2.17.

A malicious user can exploit this vulnerability to login as any 
registered user and without knowing their password, to systems relying 
on LDAP for user authentication (e.g. Active Directory or OpenLDAP with 
"allow bind_anon_cred"). 

Patches are available in [1]; full details on the original issue report 
can be found at [2]. Can you please assign a CVE ID to this issue ? 

Thank you

D. Regad
MantisBT Developer
http://mantisbt.org/

[1] http://github.com/mantisbt/mantisbt/commit/fc02c46ee (master branch)
    http://github.com/mantisbt/mantisbt/commit/215968fa8 (1.2.x branch)
[2] http://www.mantisbt.org/bugs/view.php?id=17640
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-12-27 02:11:42 UTC 
CVE-2014-6387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6387):
  gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass
  authenticated via a password starting will a null byte, which triggers an
  unauthenticated bind.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-03-03 05:26:23 UTC 
This is fixed in version: 1.2.18
http://www.mantisbt.org/bugs/view.php?id=17640
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-07 08:26:57 UTC 
Multiple vulnerabilities spread across 9 different bugs.  No movement from maintainers in over a year.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-04-01 03:45:02 UTC 
Package removed