Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 531896 (CVE-2014-6316)

Summary: www-apps/mantisbt: multiple vulnerabilities (CVE-2014-{6316,7146,8553,8554,8598,8986,8988,9089,9117,9269,9270,9271,9272,9279,9280,9281,9388,9506,9571,9572,9573},CVE-2015-1042)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: david, phantom4, proxy-maint, pva, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2014/12/07/3
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 500900, 503152, 522650, 527618    
Attachments:
Description Flags
mantisbt-1.2.19.ebuild none

Description Agostino Sarubbo gentoo-dev 2014-12-07 15:31:36 UTC
From ${URL} :

MantisBT 1.2.18 is an important security update for the stable 1.2.x branch.
All installations that are currently running any 1.2.x version are strongly
advised to upgrade to this release. Download it from [2].

This release resolves a total of 43 issues, including fixes for 23 security-
related bugs and vulnerabilities:

-  7 Cross-Site Scripting (XSS) issues: #17297/CVE-2014-9272,
    #17583/CVE-2014-9270, #17870/CVE-2014-8987, #17874/CVE-2014-9271,
    #17876/CVE-2014-9281, #17889/CVE-2014-8986, #17890/CVE-2014-9269

-  2 Code injection issues: #17725/CVE-2014-7146, #17875/CVE-2014-9280

-  2 SQL injection (XSS) issues: #17812/CVE-2014-8554, #17841/CVE-2014-9089

-  5 Information disclosure issues: #9885, #17744, #17877/CVE-2014-9279,
    #17742/CVE-2014-8988, #17243/CVE-2014-8553

-  7 Other security issues: #10966, #17338, #17640/CVE-2014-6387,
    #17648/CVE-2014-6316, #17780/CVE-2014-8598, #17811/CVE-2014-9117, #17878



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 03:07:15 UTC
CVE-2014-9388 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9388):
  bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign
  arbitrary issues via the handler_id parameter.

CVE-2014-9281 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9281):
  Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT
  before 1.2.18 allows remote attackers to inject arbitrary web script or HTML
  via the dest_id field.

CVE-2014-9280 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9280):
  The current_user_get_bug_filter function in core/current_user_api.php in
  MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code
  via the filter parameter.

CVE-2014-9279 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9279):
  The print_test_result function in admin/upgrade_unattended.php in MantisBT
  1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain
  database credentials via a URL in the hostname parameter and reading the
  parameters in the response sent to the URL.

CVE-2014-9270 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9270):
  Cross-site scripting (XSS) vulnerability in the
  projax_array_serialize_for_autocomplete function in core/projax_api.php in
  MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary
  web script or HTML via the "profile/Platform" field.

CVE-2014-9117 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9117):
  MantisBT before 1.2.18 uses the public_key parameter value as the key to the
  CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA
  protection mechanism by leveraging knowledge of a CAPTCHA answer for a
  public_key parameter value, as demonstrated by E4652 for the public_key
  value 0.

CVE-2014-9089 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9089):
  Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT
  before 1.2.18 allow remote attackers to execute arbitrary SQL commands via
  the (1) sort or (2) dir parameter to view_all_set.php.

CVE-2014-8988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8988):
  MantisBT before 1.2.18 allows remote authenticated users to bypass the
  $g_download_attachments_threshold and $g_view_attachments_threshold
  restrictions and read attachments for private projects by leveraging access
  to a project that does not restrict access to attachments and a request to
  the download URL.

CVE-2014-8986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8986):
  Cross-site scripting (XSS) vulnerability in the selection list in the
  filters in the Configuration Report page (adm_config_report.php) in MantisBT
  1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web
  script or HTML via a crafted config option, a different vulnerability than
  CVE-2014-8987.

CVE-2014-8598 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8598):
  The XML Import/Export plugin in MantisBT 1.2.x does not restrict access,
  which allows remote attackers to (1) upload arbitrary XML files via the
  import page or (2) obtain sensitive information via the export page.  NOTE:
  this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.

CVE-2014-8554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8554):
  SQL injection vulnerability in the mc_project_get_attachments function in
  api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote
  attackers to execute arbitrary SQL commands via the project_id parameter. 
  NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2014-1609.

CVE-2014-8553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8553):
  The mci_account_get_array_by_id function in api/soap/mc_account_api.php in
  MantisBT before 1.2.18 allows remote attackers to obtain sensitive
  information via a (1) mc_project_get_users, (2) mc_issue_get, (3)
  mc_filter_get_issues, or (4) mc_project_get_issues SOAP request.

CVE-2014-7146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7146):
  The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote
  attackers to execute arbitrary PHP code via a crafted (1) description field
  or (2) issuelink attribute in an XML file, which is not properly handled
  when executing the preg_replace function with the e modifier.

CVE-2014-6316 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6316):
  core/string_api.php in MantisBT before 1.2.18 does not properly categorize
  URLs when running under the web root, which allows remote attackers to
  conduct open redirect and phishing attacks via a crafted URL in the return
  parameter to login_page.php.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-06 10:49:40 UTC
*** Bug 535772 has been marked as a duplicate of this bug. ***
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-01-10 16:36:57 UTC
CVE-2014-9506 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9506):
  MantisBT before 1.2.18 does not properly check permissions when sending an
  email that indicates when a monitored issue is related to another issue,
  which allows remote authenticated users to obtain sensitive information
  about restricted issues.

CVE-2014-9272 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9272):
  The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before
  1.2.18 does not properly validate the URL protocol, which allows remote
  attackers to conduct cross-site scripting (XSS) attacks via the
  javascript:// protocol.

CVE-2014-9271 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9271):
  Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT
  before 1.2.18 allows remote authenticated users to inject arbitrary web
  script or HTML via a Flash file with an image extension, related to inline
  attachments, as demonstrated by a .swf.jpeg filename.

CVE-2014-9269 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9269):
  Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT
  1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is
  enabled, allows remote attackers to inject arbitrary web script or HTML via
  the project cookie.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-02 11:14:16 UTC
*** Bug 538524 has been marked as a duplicate of this bug. ***
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-09 21:50:37 UTC
From http://seclists.org/oss-sec/2015/q1/110

During follow-up tests he performed on the fix for CVE-2014-6316 (which was released in MantisBT 1.2.18), Alejo Popovici noticed [1] that the earlier fix was only partial.


With certain browsers (FF 34, Chrome 39 but not IE11) it is still possible to effect a cross-domain redirection using a redirect address having a single slash, e.g.


- http://example.com/mantis/login_page.php?return=https:/google.com or
- https://example.com/mantis/login_page.php?return=http:/google.com

This is essentially the same vulnerability that was described in CVE-2014-6316, but due to a different root cause (for which a patch will be issued soon).


I would like to know if I should be using the same CVE ID, or if a new one needs to be issued.


Thanks in advance.

Damien Regad
MantisBT Developer
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 18:13:55 UTC
CVE-2015-1042 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1042):
  The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3
  through 1.2.18 uses an incorrect regular expression, which allows remote
  attackers to conduct open redirect and phishing attacks via a URL with a
  ":/" (colon slash) separator in the return parameter to login_page.php, a
  different vulnerability than CVE-2014-6316.

CVE-2014-9573 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9573):
  SQL injection vulnerability in manage_user_page.php in MantisBT before
  1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE
  privileges to execute arbitrary SQL commands via the
  MANTIS_MANAGE_USERS_COOKIE cookie.

CVE-2014-9572 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9572):
  MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly
  restrict access to /*/install.php, which allows remote attackers to obtain
  database credentials via the install parameter with the value 4.

CVE-2014-9571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9571):
  Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT
  before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to
  inject arbitrary web script or HTML via the (1) admin_username or (2)
  admin_password parameter.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-03-03 06:01:24 UTC
All of these issues are fixed in 1.2.19 which is the latest version.
Released 2015-01-24

Please create an Ebuild for this version.
All previous bugs that are not stable will be set to dependency of this bug.
Comment 8 Per Pomsel 2015-03-03 12:10:57 UTC
Created attachment 397924 [details]
mantisbt-1.2.19.ebuild
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-03-07 08:27:31 UTC
Multiple vulnerabilities spread across 9 different bugs.  No movement from maintainers in over a year.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-04-01 03:45:34 UTC
Package removed