High-Tech Bridge SA Security Research Lab has reported numerous vulnerabilities against www-apps/mantisbt-1.2.7 (see https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html)
Additionally, MantisBT developer Paul Richards has performed an independent audit and discovered a number of additional MantisBT vulnerabilities.
The most critical issue thus far (local file inclusion/path traversal) has been fixed. The following patch against the 1.2.7 release of MantisBT is available: https://github.com/mantisbt/mantisbt/commit/a7eacc181185eff1dd7bd8ceaa34a91cf86cc298
We will have a number of other patches pushed ASAP and a release bundled shortly. It may be worth applying the LFI patch in the meantime due to the severe consequences it may pose to Apache users. nginx users should be unaffected due to the more sane path handling within nginx (see the commit message mentioned above for more detail).
We'll work with HTB to release a formal advisory once all the patches are pushed. CVE requests will be made on the oss-sec mailing list.
I'll keep this bug report updated as we progress with a mantisbt-1.2.8 release.
As a side note, thanks for the quick turnaround on the recent www-apps/mantisbt-1.2.7 "security fix" release. We didn't know of these newly discovered problems until today so apologies for the extra workload.
Thank you David. I've added this patch in mantisbt-1.2.7-r1. Arch teams, please, consider stabilization.
+ 02 Sep 2011; Tony Vroon <email@example.com> mantisbt-1.2.7-r1.ebuild:
+ Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+ Lazkani in security bug #381417 filed by David Hicks.
Thanks, folks. GLSA Vote: no.
Hi Peter & others,
Thanks for the quick response.
All vulnerabilities have now been fixed and the 1.2.8 release has been tagged in the repository, ready for packaging and release. The original patch I produced has been replaced with a more comprehensive patch for the 1.2.8 release.
A CVE request has been sent to the oss-security mailing list.
Note the potential severity of the LFI vulnerability from my follow-up post to oss-security:
MantisBT allows users to upload attachments to bug reports. These
attachments are commonly stored on the disk in an 'attachments'
directory that should be stored outside the web root (but are still
accessible to MantisBT for retrieval).
This LFI vulnerbility therefore allows arbitrary remote code execution
on a target server (as the web user ID). This level of access could be
used to connect to the MantisBT database and access files and
configuration of other web applications operating under the same uid/gid
as the MantisBT installation.
For example, this LFI vulnerability may allow an attacker to call:
(In reply to comment #6)
> Hi Peter & others,
> Thanks for the quick response.
Thank you, David. I've opened a new bug, 381785, to track the fixes for the other two issues.
Added to pending GLSA request.
This issue was resolved and addressed in
GLSA 201211-01 at http://security.gentoo.org/glsa/glsa-201211-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).