Debian Bug report logs - #458377
mantis: cross-site scripting via file upload functionality

Package: mantis; Maintainer for mantis is Silvia Alvarez <sils@powered-by-linux.com>; Source for mantis is src:mantis.

Reported by: Nico Golde <nion@debian.org>

Date: Sun, 30 Dec 2007 19:30:05 UTC

Severity: important

Tags: patch, security

Fixed in versions mantis/1.0.8-4, mantis/0.19.2-5sarge5

Done: Patrick Schoenfeld <schoenfeld@in-medias-res.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Patrick Schoenfeld <schoenfeld@in-medias-res.com>:
Bug#458377; Package mantis.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Patrick Schoenfeld <schoenfeld@in-medias-res.com>.

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: mantis: cross-site scripting via file upload functionality
Date: Sun, 30 Dec 2007 19:47:08 +0100
Package: mantis
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mantis.

Advisory[0]:
| seiji has discovered a vulnerability in Mantis, which can be exploited by
| malicious users to conduct script insertion attacks.
| 
| Input passed as the filename for the uploaded file in bug_report.php is not
| properly sanitised before being stored. This can be exploited to insert
| arbitrary HTML and script code, which is executed in a user's browser session
| in context of an affected site when the malicious filename is viewed in
| view.php.
| 
| Successful exploitation requires valid user credentials.

The following patch fixes the problem:
http://www.mantisbt.org/bugs/file_download.php?file_id=1591&type=bug

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://secunia.com/advisories/28185/

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
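
The pattern the advisory above describes, a stored upload filename echoed into a page, shown as an added PHP example. It is not part of the bug report, not Mantis code and not the upstream patch; the function names, the link markup and the sample filename are constructed for illustration.

```php
<?php
// Added illustration only: hypothetical helpers, not taken from Mantis.

/**
 * Vulnerable pattern: the filename supplied at upload time was stored as-is
 * and is now concatenated into HTML, so any markup in it is parsed by the
 * browser of whoever views the page.
 */
function render_attachment_unsafe(string $stored_name, int $file_id): string
{
    return '<a href="file_download.php?file_id=' . $file_id . '" title="'
        . $stored_name . '">' . $stored_name . '</a>';
}

/**
 * Hardened pattern: encode at output time for the HTML context.
 * ENT_QUOTES covers both quote styles, which matters for the title
 * attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
 */
function render_attachment_safe(string $stored_name, int $file_id): string
{
    $label = htmlspecialchars($stored_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="file_download.php?file_id=' . $file_id . '" title="'
        . $label . '">' . $label . '</a>';
}

// Constructed sample: a filename containing a quote and a harmless tag.
$stored_name = 'q4"<u>report.txt';

// The quote ends the title attribute early and <u> is parsed as a tag.
echo render_attachment_unsafe($stored_name, 1), "\n";

// The name is shown literally: q4&quot;&lt;u&gt;report.txt
echo render_attachment_safe($stored_name, 1), "\n";
```

Encoding where the value is written into the page also covers filenames that were stored before any upload-time check existed.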

Reply sent to Patrick Schoenfeld <schoenfeld@in-medias-res.com>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #10 received at 458377-close@bugs.debian.org:

From: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
To: 458377-close@bugs.debian.org
Subject: Bug#458377: fixed in mantis 1.0.8-4
Date: Mon, 31 Dec 2007 16:17:09 +0000
Source: mantis
Source-Version: 1.0.8-4

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_1.0.8-4.diff.gz
  to pool/main/m/mantis/mantis_1.0.8-4.diff.gz
mantis_1.0.8-4.dsc
  to pool/main/m/mantis/mantis_1.0.8-4.dsc
mantis_1.0.8-4_all.deb
  to pool/main/m/mantis/mantis_1.0.8-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 458377@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Schoenfeld <schoenfeld@in-medias-res.com> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 14 Dec 2007 14:55:26 +0100
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.0.8-4
Distribution: unstable
Urgency: medium
Maintainer: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
Changed-By: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
Description: 
 mantis     - web-based bug tracking system
Closes: 407824 458377
Changes: 
 mantis (1.0.8-4) unstable; urgency=medium
 .
   * Made package work with webservers different than apache2:
        + Changed depend on apache2 to depend on either apache or
          any other httpd via the httpd meta package.
        + Changed depend on libapache2-mod-php5 to depend on either that
          or the php5-cli package.
     (Closes: #407824)
   * Made depend on php5-cli a suggestion instead, because its only needed for a
     few optional scripts.
   * Fixed security issue CVE SA28185 (Closes: #458377)
   * Updated Standards Version
Files: 
 6fa48d9515283e0eeaf1cf8af84c8734 773 web optional mantis_1.0.8-4.dsc
 b1aad2b09a55a2771b3827920c1681f2 34546 web optional mantis_1.0.8-4.diff.gz
 b08d640f61e4f5a449416fad26e7c420 1281472 web optional mantis_1.0.8-4_all.deb


Reply sent to Patrick Schoenfeld <schoenfeld@in-medias-res.com>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #15 received at 458377-close@bugs.debian.org:

From: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
To: 458377-close@bugs.debian.org
Subject: Bug#458377: fixed in mantis 0.19.2-5sarge5
Date: Mon, 28 Jan 2008 19:52:17 +0000
Source: mantis
Source-Version: 0.19.2-5sarge5

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_0.19.2-5sarge5.diff.gz
  to pool/main/m/mantis/mantis_0.19.2-5sarge5.diff.gz
mantis_0.19.2-5sarge5.dsc
  to pool/main/m/mantis/mantis_0.19.2-5sarge5.dsc
mantis_0.19.2-5sarge5_all.deb
  to pool/main/m/mantis/mantis_0.19.2-5sarge5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 458377@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Schoenfeld <schoenfeld@in-medias-res.com> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 09 Jan 2008 10:24:53 +0100
Source: mantis
Binary: mantis
Architecture: source all
Version: 0.19.2-5sarge5
Distribution: oldstable-security
Urgency: high
Maintainer: Igor Genibel <igenibel@debian.org>
Changed-By: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
Description: 
 mantis     - web-based bug tracking system
Closes: 402802 458377
Changes: 
 mantis (0.19.2-5sarge5) oldstable-security; urgency=high
 .
   * Maintainer upload for the security team
   * Fixed security issue CVE-2007-6611: "Upload File" Script
     insertion vulnerability by applying the patch from sid.
     (Closes: #458377)
   * Fixed security issue CVE-2006-6574: Custom Field Information Disclosure by
     backporting changes in history_api.php from sid
     (Closes: #402802)
   * Fixed security issue: Email notifications bypass security on custom fields
   * Fixed multiple XSS vulnerabilites by backporting changes from upstream
     version 1.0.7
Files: 
 176c95ad5f1142fcb9364540fd19eeea 874 web optional mantis_0.19.2-5sarge5.dsc
 b1c5f077e0046c5b33d77e99a2b4ffe5 46292 web optional mantis_0.19.2-5sarge5.diff.gz
 5708305cbd20cde4825b3adb7d72d3a1 898014 web optional mantis_0.19.2-5sarge5_all.deb


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Feb 2008 07:31:20 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 13:30:05 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.