Launchpad has imported 10 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=663230.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2010-12-15T03:19:40+00:00 David wrote:

The MantisBT project was notified by Gjoko Krstic of Zero Science Lab
([email protected]) of multiple vulnerabilities affecting MantisBT
<1.2.4.

The two following advisories have been released explaining the
vulnerabilities in greater detail:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php

As one of these vulnerabilities allows the reading of arbitrary files
from the file system we are treating this issue with critical severity.
Please note that this issue only affects users who have not removed the
"admin" directory from their MantisBT installation. We recommend,
instruct and warn users to remove this directory after installation
however it is clear that many users ignore these warnings.

I have requested CVE numbers via oss-sec (awaiting list moderation).

As Redhat is using MantisBT 1.1.x you will need to apply the following
patch to resolve the issue in this older version of MantisBT:
http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

We have also released MantisBT 1.2.4 which resolves the issue for users
of our stable 1.2.x branch.

The bug report tracking this issue upstream at MantisBT:
http://www.mantisbt.org/bugs/view.php?id=12607

If there are any questions or concerns please feel free to contact me.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/0

------------------------------------------------------------------------
On 2010-12-15T10:20:31+00:00 Jan wrote:

(In reply to comment #0)
Hi David,

  thank you for such a complete report.

> 
> I have requested CVE numbers via oss-sec (awaiting list moderation).

  Looks like the CVE identifiers request did not make it to oss-security
yet.

To Gianluca: We will update this bug with CVE identifiers later, once
they are assigned to the issues. Could you please schedule Fedora MantisBT
updates with the patch below? (Fedora bug will follow shortly)

> 
> As Redhat is using MantisBT 1.1.x you will need to apply the following
> patch to resolve the issue in this older version of MantisBT:
> http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/6

------------------------------------------------------------------------
On 2010-12-15T10:23:55+00:00 Jan wrote:

These issues affect the versions of the mantis package, as shipped
with Fedora releases 13 and 14.

These issues affect the version of the mantis package, as present
within EPEL-5 repository.

Please schedule an update (patch is above).

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/7

------------------------------------------------------------------------
On 2010-12-15T10:27:47+00:00 Jan wrote:

Public PoCs (from http://www.mantisbt.org/bugs/view.php?id=12607):

1), cross-site scripting (XSS):
    http://[mantis_root_host]/admin/upgrade_unattended.php?db_type=%3Cscript%3Ealert%281%29%3C/script%3E

2), local file inclusion (LFI):
    http://[mantis_root_host]/admin/upgrade_unattended.php?db_type=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00

3), path disclosure (PD):
    http://[mantis_root_host]/admin/upgrade_unattended.php?db_type=%27

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/8
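As an added example (not code from this thread or from the MantisBT project), a small Python scan over constructed Apache access-log lines that flags requests to admin/upgrade_unattended.php whose db_type value carries the patterns of the three PoCs above, and records whether the admin directory answered at all (the distribution Apache config discussed later in the thread is expected to deny it with a 403). The log lines, IP addresses and the allowlist of driver names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Dec/2010:10:27:47 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Dec/2010:10:27:48 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=..%2f..%2f..%2f..%2fboot.ini%00 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Dec/2010:10:27:49 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=%27 HTTP/1.1" 500 300 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Dec/2010:10:30:00 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=mysql HTTP/1.1" 403 200 "-" "curl/7.21"
10.0.0.7 - - [15/Dec/2010:10:31:00 +0000] "GET /mantis/view.php?id=12607 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) ')
# Assumed allowlist of driver names a legitimate db_type value could take.
ALLOWED_DB_TYPES = {"mysql", "mysqli", "pgsql", "mssql", "oci8", "db2"}

def classify_db_type(value):
    # Tag one percent-decoded db_type value with the indicator patterns it carries.
    tags = []
    if "\x00" in value:
        tags.append("null-byte")     # LFI PoC: null byte truncates the file name
    if ".." in value or value.startswith("/"):
        tags.append("traversal")     # LFI PoC: path escapes the driver directory
    if re.search(r"<[^>]+>", value):
        tags.append("html-tag")      # XSS PoC: value is reflected into the page
    if "'" in value or '"' in value:
        tags.append("quote")         # PD PoC: malformed value, error output leaks a path
    if not tags and value not in ALLOWED_DB_TYPES:
        tags.append("unknown-db-type")
    return tags

def scan_access_log(text):
    # One finding per request to admin/upgrade_unattended.php, in log order.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith("/admin/upgrade_unattended.php"):
            continue
        db_type = parse_qs(parts.query, keep_blank_values=True).get("db_type", [""])[0]
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "status": status,
            "tags": classify_db_type(db_type),
            # A deny-all Apache config answers 403 under admin/; anything else means reachable.
            "admin_reachable": status not in (403, 404),
        })
    return findings
```

Any finding with tags and admin_reachable set is a request that reached the vulnerable script rather than the Apache deny rule.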

------------------------------------------------------------------------
On 2010-12-15T10:30:51+00:00 Jan wrote:

Created mantis tracking bugs for this issue

Affects: fedora-all [bug 663299]

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/9

------------------------------------------------------------------------
On 2010-12-15T10:37:54+00:00 Gianluca wrote:

I guess it's relevant to note the default apache configuration provided
with the mantis package includes the following.


# Admin directory access is disabled by default; do not change this unless
# you are performing the first installation or a database schema update.
# See README.Fedora for more details
<Directory /usr/share/mantis/admin>
        Order   Deny,Allow
        Deny    from All
        Allow   from None
</Directory>

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/10

------------------------------------------------------------------------
On 2010-12-15T10:53:56+00:00 David wrote:

Thanks Jan & Gianluca.

Debian (and by extension Ubuntu) use the same Apache configuration to
help protect the /admin/ directory. As a result they have decided that
the severity of the bug is not as high as first anticipated by upstream.

I guess it comes down to whether a typical user of this package will
keep the /admin/ directory permissions in a locked down state.

This issue is more of a concern for Gentoo (and MantisBT users using the
upstream package) where the /admin/ directory permissions are not in
place.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/11

------------------------------------------------------------------------
On 2010-12-16T14:11:13+00:00 David wrote:

From Josh Bressers (oss-sec mailing list):

CVE-2010-4348: Cross site scripting
CVE-2010-4349: Path disclosure
CVE-2010-4350: Local file inclusion

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/14

------------------------------------------------------------------------
On 2010-12-16T14:38:52+00:00 Jan wrote:

Gianluca, David, thank you for the comments:
https://bugzilla.redhat.com/show_bug.cgi?id=663230#c5
https://bugzilla.redhat.com/show_bug.cgi?id=663230#c6

(In reply to comment #5)
> I guess it's relevant to note the default apache configuration provided with
> the mantis package includes the following.
> 
> 
> # Admin directory access is disabled by default; do not change this unless
> # you are performing the first installation or a database schema update.
> # See README.Fedora for more details

Based on the above comments, the severity of the issues has been decreased
to moderate. But we should still address them (to sanitize /
also protect the less likely configurations).

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/15

------------------------------------------------------------------------
On 2011-02-21T23:23:55+00:00 Gianluca wrote:

This was fixed in 1.1.8-5

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/23


** Changed in: mantis (Fedora)
       Status: Unknown => Fix Released

** Changed in: mantis (Fedora)
   Importance: Unknown => Medium

https://bugs.launchpad.net/bugs/690482

Title:
  MantisBT <1.2.4 multiple vulnerabilities (LFI, XSS and PD)