[Secure-testing-team] Bug#780875: mantis: MantisBT <1.2.19 multiple vulnerabilities (Access control bypass/XSS/SQL injection/etc)
Michael Taenzer
neo+debian at nhng.de
Fri Mar 20 20:12:26 UTC 2015
Package: mantis
Version: 1.2.18-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Dear Maintainer,
There is an upstream security update that fixes the following security issues:
* CVE-2014-9571: XSS in install.php
* CVE-2014-9572: Improper Access Control in install.php
* CVE-2014-9573: SQL Injection in manage_user_page.php
* CVE-2014-9624: CAPTCHA bypass
* CVE-2014-9701: XSS vulnerability in permalink_page.php
* CVE-2015-1042: URL redirection issue
Also it fixes some regressions introduced in 1.2.18:
* #17993 prevents new users from signing up on systems using CAPTCHA.
* #17967 which causes a PHP error when reporting issues on systems with checkbox custom fields.
Especially the former is really annoying if the only choice is keeping people from signing up or having a lot of spammer accounts.
Changelog is here:
http://mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.19
Thanks for taking care of this issue,
Michael
-- System Information:
Debian Release: 7.8
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages mantis depends on:
ii apache2 2.2.22-13+deb7u4
ii apache2-mpm-prefork [httpd] 2.2.22-13+deb7u4
ii apache2-utils 2.2.22-13+deb7u4
ii debconf [debconf-2.0] 1.5.49
ii libapache2-mod-php5 5.4.38-0+deb7u1
ii libjs-prototype 1.7.0-2
ii libjs-scriptaculous 1.9.0-2
ii libnusoap-php 0.7.3-5
ii libphp-adodb 5.15-1
ii libphp-phpmailer 5.1-1
ii php5-cli 5.4.38-0+deb7u1
ii ucf 3.0025+nmu3
Versions of packages mantis recommends:
ii mysql-client 5.5.41-0+wheezy1
ii mysql-client-5.5 [mysql-client] 5.5.41-0+wheezy1
ii php5-mysql 5.4.38-0+deb7u1
Versions of packages mantis suggests:
ii mysql-server 5.5.41-0+wheezy1
ii php5-cli 5.4.38-0+deb7u1
-- debconf information excluded