[arch-security] [ASA-201502-3] mantisbt: multiple issues

Levente Polyak anthraxx at archlinux.org
Fri Feb 6 11:05:08 UTC 2015


Arch Linux Security Advisory ASA-201502-3
=========================================

Severity: High
Date    : 2015-02-06
CVE-ID  : CVE-2014-9571 CVE-2014-9572 CVE-2014-9573 CVE-2014-9624
          CVE-2015-1042
Package : mantisbt
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package mantisbt before version 1.2.19-1 is vulnerable to multiple
issues including cross-site scripting, database credential disclosure,
SQL injection, captcha bypass and URL redirection.

Resolution
==========

Upgrade to 1.2.19-1.

# pacman -Syu "mantisbt>=1.2.19-1"

The problems have been fixed upstream in version 1.2.19.
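To check whether an installed package still falls below the fixed version, the following is an added example (not part of this advisory or of pacman): it parses a `pacman -Q mantisbt` line and applies a simplified form of pacman's vercmp ordering (pkgver segments, then pkgrel; epochs are not handled).

```python
"""Affected-version check for ASA-201502-3 (added example, not advisory code)."""
import re

FIXED_VERSION = "1.2.19-1"  # fixed package version stated in the advisory


def _segments(ver):
    # Split "1.2.19rc1" into ["1", "2", "19", "rc", "1"]
    return re.findall(r"\d+|[A-Za-z]+", ver)


def _cmp_pkgver(a, b):
    """Simplified vercmp: -1 if a is older than b, 0 if equal, 1 if newer."""
    sa_list, sb_list = _segments(a), _segments(b)
    for sa, sb in zip(sa_list, sb_list):
        if sa == sb:
            continue
        na, nb = sa.isdigit(), sb.isdigit()
        if na and nb:  # numeric segments compare as integers
            return (int(sa) > int(sb)) - (int(sa) < int(sb))
        if na != nb:   # a numeric segment sorts after an alphabetic one
            return 1 if na else -1
        return (sa > sb) - (sa < sb)  # both alphabetic: lexical order
    if len(sa_list) == len(sb_list):
        return 0
    # The longer string is newer if its extra part starts numerically
    # ("1.2.20" > "1.2"), older if it starts alphabetically ("1.0rc1" < "1.0").
    a_longer = len(sa_list) > len(sb_list)
    rest = sa_list[len(sb_list):] if a_longer else sb_list[len(sa_list):]
    sign = 1 if a_longer else -1
    return sign if rest[0].isdigit() else -sign


def compare_versions(a, b):
    """Compare full 'pkgver-pkgrel' strings; returns -1, 0 or 1."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    c = _cmp_pkgver(va, vb)
    if c != 0 or not (ra and rb):
        return c
    return _cmp_pkgver(ra, rb)


def is_affected(pacman_q_line):
    """True if a 'pacman -Q mantisbt' line (e.g. 'mantisbt 1.2.18-2') is below the fix."""
    name, version = pacman_q_line.split()
    if name != "mantisbt":
        raise ValueError("expected a mantisbt package line")
    return compare_versions(version, FIXED_VERSION) < 0
```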

Workaround
==========

None.

Description
===========

- CVE-2014-9571 (cross-site scripting)
Cross-site scripting (XSS) vulnerability in admin/install.php allows
remote attackers to inject arbitrary web script or HTML via the (1)
admin_username or (2) admin_password parameter.

- CVE-2014-9572 (information disclosure)
It was discovered that mantisbt does not properly restrict access to
/*/install.php, which allows remote attackers to obtain database
credentials via the install parameter with the value 4.

- CVE-2014-9573 (sql injection)
SQL injection vulnerability in manage_user_page.php allows remote
administrators with FILE privileges to execute arbitrary SQL commands
via the MANTIS_MANAGE_USERS_COOKIE cookie.

- CVE-2014-9624 (captcha bypass)
An attacker can get an unlimited amount of CAPTCHA "samples" with
different perturbations for the same challenge, which makes the whole
captcha utterly useless and very easy to bypass.

- CVE-2015-1042 (url redirection)
A bug in the URL sanitization routine allows an attacker to craft a URL
that can redirect outside of the MantisBT instance's domain.
This is related to CVE-2014-6316 [1], and the same API function is
affected by the same vulnerability, but the root cause is different.

Impact
======

A remote attacker is able to perform cross-site scripting, obtain
database credentials, execute arbitrary SQL commands when having
administrator privileges, bypass captchas or craft a URL that redirects
to any domain.

References
==========

https://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.19
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9571
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9572
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9573
https://access.redhat.com/security/cve/CVE-2014-9624
https://access.redhat.com/security/cve/CVE-2015-1042
