[arch-security] [ASA-201502-3] mantisbt: multiple issues
anthraxx at archlinux.org
Fri Feb 6 11:05:08 UTC 2015
Arch Linux Security Advisory ASA-201502-3
Date : 2015-02-06
CVE-ID : CVE-2014-9571 CVE-2014-9572 CVE-2014-9573 CVE-2014-9624
Package : mantisbt
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package mantisbt before version 1.2.19-1 is vulnerable to multiple
issues including cross-site scripting, database credential disclosure,
SQL injection, CAPTCHA bypass and URL redirection.
Upgrade to 1.2.19-1.
# pacman -Syu "mantisbt>=1.2.19-1"
The problems have been fixed upstream in version 1.2.19.
- CVE-2014-9571 (cross-site scripting)
Cross-site scripting (XSS) vulnerability in admin/install.php allows
remote attackers to inject arbitrary web script or HTML via the (1)
admin_username or (2) admin_password parameter.
- CVE-2014-9572 (information disclosure)
It was discovered that mantisbt does not properly restrict access to
/*/install.php, which allows remote attackers to obtain database
credentials via the install parameter with the value 4.
- CVE-2014-9573 (SQL injection)
SQL injection vulnerability in manage_user_page.php allows remote
administrators with FILE privileges to execute arbitrary SQL commands
via the MANTIS_MANAGE_USERS_COOKIE cookie.
- CVE-2014-9624 (CAPTCHA bypass)
An attacker can get an unlimited number of CAPTCHA "samples" with
different perturbations for the same challenge, which makes the whole
CAPTCHA utterly useless and very easy to bypass.
- CVE-2015-1042 (URL redirection)
A bug in the URL sanitization routine allows an attacker to craft a URL
that can redirect outside of the MantisBT instance's domain.
This is related to CVE-2014-6316, and the same API function is
affected by the same vulnerability, but the root cause is different.
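The redirect issue above comes down to deciding whether a user-supplied target stays on the instance's own origin. The following is an added example, not MantisBT's own sanitization routine, showing one conservative way to make that decision: resolve the target against the instance's base URL, then require the scheme, host, port and path prefix to match after dot-segment normalisation. The base URL, the function names and the fallback page are assumptions.

```python
import posixpath
from urllib.parse import urljoin, urlsplit

# Hypothetical instance base URL (assumption; substitute the real installation URL).
BASE_URL = "https://tracker.example.org/mantis/"
DEFAULT_PAGE = "my_view_page.php"  # fallback target when the requested one is refused


def _within(path: str, base_dir: str) -> bool:
    """True if a normalised path is the base directory itself or lies beneath it."""
    if base_dir == "/":
        return True
    return path == base_dir or path.startswith(base_dir + "/")


def is_safe_redirect(target: str, base_url: str = BASE_URL) -> bool:
    """Accept `target` only if it resolves to a URL on the instance's own origin and path.

    Steps:
      1. refuse empty targets and any control character or whitespace, which some
         browsers strip before parsing and which therefore hides the real scheme;
      2. treat backslashes as slashes, as browsers do ("/\\evil" is "//evil");
      3. resolve the target against the base so plain relative paths keep working;
      4. require http(s), the same host and port, and a path under the base path
         after dot-segment normalisation ("/mantis/../admin" must not pass).
    """
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F or c.isspace() for c in target):
        return False
    candidate = target.replace("\\", "/")
    base = urlsplit(base_url)
    resolved = urlsplit(urljoin(base_url, candidate))
    if resolved.scheme not in ("http", "https"):
        return False
    if not resolved.hostname or resolved.hostname != base.hostname:
        return False
    try:
        if resolved.port != base.port:
            return False
    except ValueError:  # non-numeric port such as "https://host:abc/"
        return False
    base_dir = posixpath.normpath(base.path or "/")
    path = posixpath.normpath(resolved.path or "/")
    return _within(path, base_dir)


def safe_redirect_target(target: str, default: str = DEFAULT_PAGE) -> str:
    """Return `target` if it is safe, otherwise the instance's default page."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample targets: the first two are legitimate, the rest are refused.
    for t in ["view.php?id=7", "/mantis/my_view_page.php", "//evil.example/",
              "https://tracker.example.org@evil.example/", "/mantis/../admin/"]:
        print(f"{t!r:45} -> {is_safe_redirect(t)}")
```

Scoping to the base path as well as the host is stricter than the advisory's wording requires; it is a deliberate choice so that a redirect cannot land on another application sharing the same virtual host. Relaxing it means dropping the `_within` check, not the host and port comparison.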
A remote attacker is able to perform cross-site scripting, obtain
database credentials, execute arbitrary SQL commands (when holding
administrator privileges), bypass CAPTCHAs or craft a URL that redirects
to any domain.
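The CAPTCHA weakness listed above (CVE-2014-9624) is that one challenge can be rendered again and again, each time with fresh noise, so the answer stays fixed while only the perturbation varies. The following is an added example, not MantisBT's own CAPTCHA code, of the usual mitigation: bind each challenge to a token, render its image exactly once, and consume the challenge on the first verification attempt, right or wrong. The store, its method names, the alphabet and the stand-in renderer are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Characters that are hard to confuse in a rendered image (assumption, not MantisBT's set).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def render_image(answer: str, seed: bytes) -> bytes:
    """Stand-in for the real image renderer (assumption: the output is not a PNG).

    A real renderer would derive noise, rotation and distortion from `seed`; here
    the seed simply makes every rendering of the same answer come out different,
    which is the property that becomes a problem once renders are unlimited.
    """
    return hashlib.sha256(seed + answer.encode("ascii")).digest()


@dataclass
class Challenge:
    answer: str
    expires_at: float
    rendered: bool = False


class CaptchaStore:
    """Server-side challenge state: one image per challenge, one verification per challenge."""

    def __init__(self, ttl_seconds: int = 300, clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._challenges: Dict[str, Challenge] = {}

    def new_challenge(self, length: int = 6) -> str:
        """Create a fresh answer and return the opaque token the form will carry."""
        token = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._challenges[token] = Challenge(answer, self._clock() + self._ttl)
        return token

    def render(self, token: str) -> Optional[bytes]:
        """Return the image for `token` exactly once; later requests get None.

        A client that wants a new picture must fetch a new token, which also means a
        new answer, so no two images ever share the same underlying text.
        """
        ch = self._challenges.get(token)
        if ch is None or self._clock() > ch.expires_at:
            self._challenges.pop(token, None)  # expired entries are dropped on touch
            return None
        if ch.rendered:
            return None
        ch.rendered = True
        return render_image(ch.answer, secrets.token_bytes(16))

    def verify(self, token: str, response: str) -> bool:
        """Check a response; the challenge is consumed whether the answer is right or wrong."""
        ch = self._challenges.pop(token, None)
        if ch is None or not ch.rendered or self._clock() > ch.expires_at:
            return False
        return hmac.compare_digest(ch.answer.lower().encode("utf-8"),
                                   response.strip().lower().encode("utf-8"))


if __name__ == "__main__":
    store = CaptchaStore()
    tok = store.new_challenge()
    print("first render returned image:", store.render(tok) is not None)
    print("second render refused:", store.render(tok) is None)
```

The token is the only thing the browser holds, so a refresh button on the form has to request a new challenge rather than re-fetch the image URL. Verification pops the entry before comparing, which also closes the door on guessing the same challenge repeatedly; the timing-safe comparison is cheap and avoids a second, unrelated weakness.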