ports/129438: [vuxml] database/mantis: document vulnerabilities in 1.1.3 and 1.1.2
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Fri Dec 5 19:30:05 UTC 2008
>Number: 129438
>Category: ports
>Synopsis: [vuxml] database/mantis: document vulnerabilities in 1.1.3 and 1.1.2
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Dec 05 19:30:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
Mantis < 1.1.3 has two vulnerabilities:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4688
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4689
Mantis < 1.1.4 has remote PHP code execution for the authenticated users:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4687
>How-To-Repeat:
See references above and
http://www.mantisbt.org/bugs/changelog_page.php?version_id=99
http://www.mantisbt.org/bugs/changelog_page.php?version_id=97
Original PR, ports/128938, talks about these, but VuXML entries
were not created and submitted.
>Fix:
The following VuXML entries should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="3ae82551-c2e3-11dd-a16b-001fc66e7203">
<topic>mantis -- arbitrary PHP code execution by authenticated users</topic>
<affects>
<package>
<name>mantis</name>
<range><lt>1.1.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An entry for CVE-2008-4687 says:</p>
<blockquote
cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4687">
<p>manage_proj_page.php in Mantis before 1.1.4 allows remote
authenticated users to execute arbitrary code via a sort
parameter containing PHP sequences, which are processed by
create_function within the multi_sort function in
core/utility_api.php.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-4687</cvename>
<url>http://www.mantisbt.org/bugs/view.php?id=0009704</url>
<url>http://www.milw0rm.com/exploits/6768</url>
<url>http://secunia.com/advisories/32314</url>
</references>
<dates>
<discovery>17-10-2008</discovery>
<entry>TODAY</entry>
</dates>
</vuln>
--- vuln.xml ends here ---
--- vuln.xml begins here ---
<vuln vid="c7ded430-c2dd-11dd-a16b-001fc66e7203">
<topic>mantis -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mantis</name>
<range><lt>1.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Entry for CVE-2008-4688 says:</p>
<blockquote
cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4688">
<p>core/string_api.php in Mantis before 1.1.3 does not check
the privileges of the viewer before composing a link with
issue data in the source anchor, which allows remote attackers
to discover an issue's title and status via a request with a
modified issue number.</p>
</blockquote>
<p>Entry for CVE-2008-4689 says:</p>
<blockquote
cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4688">
<p>Mantis before 1.1.3 does not unset the session cookie
during logout, which makes it easier for remote attackers
to hijack sessions.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.mantisbt.org/bugs/changelog_page.php?version_id=97</url>
<cvename>CVE-2008-4688</cvename>
<url>http://www.mantisbt.org/bugs/view.php?id=9321</url>
<cvename>CVE-2008-4689</cvename>
<url>http://www.mantisbt.org/bugs/view.php?id=9664</url>
<url>http://xforce.iss.net/xforce/xfdb/46084</url>
</references>
<dates>
<discovery>22-11-2008</discovery>
<entry>TODAY</entry>
</dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list