FS#42683 - [mantisbt] CVE-2014-8554: SQL injection vulnerability

Attached to Project: Community Packages
Opened by Levente Polyak (anthraxx) - Tuesday, 04 November 2014, 22:02 GMT
Last edited by Maxime Gauduin (Alucryd) - Wednesday, 05 November 2014, 15:36 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Maxime Gauduin (Alucryd)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Summary:
It has been reported [0] that mantisbt 1.2.17 is vulnerable to a SQL injection vulnerability tracked as CVE-2014-8554 [1].

Description:
When the project_id parameter of the SOAP-request starts with the integer of a project to which the user (or anonymous) is authorised, the ENTIRE value will become the first item of $t_projects. As this value is concatenated in the SQL statement, SQL-injection becomes possible.

Mitigation:
The problem has been fixed upstream [2] but no release is available yet.
Vendor will release a new version in the following days, but as this issue is critical and the patch [2] is very simple, it's highly recommended to apply the patch [2] as long as no release is available.

[0] http://seclists.org/oss-sec/2014/q4/478
[1] https://access.redhat.com/security/cve/CVE-2014-8554
[2] https://github.com/mantisbt/mantisbt/commit/99ffb0af
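
The failure pattern in the description above, as an added PHP example that is not MantisBT source and not part of the original report. It assumes the access check coerces the parameter to an integer while the raw string is carried forward. The function names, table name and sample inputs are hypothetical, and the hardened variant is one possible approach, not necessarily what the upstream patch [2] does.

```php
<?php
// Added illustration; NOT MantisBT code. All names below are hypothetical.

// Constructed access list: project ids the caller is authorised for.
const ACCESSIBLE_PROJECTS = [1, 3];

// Vulnerable pattern: the access check looks only at the leading integer,
// but the raw string is what is stored and concatenated into the SQL.
function build_query_vulnerable(string $projectId): string
{
    if (!in_array((int)$projectId, ACCESSIBLE_PROJECTS, true)) {
        throw new RuntimeException('access denied');
    }
    $projects = [$projectId];   // the ENTIRE value is kept, not the integer
    return 'SELECT id, filename FROM project_file WHERE project_id IN ('
        . implode(',', $projects) . ')';
}

// Hardened pattern: accept only a well-formed integer and carry the
// validated int forward, so no caller-supplied text reaches the statement.
// Bound parameters in the database layer are a further safeguard.
function build_query_hardened(string $projectId): string
{
    $id = filter_var($projectId, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    if ($id === false || !in_array($id, ACCESSIBLE_PROJECTS, true)) {
        throw new RuntimeException('invalid or unauthorised project_id');
    }
    $projects = [$id];
    return 'SELECT id, filename FROM project_file WHERE project_id IN ('
        . implode(',', $projects) . ')';
}

// Constructed inputs: a well-formed id, and one that starts with an
// authorised id followed by non-numeric text.
foreach (['1', '1 trailing-text-reaches-the-sql'] as $input) {
    echo 'input: ', var_export($input, true), "\n";
    echo '  vulnerable: ', build_query_vulnerable($input), "\n";
    try {
        echo '  hardened:   ', build_query_hardened($input), "\n";
    } catch (RuntimeException $e) {
        echo '  hardened:   rejected (', $e->getMessage(), ")\n";
    }
}
```

For the second input the vulnerable builder emits the trailing text inside the `IN (...)` clause, while the hardened builder rejects the value before any SQL is assembled.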

Closed by Maxime Gauduin (Alucryd)
Wednesday, 05 November 2014, 15:36 GMT
Reason for closing: Fixed
Additional comments about closing: 1.2.17-3
Comment by Maxime Gauduin (Alucryd) - Wednesday, 05 November 2014, 15:35 GMT
Agreed, package updated, thx for reporting.