Bug 633011

Summary: Mantis: Vulnerable to CVE-2010-3070 (XSS in php-nusoap) due to use of embedded copy of nusoap library
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: d, giallu, sven
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-10-01 20:15:18 UTC
Bug Depends On: 629585, 634341

Description Jan Lieskovsky 2010-09-12 13:17:05 UTC
An XSS flaw has been reported against NuSOAP (original report against Mantis)
[1] http://www.mantisbt.org/bugs/view.php?id=12312

Report against NuSOAP:
[2] http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

David Hicks of the Mantis community provided a temporary fix:
[3] http://git.mantisbt.org/?p=mantisbt.git;a=commit;h=edb817991b99cd5538f102be26865fde7c6b7212

until the issue is addressed on the NuSOAP side. The versions of the php-nusoap
packages, as shipped with Fedora releases 12 and 13, have already been
updated:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=629585
[5] https://bugzilla.redhat.com/show_bug.cgi?id=629585#c2
[6] https://bugzilla.redhat.com/show_bug.cgi?id=629585#c3

But the versions of Mantis, as shipped with Fedora releases 12 and 13,
are still prone to this issue (because it uses its own embedded copy of the NuSOAP
library and not the system one).

Please fix this issue by making Mantis use the system php-NuSOAP library
instead of its own embedded copy.
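
The following is an added example, not part of the bug report and not Mantis or Fedora code: a packaging-audit check for the situation described above, which walks an application tree and reports every private copy of nusoap.php that a system php-nusoap update would not reach. The directory layout and file contents in demo() are constructed for illustration; real install paths are not given in this report.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_bundled_copies(app_root, system_copy, filename="nusoap.php"):
    """Classify every file named `filename` under app_root against the system copy.

    links-to-system: symlink to the packaged library (updated with the package)
    same-as-system:  private copy, byte-identical today, will drift on the next update
    differs:         private copy with different bytes; needs its own review and fix
    """
    system_real = os.path.realpath(system_copy)
    system_hash = sha256_of(system_real)
    findings = []
    for dirpath, _dirs, files in os.walk(app_root):
        for name in files:
            if name.lower() != filename:
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.realpath(path) == system_real:
                    status = "links-to-system"
                elif sha256_of(path) == system_hash:
                    status = "same-as-system"
                else:
                    status = "differs"
            except OSError:
                status = "unreadable"  # e.g. dangling symlink
            findings.append((path, status))
    return sorted(findings)

def demo():
    """Constructed tree: one system library and an app with three copies."""
    with tempfile.TemporaryDirectory() as tmp:
        system_copy = os.path.join(tmp, "system", "nusoap.php")
        app = os.path.join(tmp, "app")
        samples = {system_copy: b"<?php /* constructed: updated library */",
                   os.path.join(app, "lib", "nusoap.php"): b"<?php /* constructed: old copy */",
                   os.path.join(app, "api", "nusoap.php"): b"<?php /* constructed: updated library */"}
        for path, data in samples.items():
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        os.makedirs(os.path.join(app, "ext"))
        os.symlink(system_copy, os.path.join(app, "ext", "nusoap.php"))
        return [(os.path.relpath(p, app), s) for p, s in find_bundled_copies(app, system_copy)]

if __name__ == "__main__":
    print(demo())
```

Only entries reported as links-to-system follow the system package; every other hit is a copy the distribution has to track and patch separately.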

Comment 1 David Hicks 2010-09-15 00:35:43 UTC
MantisBT 1.2.3 has been released to fix this XSS vulnerability in the bundled version of NuSOAP (and another few minor XSS issues).

http://sourceforge.net/mailarchive/message.php?msg_name=4C8FC573.3060900%40leetcode.net

http://sourceforge.net/projects/mantisbt/files/

Comment 2 Vincent Danen 2010-09-15 20:17:47 UTC
Created mantis tracking bugs for this issue

Affects: fedora-all [bug 634341]

Comment 3 Gianluca Sforna 2010-10-01 20:15:18 UTC
The update was pushed lately (1.1.8-4); looks like something did not work with auto-closing and commenting.