Bug 735514 (CVE-2011-3356, CVE-2011-3357, CVE-2011-3358, CVE-2011-3578)
| Summary: | CVE-2011-3356 CVE-2011-3357 CVE-2011-3358 CVE-2011-3578 mantis: multiple flaws fixed in 1.2.8 | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | giallu, guillaume, rpm, sven |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | mantis 1.2.8 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-03-15 04:17:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 731854, 800667 | | |
| Bug Blocks: | | | |
Description
Vincent Danen
2011-09-02 21:06:29 UTC
Created mantis tracking bugs for this issue:

Affects: fedora-all [bug 731854]
Affects: epel-5 [bug 731855]

Version 1.2.8 has been released: http://www.mantisbt.org/blog/?p=146

Also upgrading the severity based on the author's following comments:

> I don't think my earlier message conveyed the severity of this bug well enough. MantisBT allows users to upload attachments to bug reports. These attachments are commonly stored on the disk in an 'attachments' directory that should be stored outside the web root (but are still accessible to MantisBT for retrieval). This LFI vulnerability therefore allows arbitrary remote code execution on a target server (as the web user ID). This level of access could be used to connect to the MantisBT database and access files and configuration of other web applications operating under the same uid/gid as the MantisBT installation. For example, this LFI vulnerability may allow an attacker to call:
>
> require_once('../var/www/example.com/data/mantisbt/attachments/123456-malicious_attachment.php')
>
> Note that as per the earlier notice, some users (such as those using nginx) may not be impacted at all.

Starting the update process. However, I need to note the impact of the flaw is not as severe for those using the default settings, that is, storing attachments in the database.

CVE assignments for flaws fixed in 1.2.8 are as follows:

- CVE-2011-3356: XSS injection via PHP_SELF [1],[2]
- CVE-2011-3357: LFI and XSS via bug_actiongroup_ext_page.php [3]
- CVE-2011-3358: XSS issues with unescaped os, os_build and platform parameters on bug_report_page.php and bug_update_advanced_page.php [3]

[1] https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
[2] http://www.mantisbt.org/bugs/view.php?id=13191
[3] http://www.mantisbt.org/bugs/view.php?id=13281

Another CVE assignment was made:

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3578 to the following vulnerability:

Name: CVE-2011-3578
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3578
Assigned: 20110921
Reference: http://www.securityfocus.com/archive/1/archive/1/519547/100/0/threaded
Reference: http://lists.debian.org/debian-security-tracker/2011/09/msg00012.html
Reference: http://www.openwall.com/lists/oss-security/2011/09/04/1
Reference: http://www.openwall.com/lists/oss-security/2011/09/04/2
Reference: http://www.openwall.com/lists/oss-security/2011/09/09/9
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297
Reference: http://www.mantisbt.org/bugs/view.php?id=13281
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=735514
Reference: https://github.com/mantisbt/mantisbt/commit/5b93161f3ece2f73410c296fed8522f6475d273d
Reference: https://github.com/mantisbt/mantisbt/commit/6ede60d3db9e202044f135001589cce941ff6f0f
Reference: http://www.debian.org/security/2011/dsa-2308
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2011-September/066061.html
Reference: http://www.securityfocus.com/bid/49448
Reference: http://secunia.com/advisories/45961

Cross-site scripting (XSS) vulnerability in bug_actiongroup_ext_page.php in MantisBT before 1.2.8 allows remote attackers to inject arbitrary web script or HTML via the action parameter, related to bug_actiongroup_page.php, a different vulnerability than CVE-2011-3357.

Currently supported Fedora versions have 1.2.8, which includes the fix. EPEL5's 1.1.8 may yet be affected by (or a subset of) these issues. EPEL5 hasn't been touched since Dec 2010, and the package is technically orphaned. As a result I'm closing this bug as this issue is fixed in Fedora. The EPEL5 tracking bug #800667 will remain open until either mantis is dropped from EPEL or it is fixed.
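As an added example (not MantisBT code and not the upstream fix referenced above), the two defensive patterns that close the flaw classes in this report: an allowlisted action dispatch in place of an include path built from the `action` parameter (the CVE-2011-3357 LFI), and an escaped form action in place of raw `PHP_SELF` (CVE-2011-3356). The handler directory, handler names and the `$_GET['action']` parameter are assumptions.

```php
<?php
// Added example, not MantisBT's own code. Hypothetical layout: bulk-action
// handlers live in a fixed directory and the caller selects one by name.
const ACTION_DIR = __DIR__ . '/core/actions';

// Allowlist of handler names the application actually ships. Anything else
// is rejected before it can ever be turned into a filesystem path, so an
// uploaded attachment's path can never reach require_once.
const ALLOWED_ACTIONS = ['close', 'assign', 'update_status'];

function resolve_action_file(string $action): string
{
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        throw new InvalidArgumentException('unknown bulk action');
    }
    $base = realpath(ACTION_DIR);
    $path = realpath(ACTION_DIR . '/' . $action . '.php');
    // Defence in depth: even an allowlisted name must resolve to a file
    // inside the handler directory (realpath() collapses ../ and symlinks).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('action handler missing or outside ' . ACTION_DIR);
    }
    return $path;
}

// Hardened dispatch. The vulnerable shape this replaces is an include whose
// path is concatenated directly from the request parameter.
function dispatch_action(): void
{
    $action = (string) ($_GET['action'] ?? '');
    require_once resolve_action_file($action);
}

// Form target: PHP_SELF echoes client-supplied PATH_INFO into the page,
// which is the CVE-2011-3356 XSS vector. SCRIPT_NAME carries only the
// script path, and the value is still escaped for the attribute context.
function safe_form_action(): string
{
    $script = $_SERVER['SCRIPT_NAME'] ?? '';
    return htmlspecialchars($script, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage in a template: <form action="<?= safe_form_action() ?>" method="post">
```

The allowlist is the control that matters; the `realpath()` check only guards against a misconfigured handler directory, and `htmlspecialchars()` is required wherever `SCRIPT_NAME` or any request-derived value lands in HTML.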