This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 633011 - Mantis: Vulnerable to CVE-2010-3070 (XSS in php-nusoap) due use of embedded copy of nusoap library
Mantis: Vulnerable to CVE-2010-3070 (XSS in php-nusoap) due use of embedded c...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
public=20100831,reported=20100903,sou...
: Security
Depends On: CVE-2010-3070 634341
Blocks:
  Show dependency treegraph
 
Reported: 2010-09-12 09:17 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:43 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-01 16:15:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2010-09-12 09:17:05 EDT
An XSS flaw has been reported against NuSOAP (original report against Mantis)
[1] http://www.mantisbt.org/bugs/view.php?id=12312

Report against NuSOAP:
[2] http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

David Hicks of Mantis community provided a temporary fix:
[3] http://git.mantisbt.org/?p=mantisbt.git;a=commit;h=edb817991b99cd5538f102be26865fde7c6b7212

till the issue is addressed on NuSOAP side. The versions of php-nusoap
packages, as shipped with Fedora release of 12 and 13 has been already
updated:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=629585
[5] https://bugzilla.redhat.com/show_bug.cgi?id=629585#c2
[6] https://bugzilla.redhat.com/show_bug.cgi?id=629585#c3

But the versions of Mantis, as shipped with Fedora release of 12 and 13
are still prone to this issue (because it uses own embedded copy of the NuSOAP
library and not the system one).

Please fix this issue by making Mantis to use the system php-NuSOAP library,
instead of his embbeded own copy.
Comment 1 David Hicks 2010-09-14 20:35:43 EDT
MantisBT 1.2.3 has been released to fix this XSS vulnerabilitiy in the bundled version of NuSOAP (and another few minor XSS issues).

http://sourceforge.net/mailarchive/message.php?msg_name=4C8FC573.3060900%40leetcode.net

http://sourceforge.net/projects/mantisbt/files/
Comment 2 Vincent Danen 2010-09-15 16:17:47 EDT
Created mantis tracking bugs for this issue

Affects: fedora-all [bug 634341]
Comment 3 Gianluca Sforna 2010-10-01 16:15:18 EDT
The update was pushed lately (1.1.8-4), looks like something did not work with auto-closing and commenting.

Note You need to log in before you can comment on or make changes to this bug.