Bug 663230 (CVE-2010-4348, CVE-2010-4349, CVE-2010-4350) - CVE-2010-4348 CVE-2010-4349 CVE-2010-4350 MantisBT <1.2.4 multiple vulnerabilities (LFI, XSS and PD)
Summary: CVE-2010-4348 CVE-2010-4349 CVE-2010-4350 MantisBT <1.2.4 multiple vulnerabil...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4348, CVE-2010-4349, CVE-2010-4350
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: All
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.mantisbt.org/bugs/view.php...
Whiteboard:
Depends On: 663299
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-15 03:19 UTC by David Hicks
Modified: 2019-09-29 12:41 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-21 23:23:55 UTC
Embargoed:


Attachments (Terms of Use)

Description David Hicks 2010-12-15 03:19:40 UTC
The MantisBT project was notified by Gjoko Krstic of Zero Science Lab
(gjoko) of multiple vulnerabilities affecting MantisBT
<1.2.4.

The two following advisories have been released explaining the
vulnerabilities in greater detail:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php

As one of these vulnerabilities allows the reading of arbitrary files
from the file system we are treating this issue with critical severity.
Please note that this issue only affects users who have not removed the
"admin" directory from their MantisBT installation. We recommend,
instruct and warn users to remove this directory after installation
however it is clear that many users ignore these warnings.

I have requested CVE numbers via oss-sec (awaiting list moderation).

As Redhat is using MantisBT 1.1.x you will need to apply the following
patch to resolve the issue in this older version of MantisBT:
http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

We have also released MantisBT 1.2.4 which resolves the issue for users
of our stable 1.2.x branch.

The bug report tracking this issue upstream at MantisBT:
http://www.mantisbt.org/bugs/view.php?id=12607

If there are any questions or concerns please feel free to contact me.

Comment 1 Jan Lieskovsky 2010-12-15 10:20:31 UTC
(In reply to comment #0)
Hi David,

  thank you for such a complete report.

> 
> I have requested CVE numbers via oss-sec (awaiting list moderation).

  Looks like the CVE identifiers request did not made it to oss-security
yet.

To Gianluca: We will update this bug with CVE identifiers later, once
they are assigned to the issues. Could you please schedule Fedora MantisBT
updates with the patch below? (Fedora bug will follow shortly)

> 
> As Redhat is using MantisBT 1.1.x you will need to apply the following
> patch to resolve the issue in this older version of MantisBT:
> http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 2 Jan Lieskovsky 2010-12-15 10:23:55 UTC
These issues affect the versions of the mantis package, as shipped
with Fedora release of 13 and 14.

These issues affect the version of the mantis package, as present
within EPEL-5 repository.

Please schedule an update (patch is above).

Comment 4 Jan Lieskovsky 2010-12-15 10:30:51 UTC
Created mantis tracking bugs for this issue

Affects: fedora-all [bug 663299]

Comment 5 Gianluca Sforna 2010-12-15 10:37:54 UTC
I guess it's relevant to note the default apache configuration provided with the mantis package includes the following.


# Admin directory access is disabled by default; do not change this unless
# you are performing the first installation or a database schema update.
# See README.Fedora for more details
<Directory /usr/share/mantis/admin>
	Order   Deny,Allow
	Deny    from All
	Allow   from None
</Directory>

Comment 6 David Hicks 2010-12-15 10:53:56 UTC
Thanks Jan & Gianluca.

Debian (and by extension Ubuntu) use the same Apache configuration to help protect the /admin/ directory. As a result they have decided that the severity of the bug is not as high as first anticipated by upstream.

I guess it comes down to whether a typical user of this package will keep the /admin/ directory permissions in a locked down state.

This issue is more of a concern for Gentoo (and MantisBT users using the upstream package) where the /admin/ directory permissions are not in place.

Comment 7 David Hicks 2010-12-16 14:11:13 UTC
From Josh Bressers (oss-sec mailing list):

CVE-2010-4348: Cross site scripting
CVE-2010-4349: Path disclosure
CVE-2010-4350: Local file inclusion

Comment 8 Jan Lieskovsky 2010-12-16 14:38:52 UTC
Gianluca, David, thank you for the comments:
https://bugzilla.redhat.com/show_bug.cgi?id=663230#c5
https://bugzilla.redhat.com/show_bug.cgi?id=663230#c6

(In reply to comment #5)
> I guess it's relevant to note the default apache configuration provided with
> the mantis package includes the following.
> 
> 
> # Admin directory access is disabled by default; do not change this unless
> # you are performing the first installation or a database schema update.
> # See README.Fedora for more details

Based on the above comments decreased severity of the issues
to moderate. But we should still address them (to sanitize /
protect also not so likely configurations).

Comment 9 Gianluca Sforna 2011-02-21 23:23:55 UTC
This was fixed in 1.1.8-5


Note You need to log in before you can comment on or make changes to this bug.