Bug 735514 (CVE-2011-3356, CVE-2011-3357, CVE-2011-3358, CVE-2011-3578) - CVE-2011-3356 CVE-2011-3357 CVE-2011-3358 CVE-2011-3578 mantis: multiple flaws fixed in 1.2.8
Summary: CVE-2011-3356 CVE-2011-3357 CVE-2011-3358 CVE-2011-3578 mantis: multiple flaw...
Alias: CVE-2011-3356, CVE-2011-3357, CVE-2011-3358, CVE-2011-3578
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 731854 800667
TreeView+ depends on / blocked
Reported: 2011-09-02 21:06 UTC by Vincent Danen
Modified: 2019-09-29 12:47 UTC (History)
4 users (show)

Fixed In Version: mantis 1.2.8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-03-15 04:17:51 UTC

Attachments (Terms of Use)

Description Vincent Danen 2011-09-02 21:06:29 UTC
A local file inclusion/path traversal vulnerability and XSS flaw was found in the Mantis bug tracker version 1.2.7 [1],[2].

[1] https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
[2] https://github.com/mantisbt/mantisbt/commit/a7eacc181185eff1dd7bd8ceaa34a91cf86cc298

Comment 1 Vincent Danen 2011-09-02 21:07:49 UTC
Created mantis tracking bugs for this issue

Affects: fedora-all [bug 731854]
Affects: epel-5 [bug 731855]

Comment 2 Vincent Danen 2011-09-06 22:28:49 UTC
Version 1.2.8 has been released:


Also upgrading the severity based on the author's following comments:

I don't think my earlier message conveyed the severity of this bug well

MantisBT allows users to upload attachments to bug reports. These
attachments are commonly stored on the disk in an 'attachments'
directory that should be stored outside the web root (but are still
accessible to MantisBT for retrieval).

This LFI vulnerbility therefore allows arbitrary remote code execution
on a target server (as the web user ID). This level of access could be
used to connect to the MantisBT database and access files and
configuration of other web applications operating under the same uid/gid
as the MantisBT installation.

For example, this LFI vulnerability may allow an attacker to call:

Note that as per the earlier notice, some users (such as those using
nginx) may not be impacted at all.

Comment 3 Gianluca Sforna 2011-09-07 08:45:28 UTC
Starting the update process.

However, I need to note the impact of the flaw is not as severe for those using the default settings, that is, storing attachments in the database.

Comment 4 Vincent Danen 2011-09-09 23:22:15 UTC
CVE assignments for flaws fixed in 1.2.8 are as follows:

CVE-2011-3356: XSS injection via PHP_SELF [1],[2]
CVE-2011-3357: LFI and XSS via bug_actiongroup_ext_page.php [3]
CVE-2011-3358: XSS issues with unescaped os, os_build and platform parameters on bug_report_page.php and bug_update_advanced_page.php [3]

[1] https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
[2] http://www.mantisbt.org/bugs/view.php?id=13191
[3] http://www.mantisbt.org/bugs/view.php?id=13281

Comment 5 Vincent Danen 2011-09-21 19:28:24 UTC
Another CVE assignment was made:

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3578 to
the following vulnerability:

Name: CVE-2011-3578
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3578
Assigned: 20110921
Reference: http://www.securityfocus.com/archive/1/archive/1/519547/100/0/threaded
Reference: http://lists.debian.org/debian-security-tracker/2011/09/msg00012.html
Reference: http://www.openwall.com/lists/oss-security/2011/09/04/1
Reference: http://www.openwall.com/lists/oss-security/2011/09/04/2
Reference: http://www.openwall.com/lists/oss-security/2011/09/09/9
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297
Reference: http://www.mantisbt.org/bugs/view.php?id=13281
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=735514
Reference: https://github.com/mantisbt/mantisbt/commit/5b93161f3ece2f73410c296fed8522f6475d273d
Reference: https://github.com/mantisbt/mantisbt/commit/6ede60d3db9e202044f135001589cce941ff6f0f
Reference: http://www.debian.org/security/2011/dsa-2308
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2011-September/066061.html
Reference: http://www.securityfocus.com/bid/49448
Reference: http://secunia.com/advisories/45961

Cross-site scripting (XSS) vulnerability in
bug_actiongroup_ext_page.php in MantisBT before 1.2.8 allows remote
attackers to inject arbitrary web script or HTML via the action
parameter, related to bug_actiongroup_page.php, a different
vulnerability than CVE-2011-3357.

Comment 6 Vincent Danen 2012-08-10 19:00:52 UTC
Currently supported Fedora versions have 1.2.8, which include the fix.  EPEL5's 1.1.8 may yet be affected by (or a subset of) these issues.

Comment 7 Vincent Danen 2013-03-15 04:17:51 UTC
EPEL5 hasn't been touched since Dec 2010, and the package is technically orphaned.  As a result I'm closing this bug as this issue is fixed in Fedora.  The EPEL5 tracking bug #800667 will remain open until either mantis is dropped from EPEL or it is fixed.

Note You need to log in before you can comment on or make changes to this bug.