
List:       oss-security
Subject:    [oss-security] Re: SQL injection vulnerability in MantisBT SOAP API
From:       Damien Regad <dregad () mantisbt ! org>
Date:       2014-10-30 21:44:32
Message-ID: m2ubg1$6og$1 () ger ! gmane ! org

On 30.10.2014 22:07, P Richards wrote:
> CVE-2014-8554 is already assigned to this issue...

Sorry for the confusion here - Paul and I were actually both working on
the same issue simultaneously and without knowing it, and we both came
up with a patch and a CVE request...

So please disregard my earlier request, and let's use CVE-2014-8554
moving forward.

That said, it would be useful indeed if someone could update
CVE-2014-8554 with the data below, as this will become the "official"
reference for the issue and the fix.

> -----Original Message-----
> From: dregad@gmail.com [mailto:dregad@gmail.com] On Behalf Of Damien Regad
> Sent: 30 October 2014 20:55
> To: oss-security@lists.openwall.com
> Subject: [oss-security] SQL injection vulnerability in MantisBT SOAP API
> 
> Description:
> 
> Several SQL injection vulnerabilities were identified in CVE-2014-1609, and
> subsequently fixed in MantisBT release 1.2.16 [1].
> However, it was recently discovered that the patch did not fully address the
> original problem in the SOAP API. Research demonstrates that using a specially
> crafted 'project id' parameter when calling mc_project_get_attachments(), an
> attacker could still perform an SQL injection.
> 
> Affected versions:
> MantisBT >= 1.1.0a4, <= 1.2.17
> 
> Fixed in versions:
> 1.2.18 (not yet released)
> 
> Credit:
> Issue was discovered by
> - Edwin Gozeling and Wim Visser from ITsec Security Services BV
> (http://www.itsec.nl)
> - Paul Richards (former MantisBT developer)
> 
> References:
> - further details, including patch available in our issue tracker [2] (
> 
> Please assign a CVE ID for this issue, which is a follow-up on
> CVE-2014-1609 (the released fix of which was incomplete).
> 
> [1] http://www.mantisbt.org/bugs/view.php?id=16880
> [2] http://www.mantisbt.org/bugs/view.php?id=17812
> 
> 

