tags 669930 +patch
thanks

Hi,

Attached you'll find a possible patch for CVE-2012-1123.

Description: Fix for CVE-2012-1123: SOAP API null password authentication bypass
Bug-Mantis: http://www.mantisbt.org/bugs/view.php?id=13901
Bug-Debian: http://bugs.debian.org/669930
Origin: https://github.com/mantisbt/mantisbt/commit/f5106be52cf6aa72c521f388e4abb5f0de1f1d7f
Last-Update: 2012-04-21

Note: Needs some testing!

Regards,

-- 
Dario Minnucci <mid...@debian.org>
Phone: +34 902884117 | Fax: +34 902024417 | Support: +34 807450000
Key fingerprint = BAA1 7AAF B21D 6567 D457 D67D A82F BB83 F3D5 7033
Description: Fix for CVE-2012-1123: SOAP API null password authentication bypass Bug-Mantis: http://www.mantisbt.org/bugs/view.php?id=13901 Bug-Debian: http://bugs.debian.org/669930 Origin: https://github.com/mantisbt/mantisbt/commit/f5106be52cf6aa72c521f388e4abb5f0de1f1d7f Last-Update: 2012-04-21 Index: mantis/api/soap/mc_api.php =================================================================== --- mantis.orig/api/soap/mc_api.php 2012-04-21 22:30:38.716554517 +0200 +++ mantis/api/soap/mc_api.php 2012-04-21 22:47:43.953413955 +0200 @@ -57,6 +57,11 @@ # do not use password validation. $p_password = null; + } else { + if( is_blank( $p_password ) ) { + # require password for authenticated access + return false; + } } if ( false === auth_attempt_script_login( $p_username, $p_password ) ) { @@ -466,4 +471,4 @@ return $t_stack; } - ?> \ No newline at end of file + ?>
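Review bot: in the first hunk (@@ -57,6 +57,11 @@) the new `is_blank( $p_password )` guard only runs in the `else` branch, while the condition that selects the first branch (the one that sets `$p_password = null;` under "# do not use password validation") lies outside the hunk; the backport should confirm that branch is reachable only for the anonymous-access case, otherwise a null password still bypasses the new check. The bare `return false` should also be checked against the function's failure convention, since the visible context tests `false === auth_attempt_script_login(...)` rather than a sentinel of its own. Given the "Needs some testing!" note, a regression run of the SOAP login path with a null, an empty and a whitespace-only password would close the review.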
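Review bot: the second hunk (@@ -466,4 +471,4 @@) only adds a trailing newline after the closing `?>` (the "\ No newline at end of file" marker on the old side) and is unrelated to the CVE fix; drop it to keep the security backport minimal and easy to audit, or state in the Description that it is a whitespace-only change.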