Hi.

On Saturday 04 September 2010 at 16:31 -0400, Michael Gilbert wrote:
> On Sat, 04 Sep 2010 20:53:33 +0200 sils wrote:
>
> > version 595510 1.2.x
> > forwarded 595510 http://www.mantisbt.org/bugs/view.php?id=12312
> > thanks
>
> According to that bug report the issue is actually in nusoap. I see
> that mantis already depends on that. If you are completely sure that
> mantis doesn't use its embedded version, we should reassign the bug.
>
Repeating myself from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595510#26 in case you missed it:

The description of CVE-2010-2574:

"Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in MantisBT 1.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the name parameter in an Add Category action."

mentions things I doubt are related to nusoap and the Mantis SOAP interface.

I've already removed the forwarded property for #595510 as a consequence. Other links may need adjusting too (security tracker?).

I think this is a completely distinct XSS issue in pure Mantis code, but I couldn't find more details so far in the upstream tracker (at mantisbt.org).

Hope this helps.

Best regards,

--
Olivier BERGER <olivier.ber...@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
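Added illustration, not code from MantisBT, from nusoap or from this thread: a hypothetical Python stand-in for the "Add Category" handler the CVE description names, showing the vulnerable pattern the description implies (the `name` parameter echoed back into HTML unescaped) next to its hardened form, plus a parser-based check that tells the two apart. The handler and function names, the HTML fragment and the payload string are all assumptions made for the example; the thread does not contain MantisBT's code or the actual payload, and nothing here proves or disproves where the real bug lives.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed test input, NOT the payload from the MantisBT report (the
# thread does not give one). It stands for what an admin-controlled `name`
# parameter on an "Add Category" form could carry.
CATEGORY_NAME_PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_category_unsafe(name: str) -> str:
    """Vulnerable pattern (hypothetical): the submitted name is echoed
    into an attribute untouched, so a quote + '>' breaks out of it."""
    return f'<input type="text" name="name" value="{name}">'


def render_category_safe(name: str) -> str:
    """Hardened pattern: escape at output time. quote=True also encodes
    the double quote, which matters inside an attribute value."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


def handle_add_category(query_string: str, *, escaped: bool) -> str:
    """Hypothetical stand-in for an Add Category handler: read `name` from
    the request and render it back into the page."""
    params = parse_qs(query_string, keep_blank_values=True)
    name = params.get('name', [''])[0]
    render = render_category_safe if escaped else render_category_unsafe
    return render(name)


class _TagCollector(HTMLParser):
    """Record every element an HTML parser actually opens."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(fragment: str) -> list:
    """Return the tags a browser would instantiate beyond the intended
    <input>. Parsing (rather than substring-matching on '<script') avoids
    false positives when the text is correctly escaped."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return [t for t in parser.tags if t != 'input']


def build_request(name: str) -> str:
    """Encode a form submission the way a browser would."""
    return urlencode({'name': name})


if __name__ == '__main__':
    qs = build_request(CATEGORY_NAME_PAYLOAD)
    print('unsafe:', injected_tags(handle_add_category(qs, escaped=False)))
    print('safe:  ', injected_tags(handle_add_category(qs, escaped=True)))
```

The fix lives at the output point, not at the input point: the same stored category name may be rendered in several pages, and each rendering needs escaping for its context. In PHP the equivalent of `html.escape(name, quote=True)` is `htmlspecialchars($name, ENT_QUOTES)`.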