Hi.

On Wed, Dec 15, 2010 at 02:07:43PM +1100, David Hicks wrote:
>
> The MantisBT project was notified by Gjoko Krstic of Zero Science Lab
> (gj...@zeroscience.mk) of multiple vulnerabilities affecting MantisBT
> <1.2.4.
>
> The two following advisories have been released explaining the
> vulnerabilities in greater detail:
>
> http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
> http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php
>
> As one of these vulnerabilities allows the reading of arbitrary files
> from the file system we are treating this issue with critical severity.
> Please note that this issue only affects users who have not removed the
> "admin" directory from their MantisBT installation. We recommend,
> instruct and warn users to remove this directory after installation
> however it is clear that many users ignore these warnings.
>
> I have requested CVE numbers via oss-sec (awaiting list moderation).
>
> As Debian is using MantisBT 1.1.x you will need to apply the following
> patch to resolve the issue in this older version of MantisBT:
> http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590
>
AFAICT, Debian installations may not be vulnerable as the admin/ dir is
protected in principle by the Apache configuration of the package:

    # The Administrative directory should not be publicly accessible,
    # since the tools herein allow for access to the database without
    # authentications.
    <Directory /usr/share/mantis/www/admin>
        order deny,allow
        deny from all
    </Directory>

Still, removing it completely may be safer. Of course, applying a patch
wouldn't hurt.

Maybe the security/severity should be downgraded? I'll let the maintainer
or other Debian security team complement the analysis.

Best regards,
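A defender's check for the configuration quoted above, added here as an example that is not part of this thread or of the Debian package: a small shell lint that reports whether a given Apache config actually denies the MantisBT admin/ directory. The file paths and the two sample configs it writes are constructed for the demonstration.

```shell
# Added example (not from the thread): lint an Apache config for the
# <Directory .../admin> deny block the reply quotes. Sample paths/config
# below are constructed, not the Debian package's own files.
# admin_dir_denied CONF DIR: exit 0 if the <Directory DIR> block denies all
# access (2.2 "deny from all" / 2.4 "Require all denied") and no later
# allow/granted line in that block reopens it; exit 1 otherwise.
admin_dir_denied() {
    awk -v dir="$2" '
        BEGIN { inblock = 0; denied = 0 }
        { line = tolower($0); sub(/^[ \t]+/, "", line) }   # normalised copy
        line ~ /^<directory[ \t]/ {
            path = $0                                       # keep original case
            sub(/^[ \t]*<[Dd]irectory[ \t]+/, "", path)
            sub(/>.*$/, "", path); gsub(/"/, "", path)
            inblock = (path == dir); next
        }
        line ~ /^<\/directory>/ { inblock = 0; next }
        !inblock || line ~ /^#/ { next }                    # outside block or comment
        line ~ /^deny[ \t]+from[ \t]+all/      { denied = 1 }
        line ~ /^require[ \t]+all[ \t]+denied/ { denied = 1 }
        line ~ /^allow[ \t]+from/              { denied = 0 }
        line ~ /^require[ \t]+all[ \t]+granted/ { denied = 0 }
        END { exit (denied ? 0 : 1) }
    ' "$1"
}

# write_conf FILE [denied]: constructed config in the shape of the package's
# Apache snippet; "denied" appends the admin/ block quoted in the reply.
write_conf() {
    cat > "$1" <<'EOF'
Alias /mantis /usr/share/mantis/www
<Directory /usr/share/mantis/www>
    Options FollowSymLinks
</Directory>
EOF
    [ "$2" = denied ] && cat >> "$1" <<'EOF'
<Directory /usr/share/mantis/www/admin>
    order deny,allow
    deny from all
</Directory>
EOF
    return 0
}
t=$(mktemp)
write_conf "$t" denied
admin_dir_denied "$t" /usr/share/mantis/www/admin && echo "admin/ denied"
write_conf "$t"
admin_dir_denied "$t" /usr/share/mantis/www/admin || echo "admin/ reachable"
rm -f "$t"
```

Run it against the real vhost or conf.d snippet instead of the constructed file to confirm the deny block survived any local edits; a missing or reopened block means admin/ should be removed as the advisory recommends.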