Thijs Kinkhorst
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
On Thu, October 27, 2005 11:26, Moritz Muehlenhoff wrote:
> I assume you've prepared packages of 0.19.3?
> This would address the SQL injection issue and the other XSS in
> view_all_set as well, which are both not yet in the BTS.

Yes, I have.

Thijs
Martin Schulze
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Moritz Muehlenhoff wrote:
> Thijs Kinkhorst wrote:
> > > Another security problem has been found in mantis. Insufficient
> > > input sanitising of the t_core_path parameter may be exploited to perform
> > > arbitrary file inclusion. Please see
> > > http://secunia.com/secunia_research/2005-46/advisory/ for details.
> >
> > Hello Moritz,
> >
> > Thank you for your report. I've prepared an NMU for all the recent
> > security problems in Mantis which is now awaiting review by my sponsor.
>
> I assume you've prepared packages of 0.19.3?
> This would address the SQL injection issue and the other XSS in view_all_set
> as well, which are both not yet in the BTS.
>
> The latest issues have been assigned CVE-2005-333[6789], BTW.

Do you have an idea which of them affect woody/sarge?

Regards,

	Joey

-- 
A mathematician is a machine for converting coffee into theorems.   Paul Erdős

Please always Cc to me when replying to me on the lists.
Thijs Kinkhorst
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
On Thu, October 27, 2005 14:56, Martin Schulze wrote:
>> I assume you've prepared packages of 0.19.3?
>> This would address the SQL injection issue and the other XSS in
>> view_all_set as well, which are both not yet in the BTS.
>>
>> The latest issues have been assigned CVE-2005-333[6789], BTW.
>>
>
> Do you have an idea which of them affect woody/sarge?

I do about sarge: all of them affect sarge, don't know about woody. I will
be preparing an upload for sarge soon, and investigate into woody. Can't
promise anything about woody though since the version is very different
from the current sarge/sid versions. But I will keep you all posted.

Thijs
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Martin Schulze wrote:
> > Thijs Kinkhorst wrote:
> > > > Another security problem has been found in mantis. Insufficient
> > > > input sanitising of the t_core_path parameter may be exploited to perform
> > > > arbitrary file inclusion. Please see
> > > > http://secunia.com/secunia_research/2005-46/advisory/ for details.
> > >
> > > Hello Moritz,
> > >
> > > Thank you for your report. I've prepared an NMU for all the recent
> > > security problems in Mantis which is now awaiting review by my sponsor.
> >
> > I assume you've prepared packages of 0.19.3?
> > This would address the SQL injection issue and the other XSS in view_all_set
> > as well, which are both not yet in the BTS.
> >
> > The latest issues have been assigned CVE-2005-333[6789], BTW.
>
> Do you have an idea which of them affect woody/sarge?

All affect Sarge. 0.19.2 -> 0.19.3 only contains the security fixes plus
a minor non-security bug fix, so it should be rather easy to extract the
patches. I've attached a white-space-cleaned interdiff. More could be
stripped, but I'm not entirely sure which code is related to
"[bugtracker] System warning in login_page.php when no new installation
(vboctor)" (this is the only non-security change listed, but I'm not
sure which one it is)

Woody seems unaffected, but 3337 should be double-checked in a real-life
environment.

CVE-2005-3339: (mantis bug 6097)
The vulnerable code is not present.

CVE-2005-3338: (mantis bug 5247)
The vulnerable code isn't present, either.

CVE-2005-3337: (mantis bugs 5959, 5751)
Access to the bug description of 5959 is restricted, but view_all_set.php
is not present in Woody's version, so it shouldn't be vulnerable.
The XSS from 5751 can only be triggered through code from
bug_actiongroup_page.php, which is not present in Woody, but might have
an equivalent in 0.17. I couldn't find it with grep, but it should again
be tested in a production mantis environment, as the bug contains a demo
page with the XSS.
CVE-2005-3336: (mantis bug 6275)
This one is denied as well, but judging from the interdiff the injection
would take place in lost_pwd.php and that code isn't present in 0.17

CVE-2005-3335: (mantis bug 6273)
Denied again, but with the information from the original Secunia advisory
I'm sure Woody isn't affected either, as the vulnerable functionality
isn't present in 0.17.

Cheers,
        Moritz

-------------- next part --------------
diff -Nawur mantis-0.19.2/bug_actiongroup_page.php mantis-0.19.3/bug_actiongroup_page.php --- mantis-0.19.2/bug_actiongroup_page.php 2004-11-22 14:36:50.000000000 +0100 +++ mantis-0.19.3/bug_actiongroup_page.php 2005-09-25 15:33:48.000000000 +0200 @@ -114,7 +114,7 @@ foreach( $f_bug_arr as $t_bug_id ) { $t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 ); $t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td> </tr>\n" - , get_status_color( bug_get_field( $t_bug_id, ''status'' ) ), string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, ''summary'' ) + , get_status_color( bug_get_field( $t_bug_id, ''status'' ) ), string_get_bug_view_link( $t_bug_id ), string_attribute( bug_get_field( $t_bug_id, ''summary'' ) ) ); echo ''<input type="hidden" name="bug_arr[]" value="'' . $t_bug_id . ''" />'' . "\n"; } diff -Nawur mantis-0.19.2/bug_sponsorship_list_view_inc.php mantis-0.19.3/bug_sponsorship_list_view_inc.php --- mantis-0.19.2/bug_sponsorship_list_view_inc.php 2004-07-21 14:38:36.000000000 +0200 +++ mantis-0.19.3/bug_sponsorship_list_view_inc.php 2005-09-22 12:53:56.000000000 +0200 
@@ -6,13 +6,15 @@ # See the files README and LICENSE for details # -------------------------------------------------------- - # $Id: bug_sponsorship_list_view_inc.php,v 1.10 2004/07/21 12:38:36 vboctor Exp $ + # $Id: bug_sponsorship_list_view_inc.php,v 1.10.8.1 2005/09/22 10:53:57 vboctor Exp $ # -------------------------------------------------------- ?> <?php # This include file prints out the list of users sponsoring the current # bug. $f_bug_id must be set to the bug id + $t_core_path = config_get( ''core_path'' ); + require_once( $t_core_path . ''sponsorship_api.php'' ); require_once( $t_core_path . ''collapse_api.php'' ); diff -Nawur mantis-0.19.2/core/authentication_api.php mantis-0.19.3/core/authentication_api.php --- mantis-0.19.2/core/authentication_api.php 2004-08-14 17:26:20.000000000 +0200 +++ mantis-0.19.3/core/authentication_api.php 2005-09-25 15:27:24.000000000 +0200 @@ -135,7 +135,7 @@ # -------------------- # Allows scripts to login using a login name or ( login name + password ) function auth_attempt_script_login( $p_username, $p_password = null ) { - global $g_script_login_cookie; + global $g_script_login_cookie, $g_cache_current_user_id; $t_user_id = user_get_id_by_name( $p_username ); @@ -161,6 +161,9 @@ # set the cookies $g_script_login_cookie = $t_user[''cookie_string'']; + # cache user id for future reference + $g_cache_current_user_id = $t_user_id; + return true; } 
@@ -341,19 +344,26 @@ # -------------------- # Return the current user login cookie string, - # if no user is logged in and anonymous login is enabled, returns cookie for anonymous user + # note that the cookie cached by a script login superceeds the cookie provided by + # the browser. This shouldn''t normally matter, except that the password verification uses + # this routine to bypass the normal authentication, and can get confused when a normal user + # logs in, then runs the verify script. the act of fetching config variables may get the wrong + # userid. # if no user is logged in and anonymous login is enabled, returns cookie for anonymous user # otherwise returns '''' (an empty string) function auth_get_current_user_cookie() { global $g_script_login_cookie; + # if logging in via a script, return that cookie + if ( $g_script_login_cookie !== null ) { + return $g_script_login_cookie; + } + + # fetch user cookie $t_cookie_name = config_get( ''string_cookie'' ); $t_cookie = gpc_get_cookie( $t_cookie_name, '''' ); # if cookie not found, and anonymous login enabled, use cookie of anonymous account. if ( is_blank( $t_cookie ) ) { - if ( $g_script_login_cookie !== null ) { - return $g_script_login_cookie; - } else { if ( ON == config_get( ''allow_anonymous_login'' ) ) { $query = sprintf(''SELECT id, cookie_string FROM %s WHERE username = "%s"'', config_get( ''mantis_user_table'' ), config_get( ''anonymous_account'' ) ); @@ -365,7 +375,6 @@ } } } - } return $t_cookie; } diff -Nawur mantis-0.19.2/core/current_user_api.php mantis-0.19.3/core/current_user_api.php --- mantis-0.19.2/core/current_user_api.php 2004-11-19 13:29:00.000000000 +0100 +++ mantis-0.19.3/core/current_user_api.php 2005-10-11 14:06:32.000000000 +0200 
@@ -78,7 +78,8 @@ # -------------------- # Return true if the currently user is the anonymous user function current_user_is_anonymous() { - return current_user_get_field( ''username'' ) == config_get( ''anonymous_account'' ); + $t_anonymous_account = config_get( ''anonymous_account'' ); + return ( !is_blank( $t_anonymous_account ) && ( current_user_get_field( ''username'' ) == $t_anonymous_account ) ); } # -------------------- # Trigger an ERROR if the current user account is protected diff -Nawur mantis-0.19.2/core/email_api.php mantis-0.19.3/core/email_api.php --- mantis-0.19.2/core/email_api.php 2004-10-05 23:10:14.000000000 +0200 +++ mantis-0.19.3/core/email_api.php 2005-09-25 15:50:28.000000000 +0200 
@@ -768,20 +768,28 @@ $p_recipients = array( $p_recipients ); } - $result = array(); - foreach ( $p_recipients as $t_recipient ) { - - lang_push( user_pref_get_language( $t_recipient, bug_get_field( $p_bug_id, ''project_id'' ) ) ); + $t_project_id = bug_get_field( $p_bug_id, ''project_id'' ); + $t_sender_id = auth_get_current_user_id(); + $t_sender = user_get_name( $t_sender_id ); $t_subject = email_build_subject( $p_bug_id ); - $t_sender = current_user_get_field( ''username'' ) . '' <'' . - current_user_get_field( ''email'' ) . ''>'' ; $t_date = date( config_get( ''normal_date_format'' ) ); - $t_header = "\n" . lang_get( ''on'' ) . " $t_date, $t_sender " . - lang_get( ''sent_you_this_reminder_about'' ) . ":\n\n"; + + $result = array(); + foreach ( $p_recipients as $t_recipient ) { + lang_push( user_pref_get_language( $t_recipient, $t_project_id ) ); $t_email = user_get_email( $t_recipient ); $result[] = user_get_name( $t_recipient ); + + if ( access_has_project_level( config_get( ''show_user_email_threshold'' ), $t_project_id, $t_recipient ) ) { + $t_sender_email .= '' <'' . current_user_get_field( ''email'' ) . ''>'' ; + } else { + $t_sender_email = ''''; + } + $t_header = "\n" . lang_get( ''on'' ) . " $t_date, $t_sender $t_sender_email " . + lang_get( ''sent_you_this_reminder_about'' ) . ": \n\n"; + $t_contents = $t_header . string_get_bug_view_url_with_fqdn( $p_bug_id, $t_recipient ) . "\n\n$p_message"; diff -Nawur mantis-0.19.2/core/filter_api.php mantis-0.19.3/core/filter_api.php --- mantis-0.19.2/core/filter_api.php 2004-11-19 14:06:30.000000000 +0100 +++ mantis-0.19.3/core/filter_api.php 2005-09-25 15:39:50.000000000 +0200 @@ -753,7 +753,7 @@ ?> <br /> - <form method="post" name="filters" action="<?php PRINT $t_action; ?>"> + <form method="post" name="filters" action="<?php PRINT htmlentities($t_action); ?>"> <input type="hidden" name="type" value="5" /> <?php if ( $p_for_screen == false ) { 
@@ -761,10 +761,10 @@ PRINT ''<input type="hidden" name="offset" value="0" />''; } ?> - <input type="hidden" name="sort" value="<?php PRINT $t_sort ?>" /> - <input type="hidden" name="dir" value="<?php PRINT $t_dir ?>" /> - <input type="hidden" name="page_number" value="<?php PRINT $p_page_number ?>" /> - <input type="hidden" name="view_type" value="<?php PRINT $t_view_type ?>" /> + <input type="hidden" name="sort" value="<?php PRINT htmlentities($t_sort) ?>" /> + <input type="hidden" name="dir" value="<?php PRINT htmlentities($t_dir) ?>" /> + <input type="hidden" name="page_number" value="<?php PRINT htmlentities($p_page_number) ?>" /> + <input type="hidden" name="view_type" value="<?php PRINT htmlentities($t_view_type) ?>" /> <table class="width100" cellspacing="1"> <?php diff -Nawur mantis-0.19.2/lost_pwd.php mantis-0.19.3/lost_pwd.php --- mantis-0.19.2/lost_pwd.php 2004-10-25 21:45:04.000000000 +0200 +++ mantis-0.19.3/lost_pwd.php 2005-09-22 13:11:34.000000000 +0200 @@ -27,9 +27,12 @@ $f_email = email_append_domain( $f_email ); email_ensure_valid( $f_email ); + $c_username = db_prepare_string( $f_username ); + $c_email = db_prepare_string( $f_email ); + $t_user_table = config_get( ''mantis_user_table'' ); - $query = ''SELECT id FROM '' . $t_user_table . '' WHERE username = \'''' . $f_username . ''\'' and email = \'''' . $f_email . ''\''''; + $query = ''SELECT id FROM '' . $t_user_table . '' WHERE username = \'''' . $c_username . ''\'' and email = \'''' . $c_email . ''\''''; $result = db_query( $query ); if ( 0 == db_num_rows( $result ) ) {
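Review bot: the bug_sponsorship_list_view_inc.php hunk is the CVE-2005-3335 fix itself: assigning `$t_core_path = config_get( 'core_path' );` inside the include file means a request-supplied t_core_path can no longer steer the following `require_once( $t_core_path . 'sponsorship_api.php' );`. Two things to ask for: a one-line comment stating that the assignment is deliberate, so a later cleanup does not drop it as redundant with the caller's value, and the same two lines in every other *_inc.php that builds a require path from $t_core_path, since the interdiff touches only this one file.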
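Review bot: in the bug_actiongroup_page.php hunk, wrapping the summary in `string_attribute()` closes the reported XSS, but `$t_bug_id`, iterated straight out of `$f_bug_arr`, is still concatenated unescaped into `echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '" />'` and handed to `string_get_bug_view_link()` on the same lines. Casting it (`(int) $t_bug_id`) at the top of the loop body, or passing it through the same string_attribute(), would leave no raw request value in that output.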
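Review bot: in the core/authentication_api.php hunk, auth_get_current_user_cookie() now returns `$g_script_login_cookie` before the browser cookie is even read, and nothing in the hunk ever resets that global, so once auth_attempt_script_login() has succeeded every later caller in the same request is treated as the script user; the new comment describes exactly this confusion, so the precedence deserves a test rather than only a comment. Also "superceeds" should read "supersedes".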
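Review bot: in the core/email_api.php hunk, `$t_sender_email .= ' <' . current_user_get_field( 'email' ) . '>';` appends to a variable that is never initialised before the foreach, so the first recipient passing the `show_user_email_threshold` check triggers a PHP notice and, when two consecutive recipients pass it, the second one's header carries the address twice. Use plain assignment (`$t_sender_email = ...`) in that branch, mirroring the `$t_sender_email = '';` in the else branch. While here, the name is taken from `user_get_name( $t_sender_id )` but the address still from `current_user_get_field( 'email' )`; `user_get_email( $t_sender_id )`, already used for the recipient a few lines up, would keep both on the same user.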
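Review bot: the core/filter_api.php hunks call `htmlentities()` without ENT_QUOTES; that is adequate here only because all four attributes are double-quoted, and `$p_page_number` is numeric and could simply be cast with (int). For consistency with the string_attribute() used in bug_actiongroup_page.php in the same patch, the same helper could be used for `$t_action`, `$t_sort`, `$t_dir` and `$t_view_type`, so there is one attribute-escaping convention to audit.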
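Review bot: the lost_pwd.php hunk still builds the query by string concatenation, so the whole fix rests on `db_prepare_string()` escaping every character the configured backend treats specially; please confirm it covers the quoting rules of each database Mantis supports. From this point on `$c_username` and `$c_email` should be the only form-derived values used in the file, and the untouched `$f_username`/`$f_email` must not reach another query lower down.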
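The triage Moritz describes above (checking which of the patched patterns exist in a given Mantis tree, as he did with grep for Woody) can be scripted. The following Python is an added example, not code from this thread, from Mantis or from Debian; it assumes the Mantis variable-prefix convention ($f_ raw form input, $c_ cleaned value, $t_ temporary) and a hypothetical list of free-text fields and escaping helpers (upstream's string_attribute() and Debian's htmlentities() are both accepted). The PHP fragments are constructed to mirror the hunks in the interdiff.

```python
"""Static triage for the three fix patterns in the 0.19.2 -> 0.19.3 interdiff.

Added example, not Mantis or Debian code.  Assumes the Mantis prefix
convention ($f_ = raw form input, $c_ = cleaned value, $t_ = temporary).
"""
import re

# Assumption: fields a reporter types freely, so they need escaping on output.
FREE_TEXT_FIELDS = ("summary", "description", "additional_information")
# Assumption: helpers accepted as an output-escaping fix (upstream used
# string_attribute(), the Debian patch used htmlentities()).
ESCAPERS = ("string_attribute", "string_display", "htmlentities", "htmlspecialchars")


def check_core_path(src):
    """Line numbers of require/include calls that use $t_core_path before the
    file has assigned it itself (the pattern fixed for CVE-2005-3335)."""
    findings, assigned = [], False
    for n, line in enumerate(src.splitlines(), 1):
        if re.search(r"\$t_core_path\s*=(?!=)", line):
            assigned = True
        if not assigned and re.search(r"(require|include)(_once)?\s*\(\s*\$t_core_path", line):
            findings.append(n)
    return findings


def check_sql_concat(src):
    """(line, [raw $f_ variables]) for SQL strings that concatenate form input
    not wrapped in db_prepare_string() (the lost_pwd.php pattern)."""
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        if not re.search(r"\$query\s*=|\b(SELECT|INSERT|UPDATE|DELETE)\b", line):
            continue
        stripped = re.sub(r"db_prepare_string\s*\(\s*\$f_\w+\s*\)", "", line)
        raw = sorted(set(re.findall(r"\$f_\w+", stripped)))
        if raw:
            findings.append((n, raw))
    return findings


def check_unescaped_output(src):
    """(line, field) for free-text bug fields emitted without an escaper
    wrapped directly around the bug_get_field() call."""
    escaper_re = re.compile(r"(%s)\s*\(\s*$" % "|".join(ESCAPERS))
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        for m in re.finditer(r"bug_get_field\(\s*\$\w+\s*,\s*'(\w+)'\s*\)", line):
            if m.group(1) in FREE_TEXT_FIELDS and not escaper_re.search(line[:m.start()]):
                findings.append((n, m.group(1)))
    return findings


def triage(src):
    """Run all three checks; an empty dict means nothing was flagged."""
    report = {"core_path": check_core_path(src), "sql": check_sql_concat(src),
              "xss": check_unescaped_output(src)}
    return {k: v for k, v in report.items() if v}


# Constructed PHP fragments shaped like the interdiff hunks (not Mantis source).
BEFORE_INCLUDE = """<?php
  # $t_core_path is whatever the caller (or the request) left in it
  require_once( $t_core_path . 'sponsorship_api.php' );
  require_once( $t_core_path . 'collapse_api.php' );
"""
AFTER_INCLUDE = BEFORE_INCLUDE.replace(
    "  # $t_core_path is whatever the caller (or the request) left in it",
    "  $t_core_path = config_get( 'core_path' );")
BEFORE_SQL = r"""<?php
  $t_user_table = config_get( 'mantis_user_table' );
  $query = 'SELECT id FROM ' . $t_user_table . ' WHERE username = \'' . $f_username . '\' and email = \'' . $f_email . '\'';
"""
AFTER_SQL = r"""<?php
  $c_username = db_prepare_string( $f_username );
  $c_email = db_prepare_string( $f_email );
  $t_user_table = config_get( 'mantis_user_table' );
  $query = 'SELECT id FROM ' . $t_user_table . ' WHERE username = \'' . $c_username . '\' and email = \'' . $c_email . '\'';
"""
BEFORE_ROW = r"""<?php
  foreach( $f_bug_arr as $t_bug_id ) {
    $t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td> </tr>\n"
      , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, 'summary' )
    );
  }
"""
AFTER_ROW = BEFORE_ROW.replace("bug_get_field( $t_bug_id, 'summary' )",
                               "string_attribute( bug_get_field( $t_bug_id, 'summary' ) )")

if __name__ == "__main__":
    for name, before, after in (("include", BEFORE_INCLUDE, AFTER_INCLUDE),
                                ("sql", BEFORE_SQL, AFTER_SQL),
                                ("row", BEFORE_ROW, AFTER_ROW)):
        print(name, "before:", triage(before), "after:", triage(after))
```

Running `triage()` over a whole tree (one call per `.php` file) gives the kind of per-version answer the thread is after: a file that still requires via an unassigned `$t_core_path`, a query that still concatenates a raw `$f_` value, or a free-text field printed without an escaper. The checks are line-based and deliberately conservative, so a clean report is a reason to look closer, not a proof of absence, which is the same caveat Moritz attaches to his grep.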
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Thijs Kinkhorst wrote:
> > Another security problem has been found in mantis. Insufficient
> > input sanitising of the t_core_path parameter may be exploited to perform
> > arbitrary file inclusion. Please see
> > http://secunia.com/secunia_research/2005-46/advisory/ for details.
>
> Hello Moritz,
>
> Thank you for your report. I've prepared an NMU for all the recent
> security problems in Mantis which is now awaiting review by my sponsor.

I assume you've prepared packages of 0.19.3?
This would address the SQL injection issue and the other XSS in view_all_set
as well, which are both not yet in the BTS.

The latest issues have been assigned CVE-2005-333[6789], BTW.

Cheers,
        Moritz
Thijs Kinkhorst
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
On Mon, October 31, 2005 16:07, Moritz Muehlenhoff wrote:
> The included patches look fine and correlate to what I extracted from the
> interdiff. But where's the fix for CVE-2005-3337 aka mantis bug 5959?
>
> The mantis bug is non-public, but according to the description it's
> a cross-site-scripting vulnerability in mantis/view_all_set.php
>
> They claim to have fixed it in 0.19.3 as well, but the interdiff doesn't
> show anything. So CVE-2005-3337 either doesn't apply to 0.19.x and the
> changelog was a mistake or the fix is missing in 0.19.3 or the fix is very
> non-obvious. But it should be checked back with upstream.

According to the changelog, this was already fixed in Debian package
0.19.2-3 uploaded in September. Since this was uploaded by the security
team, can we assume that this was double-checked to be fixed...?

Thijs
Thijs Kinkhorst
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
On Mon, 2005-10-31 at 17:22 +0100, Moritz Muehlenhoff wrote:
> It's hard to tell, whether it's the same issue as #5959 is non-public, but at
> least there are two different CVE mappings. (CVE-2005-2557 and CVE-2005-3337).
> But it might very well be that the CVE description is wrong, as all these mantis
> issues are really confusing.

> So #5959 probably refers to this hunk from the interdiff from the latest mantis
> DSA. (I'm not 100% sure as #6002 is non-public as well and I don't know the
> mantis code in detail):
>
> --- mantis-0.19.2.orig/bug_actiongroup_page.php > +++ mantis-0.19.2/bug_actiongroup_page.php > @@ -114,7 +114,7 @@ > foreach( $f_bug_arr as $t_bug_id ) { > $t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 ); > $t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td> </tr>\n" > - , get_status_color( bug_get_field( $t_bug_id, ''status'' ) ), string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, ''summary'' ) > + , get_status_color( bug_get_field( $t_bug_id, ''status'' ) ), string_get_bug_view_link( $t_bug_id ), htmlentities(bug_get_field( $t_bug_id, ''summary'' )) > ); > echo ''<input type="hidden" name="bug_arr[]" value="'' . $t_bug_id . ''" />'' . "\n"; > }
>
> This would mean that they didn't pull over this security fix into 0.19.3 and in fact it
> is unfixed in sid's 0.19.3 package as well.

This actually _is_ fixed in sid, but upstream fixed it differently from the
previous Debian fix: instead of htmlentities() they used string_attribute()
there which essentially does a htmlspecialchars().

> The other XSS issues from the DSA are fixed in the sid version.

> This hunk from the mantis DSA (#5956 and again non-public, CVE-2005-2556) is also unfixed
> in sid (or has an alternate fix been applied?)
>
> diff -u mantis-0.19.2/core/database_api.php mantis-0.19.2/core/database_api.php > --- mantis-0.19.2/core/database_api.php > +++ mantis-0.19.2/core/database_api.php > @@ -6,9 +6,16 @@ > > + # > + # Patch for #0005956: Database system scanner via variable poisoning > + # > + > + if (isset($_REQUEST["g_db_type"])) > + die(""); > + > ### Database ###

I don't know why you think this patch is not applied in sid, since this
code is exactly in the sid version, including that comment with the bug
number.

Concluding, I think current sid covers all of the previous DSA.

regards,
Thijs
Martin Schulze
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Thijs Kinkhorst wrote:
> On Thu, 2005-10-27 at 15:49 +0200, Moritz Muehlenhoff wrote:
> > All affect Sarge.
>
> I've prepared updated packages for sarge. My updated package for sid is
> still pending with my sponsor Luk Claes. The updated packages for sarge
> are available here:
> http://www.a-eskwadraat.nl/~kink/mantis_sec/
>
> They are not signed since I'm not a DD yet.
> Please let me know if you have comments or questions.

Sorry for the delay.  I've finally got to it and will release an advisory
soon.  Thijs and Moritz, great work!

Package        : mantis
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2005-3091 CVE-2005-3335 CVE-2005-3336 CVE-2005-3338 CVE-2005-3339
CERT advisory  : 
BugTraq ID     : 
Debian Bugs    : 330682 335938

Several security related problems have been discovered in Mantis, a
web-based bug tracking system.  The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2005-3091

    A cross-site scripting vulnerability allows attackers to inject
    arbitrary web script or HTML.

CVE-2005-3335

    A file inclusion vulnerability allows remote attackers to execute
    arbitrary PHP code and include arbitrary local files.

CVE-2005-3336

    An SQL injection vulnerability allows remote attackers to execute
    arbitrary SQL commands.

CVE-2005-3338

    Mantis can be tricked into displaying the otherwise hidden real mail
    address of its users.

Regards,

	Joey

-- 
Life is a lot easier when you have someone to share it with.  -- Sean Perry

Please always Cc to me when replying to me on the lists.
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Thijs Kinkhorst wrote:
> On Mon, October 31, 2005 16:07, Moritz Muehlenhoff wrote:
> > The included patches look fine and correlate to what I extracted from the
> > interdiff. But where's the fix for CVE-2005-3337 aka mantis bug 5959?
> >
> > The mantis bug is non-public, but according to the description it's
> > a cross-site-scripting vulnerability in mantis/view_all_set.php
> >
> > They claim to have fixed it in 0.19.3 as well, but the interdiff doesn't
> > show anything. So CVE-2005-3337 either doesn't apply to 0.19.x and the
> > changelog was a mistake or the fix is missing in 0.19.3 or the fix is very
> > non-obvious. But it should be checked back with upstream.
>
> According to the changelog, this was already fixed in Debian package
> 0.19.2-3 uploaded in September. Since this was uploaded by the security
> team, can we assume that this was double-checked to be fixed...?

It's hard to tell, whether it's the same issue as #5959 is non-public, but at
least there are two different CVE mappings. (CVE-2005-2557 and CVE-2005-3337).
But it might very well be that the CVE description is wrong, as all these mantis
issues are really confusing.

So #5959 probably refers to this hunk from the interdiff from the latest mantis
DSA. (I'm not 100% sure as #6002 is non-public as well and I don't know the
mantis code in detail):

--- mantis-0.19.2.orig/bug_actiongroup_page.php +++ mantis-0.19.2/bug_actiongroup_page.php
@@ -114,7 +114,7 @@ foreach( $f_bug_arr as $t_bug_id ) { $t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 ); $t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td> </tr>\n" - , get_status_color( bug_get_field( $t_bug_id, ''status'' ) ), string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, ''summary'' ) + , get_status_color( bug_get_field( $t_bug_id, ''status'' ) ), string_get_bug_view_link( $t_bug_id ), htmlentities(bug_get_field( $t_bug_id, ''summary'' )) ); echo ''<input type="hidden" name="bug_arr[]" value="'' . $t_bug_id . ''" />'' . "\n"; }

This would mean that they didn't pull over this security fix into 0.19.3 and in fact it
is unfixed in sid's 0.19.3 package as well.

The other XSS issues from the DSA are fixed in the sid version.

This hunk from the mantis DSA (#5956 and again non-public, CVE-2005-2556) is also unfixed
in sid (or has an alternate fix been applied?)

diff -u mantis-0.19.2/core/database_api.php mantis-0.19.2/core/database_api.php --- mantis-0.19.2/core/database_api.php +++ mantis-0.19.2/core/database_api.php @@ -6,9 +6,16 @@ + # + # Patch for #0005956: Database system scanner via variable poisoning + # + + if (isset($_REQUEST["g_db_type"])) + die(""); + ### Database ###

Cheers,
        Moritz
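Review bot: in the core/database_api.php hunk from the DSA, the guard `if (isset($_REQUEST["g_db_type"])) die("");` refuses exactly one variable name, so it stops the poisoning described in #0005956 but leaves every other $g_ configuration global that the request could seed the same way unprotected, and `die("")` gives the operator nothing to diagnose when it fires. The structural fix is to initialise the configuration globals unconditionally before any code reads them (or to stop the application from importing request variables into globals at all); at minimum the comment should say what condition the check is defending against and what the user sees when it triggers.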
Thijs Kinkhorst
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Hello All,

On Thu, 2005-10-27 at 15:49 +0200, Moritz Muehlenhoff wrote:
> All affect Sarge.

I've prepared updated packages for sarge. My updated package for sid is
still pending with my sponsor Luk Claes. The updated packages for sarge
are available here:
http://www.a-eskwadraat.nl/~kink/mantis_sec/

They are not signed since I'm not a DD yet.
Please let me know if you have comments or questions.

Regarding woody:

> Woody seems unaffected, but 3337 should be double-checked in a real-life
> environment.

> which is not present in Woody, but might have an equivalent in 0.17. I couldn't
> find it with grep, but it should again be tested in a production mantis environment,
> as the bug contains a demo page with the XSS.

I've tried, but I can't even get the woody version to run on woody... Any
login or account-creation step yields errors. Hence, I can't test them,
but agree with Moritz' assertions that woody is most probably not
vulnerable.

regards
Thijs Kinkhorst
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability
Thijs Kinkhorst wrote:
> > All affect Sarge.
>
> I've prepared updated packages for sarge. My updated package for sid is
> still pending with my sponsor Luk Claes. The updated packages for sarge
> are available here:
> http://www.a-eskwadraat.nl/~kink/mantis_sec/
>
> They are not signed since I'm not a DD yet.
> Please let me know if you have comments or questions.

The included patches look fine and correlate to what I extracted from the
interdiff. But where's the fix for CVE-2005-3337 aka mantis bug 5959?

The mantis bug is non-public, but according to the description it's
a cross-site-scripting vulnerability in mantis/view_all_set.php

They claim to have fixed it in 0.19.3 as well, but the interdiff doesn't
show anything. So CVE-2005-3337 either doesn't apply to 0.19.x and the
changelog was a mistake or the fix is missing in 0.19.3 or the fix is very
non-obvious. But it should be checked back with upstream.

Cheers,
        Moritz