Re: CVE requests: <mantisbt-1.2.8 multiple vulnerabilities (1xLFI+XSS, 2xXSS)

[Henri Salo <henri () nerv fi>]

On Thu, Sep 08, 2011 at 02:26:34PM +0200, Nico Golde wrote:
> Hi,
> * David Hicks <d () hx id au> [2011-09-04 16:11]:
> > On Sun, 2011-09-04 at 15:18 +1000, David Hicks wrote:
> > > Request #2: LFI and XSS via bug_actiongroup_ext_page.php
> >
> > I don't think my earlier message conveyed the severity of this bug well
> > enough.
> >
> > MantisBT allows users to upload attachments to bug reports. These
> > attachments are commonly stored on the disk in an 'attachments'
> > directory that should be stored outside the web root (but are still
> > accessible to MantisBT for retrieval).
> [...]
> In case this slipped through the cracks... Can someone assign ids to these 
> issues?
>
> Kind regards
> Nico
> -- 
> Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0xA0A0AAAA
> For security reasons, all text in this mail is double-rot13 encrypted.

Related information about this issue:

http://lists.debian.org/debian-security-tracker/2011/09/msg00012.html
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html

Best regards,
Henri Salo