oss-sec mailing list archives
RE: Re: CVE request: XSS in MantisBT
From: "P Richards" <paul () mantisforge org>
Date: Fri, 13 Feb 2015 22:41:47 -0000
According to github https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02cef41bf40 - the fix referenced for CVE-2014-8986 has never been tagged to a 1.2.x release. I've not yet done an announcement for this fix as it's not gone into a release. It's listed as the fix @ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8986, however, that changeset has never been tagged against 1.2.

Paul

-----Original Message-----
From: Damien Regad [mailto:dregad () mantisbt org]
Sent: 13 February 2015 21:53
To: oss-security () lists openwall com
Subject: [oss-security] Re: CVE request: XSS in MantisBT

On 2015-02-10 01:41, P Richards wrote:
> This issue looks fairly like the issue previously identified in
> adm_config_report.php in May 2014, as an XSS. See
> https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02cef41bf40
>
> I'm still waiting for the CVE to be provided for
> cabacdc291c251bfde0dc2a2c945c02cef41bf40 from May, or could you let
> me know what CVE was assigned for the initial fix?
A 5 seconds search through the MantisBT changesets tells me that it was CVE-2014-8986. See https://www.mantisbt.org/bugs/view.php?id=17889. Which, by the way, would have been even easier for you to find if you had actually bothered to follow the process and report the security issue in our tracker yourself instead of emailing me that PDF file of yours and making me do the legwork.
> And in fact, looking at the diff, my initial thought was you were
> trying to take a vulnerability discovered by myself and pass it off
> as something new crediting someone else and yourself for the fix -
> although it may be this was unintentional as it appears you
> re-introduced the same bug a few months after the initial fix.
You know, this really sounds like paranoia... You know me, and should know better. I have never taken credit for somebody else's work. Credit was given, where it was due: http://thread.gmane.org/gmane.comp.security.oss.general/14706/focus=14849
> [...] It seems you then modified the fix for this vulnerability in August
> to re-introduce the vulnerability [...]
>
> And now are requesting a CVE for the new issue crediting a different
> research company for the 'new vulnerability', with no mention of the
> original discovery for this issue in May 2014. @Mitre: How is this handled? Do you assign two CVE's in this case?
As far as I can tell, while related, these are indeed 2 distinct issues even though they are evidently related. Quite frankly, I just can't be bothered to analyze whether my follow-up fix for CVE-2014-8986 reintroduced the issue or not. Even if I did, the fact remains that 1.2.19 was released as it was, so we DO have two distinct issues here in any case.

D