oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE Request: CAPTCHA bypass in MantisBT

From: Damien Regad <dregad () mantisbt org>
Date: Wed, 26 Nov 2014 17:58:31 +0100
Description:
There is a weakness on the CAPTCHA system that is used upon registration of a new user that could allow a malicious individual to perform a denial of service attack by indiscriminately creating new accounts, thus generating a high load on the server. 


Affected versions:
<= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [1]

Credit:
Issue was discovered by Alejo Popovici and fixed by Victor Boctor (MantisBT Developer) 

References:
Further details available in our issue tracker [2]


D. Regad
MantisBT Developer
http://www.mantisbt.org


[1] http://github.com/mantisbt/mantisbt/commit/7bb78e45
[2] https://www.mantisbt.org/bugs/view.php?id=17811
Previous By Date Next
Previous By Thread Next

Current thread: