Message-ID: <CAA2mj=d+qOe7x7MTM=Bs30gowWRcggx3nU1+73DH7i_-sVK4Kg@mail.gmail.com>
Date: Fri, 5 Dec 2014 09:30:13 +0000
From: Paul Richards <paul@...tisforge.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request: Multiple XSS vulnerabilities in MantisBT

Hello Mitre,

I believe your current analysis is incorrect, and that Damien's attribution
is incorrect.

Issue 17816 regarding copy fields -
http://www.mantisbt.org/bugs/view.php?id=17876 is a duplicate of 17362

The report in issue 17362 referred to a security issue in "5. Reflected XSS
in admin panel: PoC:
[MantisBT]/admin/test_langs.php?dest_id=<script>alert(1)</script>"

At that point my response was "In terms of number 5 - are you sure you
meant test_langs.php. In 1.3-master, there's an issue within copy_field.php
of doing something similar of:

admin/copy_field.php?source_id=1&dest_id="></a><script>alert()</script><b
style="" as I was already aware of an issue within copy_field.php

I should be able to supply a report confirming this later on.

The security researcher then came back and stated that he had indeed made
an error in his report and he did not mean test_langs.php

In this case, the line:

"Credit:
Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as part
of Offensive Security's bug bounty program [7].
It was fixed by Paul Richards."

is incorrect as the issue was identified by myself initially, then
subsequently identified (incorrectly) in the initial bug report.

As I need to be able to do a security bulletin regarding my find for the
XSS within copy_field.php, can you please tell me what CVE identifier to
use for this and ensure proper attribution?

Thanks in advance
Paul

On Thu, Dec 4, 2014 at 6:20 PM, <cve-assign@...re.org> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>  1. XSS in extended project browser
>>
>> [1] http://github.com/mantisbt/mantisbt/commit/511564cc
>> [2] http://www.mantisbt.org/bugs/view.php?id=17890
>>
>
> Use CVE-2014-9269.
>
>  2. XSS in projax_api.php
>>
>> [3] http://github.com/mantisbt/mantisbt/commit/0bff06ec
>> [4] http://www.mantisbt.org/bugs/view.php?id=17583
>>
>
> Use CVE-2014-9270.
>
>  3. XSS in admin panel / copy_field.php
>>
>> [5] http://github.com/mantisbt/mantisbt/commit/e5fc835a
>> [6] http://www.mantisbt.org/bugs/view.php?id=17876
>>
>
> Use CVE-2014-9271.
>
> Issues 3 and 5 are MERGED into the same CVE ID because they are the
> same type of issue, affecting the same versions, disclosed at the same
> time, and found by the same person.
>
>  4. XSS in string_insert_hrefs()
>>
>> [8] http://github.com/mantisbt/mantisbt/commit/05378e00
>> [9] http://www.mantisbt.org/bugs/view.php?id=17297
>>
>
> Use CVE-2014-9272.
>
>
>  5. XSS in file uploads
>>
>> [10] http://github.com/mantisbt/mantisbt/commit/9fb8cf36f
>> [11] http://www.mantisbt.org/bugs/view.php?id=17874
>>
>
> Use CVE-2014-9271.
>
> Issues 3 and 5 are MERGED into the same CVE ID because they are the
> same type of issue, affecting the same versions, disclosed at the same
> time, and found by the same person.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (SunOS)
>
> iQEVAwUBVICkqKllVAevmvmsAQKuBQgAxVb3LZJ82oRHEpIKAGioXOw6bm1umxAh
> CRzFnVZUrUpZFB3vIAjAcatJXXLjZmk0NSHqWeguZ08q95lS9ockXcyYaoS5UKWG
> dyqPpZVCbhsmbSc8jf88IdT3EUAScdpof8dpCnYLSzRKdmq15GIYmYlnapms3+sK
> 6EhVvxwrv85Giu2b2KLAB/6cjV75ATDtBu6IFC7GJed+2kc7ef8eTmJoiGQ+mdtB
> 73ZGoykBlyBN5a6PVcfqPMtn58x6I8jUn4Oug382aKttVB5udp9ciRQSD0Yqdhv6
> F9bUrVPMStuTdnk64F/JDYI9x001jjCah2DiW2IMBOodjvtUr+qgPw==
> =wjH5
> -----END PGP SIGNATURE-----
>
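The payload Paul quotes for admin/copy_field.php (`dest_id="></a><script>alert()</script><b style=""`) is an attribute-context break-out: the leading `"` closes the attribute the value is reflected into, `>` closes the tag, and a fresh `<script>` element follows. The snippet below is an added illustration, not MantisBT's code and not from either message in this thread; `render_vulnerable` and `render_hardened` are hypothetical page fragments that reflect `dest_id` into a quoted `href` attribute, and the payload is the one constructed from the thread. It parses both outputs to show that without attribute encoding the browser sees three elements, while with `html.escape(..., quote=True)` the whole value stays inside the single attribute.

```python
from html import escape
from html.parser import HTMLParser

# Payload as quoted in the thread against admin/copy_field.php (constructed input).
PAYLOAD = '"></a><script>alert()</script><b style=""'


def render_vulnerable(dest_id: str) -> str:
    """Hypothetical fragment: dest_id dropped into a quoted attribute with no encoding."""
    return '<a href="copy_field.php?dest_id=' + dest_id + '">copy</a>'


def render_hardened(dest_id: str) -> str:
    """Same fragment with attribute-context encoding.

    quote=True also encodes " and ', so the value cannot terminate the attribute.
    """
    return '<a href="copy_field.php?dest_id=' + escape(dest_id, quote=True) + '">copy</a>'


class TagCollector(HTMLParser):
    """Records every start tag and the attributes of the first occurrence of each."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        # HTMLParser hands back attribute values already entity-decoded.
        self.attrs.setdefault(tag, dict(attrs))


def parse_tags(markup: str):
    """Return (list of start tags, {tag: attrs}) for a markup fragment."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.attrs


def reflection_is_contained(dest_id: str) -> bool:
    """True when the reflected value stays inside the href attribute of the single <a>."""
    tags, attrs = parse_tags(render_hardened(dest_id))
    return tags == ["a"] and attrs["a"]["href"] == "copy_field.php?dest_id=" + dest_id


if __name__ == "__main__":
    print("vulnerable tags:", parse_tags(render_vulnerable(PAYLOAD))[0])
    print("hardened tags:  ", parse_tags(render_hardened(PAYLOAD))[0])
    print("contained:", reflection_is_contained(PAYLOAD))
```

The check worth keeping from this is `reflection_is_contained`: for any reflected value, the parsed output should still be exactly one `<a>` whose decoded `href` equals the original string. Encoding only `<` and `>` would not pass it, because the `"` in the payload still closes the attribute; the encoder has to match the context (attribute value), not just strip tags.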
