oss-sec mailing list archives
CVE Request: MantisBT SOAP API can be used to disclose confidential settings
From: Damien Regad <dregad () mantisbt org>
Date: Sat, 2 Jan 2016 23:00:47 +0100
Greetings, Please assign a CVE ID for the following issue. Description:Until now, MantisBT sensitive config options were blacklisted to prevent their access via SOAP API (see config_is_private() function).
When a new config is added or an existing one is renamed, the black list must be updated accordingly. If this is not or incorrectly done, the config becomes available via SOAP API.
This was the case with the MantisBT master cryptographic salt (crypto_master_salt): it was incorrectly spelt.
To fix the problem as well as avoid future occurences, we are switching to a whitelist approach, i.e. listing all configs that *can* be accessed via SOAP.
Any MantisBT installation with SOAP API enabled should be patched, and immediately generate a new salt.
Affected versions: >= 1.3.0-beta.1 Fixed in versions:1.3.0 (not yet released), possibly 1.3.0-rc.2 if we decide we need another release candidate before that.
Patch: See Github [1] Credits: The issue was discovered by Paul Richards [2] and fixed by Roland Becker (MantisBT Developer). References: Further details available in our issue tracker [3] Best regards, D. Regad MantisBT Developer http://www.mantisbt.org [1] http://github.com/mantisbt/mantisbt/commit/7927c275 [2] https://sourceforge.net/p/mantisbt/mailman/message/32948048/ [3] https://mantisbt.org/bugs/view.php?id=20277
Current thread:
- CVE Request: MantisBT SOAP API can be used to disclose confidential settings Damien Regad (Jan 02)
- Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings cve-assign (Jan 03)
- Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings Damien Regad (Jan 04)
- Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings cve-assign (Jan 03)