oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE Request: MantisBT SOAP API can be used to disclose confidential settings

From: Damien Regad <dregad () mantisbt org>
Date: Sat, 2 Jan 2016 23:00:47 +0100
Greetings,

Please assign a CVE ID for the following issue.


Description:
Until now, MantisBT sensitive config options were blacklisted to prevent their access via SOAP API (see config_is_private() function).
When a new config is added or an existing one is renamed, the black list must be updated accordingly. If this is not or incorrectly done, the config becomes available via SOAP API.
This was the case with the MantisBT master cryptographic salt (crypto_master_salt): it was incorrectly spelt.
To fix the problem as well as avoid future occurences, we are switching to a whitelist approach, i.e. listing all configs that *can* be accessed via SOAP.
Any MantisBT installation with SOAP API enabled should be patched, and immediately generate a new salt. 


Affected versions:
>= 1.3.0-beta.1

Fixed in versions:
1.3.0 (not yet released), possibly 1.3.0-rc.2 if we decide we need another release candidate before that. 

Patch:
See Github [1]

Credits:
The issue was discovered by Paul Richards [2] and fixed by Roland Becker
(MantisBT Developer).

References:
Further details available in our issue tracker [3]


Best regards,
D. Regad
MantisBT Developer
http://www.mantisbt.org


[1] http://github.com/mantisbt/mantisbt/commit/7927c275
[2] https://sourceforge.net/p/mantisbt/mailman/message/32948048/
[3] https://mantisbt.org/bugs/view.php?id=20277
Previous By Date Next
Previous By Thread Next

Current thread: