SB2012062903 - Multiple vulnerabilities in mantisbt.sourceforge.net MantisBT

Published: June 29, 2012 Updated: August 11, 2020

Security Bulletin ID: SB2012062903
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 6 security vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-1121)

The vulnerability allows a remote authenticated user to manipulate or delete data.

MantisBT before 1.2.9 does not properly check permissions, which allows remote authenticated users with manager privileges to (1) modify or (2) delete global categories.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-1122)

The vulnerability allows a remote authenticated user to manipulate or delete data.

bug_actiongroup.php in MantisBT before 1.2.9 does not properly check the report_bug_threshold permission of the receiving project when moving a bug report, which allows remote authenticated users with the report_bug_threshold and move_bug_threshold privileges for a project to bypass intended access restrictions and move bug reports to a different project.


3) Improper Authentication (CVE-ID: CVE-2012-1123)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The mci_check_login function in api/soap/mc_api.php in the SOAP API in MantisBT before 1.2.9 allows remote attackers to bypass authentication via a null password.
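The defensive pattern behind the fix for this entry, as an added illustrative example rather than MantisBT's own code: an API login routine that refuses a missing or empty password up front, so that a SOAP request carrying a nil password element (which arrives in PHP as null) can never reach the credential comparison. The function name, the in-memory user table and the password value are constructed for this example and do not mirror mci_check_login's real signature.

```php
<?php
// Added illustrative example (not MantisBT code): reject absent credentials
// before any comparison takes place.

declare(strict_types=1);

// Constructed in-memory user table; the hash is produced by password_hash().
function example_user_table(): array {
    return [
        'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
}

/**
 * Return the authenticated username, or null on failure.
 * Hypothetical function; its signature is an assumption made for this example.
 */
function api_check_login(?string $username, ?string $password, array $users): ?string {
    // A SOAP client can omit the password or send a nil element, which PHP
    // sees as null. Treat null and the empty string as "no password given"
    // and fail closed, instead of letting the value flow into a comparison.
    if ($username === null || $username === '' || $password === null || $password === '') {
        return null;
    }
    if (!array_key_exists($username, $users)) {
        return null;
    }
    // Constant-time comparison against the stored hash.
    return password_verify($password, $users[$username]) ? $username : null;
}

$users = example_user_table();
var_dump(api_check_login('alice', 'correct horse battery staple', $users));
var_dump(api_check_login('alice', null, $users));
var_dump(api_check_login('alice', '', $users));
```

The first call is the only one that returns a username; the null and empty-string calls both return null before any hash is examined.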


4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-1118)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The access_has_bug_level function in core/access_api.php in MantisBT before 1.2.9 does not properly restrict access when the private_bug_view_threshold is set to an array, which allows remote attackers to bypass intended restrictions and perform certain operations on private bug reports.


5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-1119)

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

MantisBT before 1.2.9 does not audit when users copy or clone a bug report, which makes it easier for remote attackers to copy bug reports without detection.


6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-1120)

The vulnerability allows a remote authenticated user to manipulate or delete data.

The SOAP API in MantisBT before 1.2.9 does not properly enforce the bugnote_allow_user_edit_delete and delete_bug_threshold permissions, which allows remote authenticated users with read and write SOAP API privileges to delete arbitrary bug reports and bug notes.
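Entries 2, 4 and 6 all describe permission checks that were either skipped on one code path or applied to the wrong object. The following is an added example, written for this bulletin and not taken from MantisBT, that models the three checks in one small module: a threshold comparison that handles both the single-level (int) and permitted-set (array) forms of a threshold (entry 4), a move check that requires report_bug_threshold in the receiving project and not only move_bug_threshold in the source (entry 2), and a delete check that every API path, web or SOAP, must call (entry 6). The threshold option names are MantisBT's; the function names, access-level constants, per-project configuration and user table are constructed assumptions.

```php
<?php
// Added illustrative example, not MantisBT's own code. Function names, data
// layout and the simplified bugnote rule are assumptions for this example.

declare(strict_types=1);

const VIEWER = 10;
const REPORTER = 25;
const UPDATER = 40;
const DEVELOPER = 55;
const MANAGER = 70;
const ADMINISTRATOR = 90;

// Constructed per-project configuration. A threshold is either a minimum
// access level (int) or an explicit list of permitted levels (array).
$config = [
    1 => ['report_bug_threshold' => REPORTER, 'move_bug_threshold' => DEVELOPER,
          'private_bug_view_threshold' => [DEVELOPER, ADMINISTRATOR],
          'delete_bug_threshold' => DEVELOPER, 'bugnote_allow_user_edit_delete' => true],
    2 => ['report_bug_threshold' => DEVELOPER, 'move_bug_threshold' => DEVELOPER,
          'private_bug_view_threshold' => MANAGER,
          'delete_bug_threshold' => MANAGER, 'bugnote_allow_user_edit_delete' => false],
];

// Constructed user -> project -> access level table.
$access = [
    'alice' => [1 => DEVELOPER, 2 => REPORTER],
    'bob'   => [1 => MANAGER,   2 => MANAGER],
];

function user_level(array $access, string $user, int $project): int {
    return $access[$user][$project] ?? 0; // no membership: below every threshold
}

// Handle both threshold forms. An array is a set of permitted levels, so a
// numeric ">=" comparison against it is meaningless; test membership instead.
function meets_threshold(int $level, $threshold): bool {
    if (is_array($threshold)) {
        return in_array($level, $threshold, true);
    }
    return $level >= (int) $threshold;
}

// Entry 4: a private bug is visible only to its reporter (assumed rule) or to
// users meeting private_bug_view_threshold, whichever form that setting takes.
function can_view_bug(array $cfg, int $level, int $project, bool $private, bool $is_reporter): bool {
    if (!$private || $is_reporter) {
        return true;
    }
    return meets_threshold($level, $cfg[$project]['private_bug_view_threshold']);
}

// Entry 2: moving needs move_bug_threshold in the source project AND
// report_bug_threshold in the target project. Checking only the source
// lets a user place bugs in projects they are not allowed to report to.
function can_move_bug(array $cfg, array $access, string $user, int $from, int $to): bool {
    return meets_threshold(user_level($access, $user, $from), $cfg[$from]['move_bug_threshold'])
        && meets_threshold(user_level($access, $user, $to), $cfg[$to]['report_bug_threshold']);
}

// Entry 6: every delete path (web UI and SOAP alike) must call these.
function can_delete_bug(array $cfg, int $level, int $project): bool {
    return meets_threshold($level, $cfg[$project]['delete_bug_threshold']);
}

// Simplified bugnote rule (assumption): the note's author may delete it only
// when bugnote_allow_user_edit_delete is on; anyone else needs the bug-delete
// threshold.
function can_delete_bugnote(array $cfg, int $level, int $project, bool $is_author): bool {
    if ($is_author && $cfg[$project]['bugnote_allow_user_edit_delete']) {
        return true;
    }
    return can_delete_bug($cfg, $level, $project);
}

var_dump(can_move_bug($config, $access, 'alice', 1, 2));   // alice is only REPORTER in project 2
var_dump(can_move_bug($config, $access, 'bob', 1, 2));
var_dump(can_view_bug($config, UPDATER, 1, true, false));   // UPDATER is not in the permitted set
var_dump(can_view_bug($config, DEVELOPER, 1, true, false));
var_dump(can_delete_bugnote($config, REPORTER, 2, true));   // option off in project 2
```

The two move calls show the point of entry 2: alice holds the move threshold in project 1 but not the report threshold in project 2, so only bob's move passes. The view calls show that with an array threshold an UPDATER is refused even though 40 is numerically below 55, because membership, not ordering, is what the array form expresses.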


Remediation

Install the update from the vendor's website.
