Comparing changes
base repository: mantisbt/mantisbt
base: 9869270
head repository: mantisbt/mantisbt
compare: c046dc6

  • 2 commits
  • 3 files changed
  • 1 contributor

Commits on Aug 18, 2011

  1. Fix #13245: XSS issues with search.php parameters

    Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat Group
    [http://black-hg.org] posted a vulnerability report for an XSS issue in
    search.php for MantisBT 1.2.6.
    
    The full report is available at
    http://packetstormsecurity.org/files/104149
    
    filter_api.php is the culprit for this vulnerability as it passes user
    supplied search parameters back into output without first escaping the
    values.
    
    It should be noted that numerous other XSS vulnerabilities (all related)
    have been fixed with this patch. In other words, it is not just the
    project_id parameter to search.php that was affected - it was numerous
    other parameters/fields as well.
    
    The second SQL injection vulnerability identified by Net.Edit0r is
    invalid because the only time we ever make reference to "mbadmin" in the
    source code is:
    
    core.php:
    if ( file_exists( 'mantis_offline.php' ) && !isset( $_GET['mbadmin'] ) )
    
    This usage is safe because nothing is ever done with $_GET['mbadmin'].
    It may be the case that the user's customised version of
    mantis_offline.php was incorrectly dumping the value of $_GET['mbadmin']
    to the screen. The default/sample mantis_offline.php has been checked
    and does not print any dynamically created strings/user supplied values.
    davidhicks committed Aug 18, 2011 (commit 317f3db)
  2. 2
    (commit c046dc6)