Multiple vulnerabilities have been identified in Mantis, which could be exploited by attackers or malicious users to bypass security restrictions, manipulate certain data, and execute arbitrary commands or scripting code.

The first issue is caused by an input validation error in the "return_dynamic_filters.php" script when processing the "filter_target" parameter, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected site.

The second vulnerability is caused by errors in various administrative scripts that do not validate user-supplied data and HTTP requests, which could be exploited by to conduct cross-site request forgery attacks and perform certain actions e.g. add a new administrator by tricking an authenticated admin into following a specially crafted link.

The third issue is caused by an input validation error in the "adm_config_set.php" script that does not validate the "value" parameter before being passed to an "eval()" call, which could be exploited by malicious administrators to execute arbitrary PHP code.

Affected Products

Mantis version 1.1.1 and prior

Solution

Upgrade to Mantis version 1.2.0a1 :
http://sourceforge.net/projects/mantisbt/

References

http://www.vupen.com/english/advisories/2008/1598
http://www.ush.it/2008/05/20/mantis-bug-tracker-111-multiple-vulnerabilities/

Credits

Vulnerabilities reported by Antonio s4tan Parata and Francesco ascii Ongaro.

Changelog

2008-05-21 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.