Bug#676783:

2012-06-09 Thread David Hicks
I couldn't test SOAP API)... sorry. Please advise if I can be of further assistance. With thanks, David Hicks MantisBT Developer #mantisbt irc.freenode.net http://www.mantisbt.org/bugs/ [1] http://www.openwall.com/lists/oss-security/2012/06/09/1 [2] http://www.mantisbt.org/bugs/view.php?id

Bug#640297: XSS vulnerability due to usage of PHP_SELF: Not fixed

2011-09-05 Thread David Hicks
Hi Sils, Thank you for debugging this issue further and discovering the additional problem with form_action_self(). On Mon, 2011-09-05 at 15:14 +0200, sils wrote: > The XSS injection is continued producing, because of the function > "form_action_self". This function is used to generate a form act

Bug#640297: MantisBT <1.2.8 multiple vulnerabilities (LFI/XSS/remote arbitrary code execution)

2011-09-03 Thread David Hicks
Package: mantis Version: 1.2.6-1 Severity: critical Tags: security patch upstream fixed-upstream Hi Sils and others, Thank you for the quick response to bug #638321 (search.php multiple XSS vulnerabilities in http://www.openwall.com/lists/oss-security/2011/09/04/1 [2] http://www.mantisbt.org/bugs

Bug#638321: MantisBT <1.2.7 search.php multiple XSS vulnerabilities

2011-08-18 Thread David Hicks
Package: mantis Version: 1.2.4-3 Severity: critical Tags: security patch upstream fixed-upstream Original vulnerability report by Net.Edit0r (net.edi...@att.net) from BlACK Hat Group [http://black-hg.org] is available at: http://packetstormsecurity.org/files/104149 MantisBT bug report for full de

Bug#607159: CVE numbers

2010-12-16 Thread David Hicks
From oss-sec mailing list: CVE-2010-4348: Cross site scripting CVE-2010-4349: Path disclosure CVE-2010-4350: Local file inclusion

Bug#607159: MantisBT <1.2.4 multiple vulnerabilities (LFI, XSS and PD)

2010-12-15 Thread David Hicks
Hi Olivier, Thank you for the response. On Wed, 2010-12-15 at 09:13 +0100, Olivier Berger wrote: > AFAICT, Debian installations may not be vulnerable as the admin/ dir is > protected in principle by the Apache configuration of the package : This is good/recommended practice so this bug will pro

Bug#607159: MantisBT <1.2.4 multiple vulnerabilities (LFI, XSS and PD)

2010-12-14 Thread David Hicks
Package: mantis Version: 1.1.6+dfsg-2lenny4 Severity: critical Tags: security patch upstream fixed-upstream The MantisBT project was notified by Gjoko Krstic of Zero Science Lab (gj...@zeroscience.mk) of multiple vulnerabilities affecting MantisBT <1.2.4. The two following advisories have been re

Bug#595248: Unescaped PHP_SELF XSS vulnerabilities in NuSOAP 0.9.5

2010-09-02 Thread David Hicks
Package: nusoap Version: 0.9.5-1 Owner: olivier.ber...@it-sudparis.eu Tags: security Bogdan Calin of Acunetix discovered some cross site scripting vulnerabilities in NuSOAP 0.9.5 relating to lack of escaping of PHP_SELF. This is an issue because of potentially malicious URLs being constructed alon