MantisBT 1.2.8 Released

Hi all,

MantisBT 1.2.8 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are advised to upgrade to this release.

Paulino Calderon from Websec, High-Tech Bridge Security Research Lab and Paul Richards discovered 3 vulnerabilities:
– 1x local file inclusion (LFI)/directory traversal
– 2x cross-site scripting (XSS)

These vulnerabilities could have very severe consequences for users of MantisBT, particularly as a result of the local file inclusion vulnerability. If an attacker can upload their own PHP script to the server as an attachment, they may be able to execute this script using the LFI vulnerability.

Refer to issues #13191 and #13281 for detailed information:

http://www.mantisbt.org/bugs/view.php?id=13191
http://www.mantisbt.org/bugs/view.php?id=13281

A full changelog for 1.2.8 can be found at:

http://www.mantisbt.org/bugs/changelog_page.php?version_id=139

The release can be downloaded at:

http://www.mantisbt.org/download.php

Cheers


3 Responses to MantisBT 1.2.8 Released

  1. Pingback: MantisBT 1.2.8 has been released | MantisBT Information Site

  2. Adminitrack says:

    Are the developers working on a way to filter out the vulnerabilities?

  3. SonyHx929 says:

    I just heard of this yesterday. Appreciate your work.

    Charlie
