2016-05-28 07:49 EDT
ID: 0008995
Project: mantisbt
Category: security
View Status: public
Last Update: 2008-05-08 21:56
Assigned To: thraxisp
Priority: normal
Severity: minor
Reproducibility: have not tried
Product Version: git trunk
Target Version: 1.2.0a1
Fixed in Version: 1.2.0a1
Summary: 0008995: CSRF Vulnerabilities in user_create
Description:

Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities

Name: Multiple Vulnerabilities in Mantis
Systems Affected: Mantis 1.1.1 and possibly earlier versions
Impact (CVSSv2): (, vector: )
Vendor: [^]
Authors: Antonio "s4tan" Parata (s4tan AT ush DOT it)
         Francesco "ascii" Ongaro (ascii AT ush DOT it)

B) CSRF Vulnerabilities

There is a Cross Site Request Forgery vulnerability in the software. If a logged in user with administrator privileges clicks on the following url: [^]

a new user 'foo' with administrator privileges is created. The password of the new user is sent to

Tags: No tags attached.
Attached Files:

Relationships: child of 0008975 (closed, jreese): CSRF Vulnerabilities in user_create



thraxisp (reporter), note 0017439, 2008-03-22 22:09

submitted to SVN r5132

Action pages are now qualified by checking for a POST command.
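The attack in the description above and the POST-only check described in the note, simulated as an added example (this is illustrative Python, not MantisBT code; the handler names, the Session class, the form-token scheme and the attacker payload are all assumed for illustration). Beyond what the page states, it also shows the gap a method check alone leaves: an attacker page can auto-submit a hidden form, so a cross-site POST still arrives with the victim's session cookie, and only a per-session token the attacker cannot read rejects it.

```python
"""Simulation of the user_create CSRF and the POST-only fix (added example, not MantisBT code)."""
import hashlib
import hmac
import secrets


class Session:
    """Victim's authenticated session, as carried by the browser cookie on every request (assumed model)."""

    def __init__(self, username, is_admin):
        self.username = username
        self.is_admin = is_admin
        # Per-session secret from which form tokens are derived (hypothetical hardening, not from the page).
        self.csrf_secret = secrets.token_bytes(32)


def form_token(session, form_name):
    """Token embedded in the legitimate form; an attacker's site cannot read it (same-origin policy)."""
    return hmac.new(session.csrf_secret, form_name.encode(), hashlib.sha256).hexdigest()


def user_create_vulnerable(users, session, method, params):
    """Mantis 1.1.1 behaviour as the advisory describes it: any admin request creates the user, GET included."""
    if not session.is_admin:
        return 403, "access denied"
    users[params["username"]] = params.get("access_level", "reporter")
    return 200, "user created"


def user_create_post_only(users, session, method, params):
    """The fix as the note describes it: the action page refuses anything that is not a POST."""
    if method != "POST":
        return 405, "POST required"
    return user_create_vulnerable(users, session, method, params)


def user_create_with_token(users, session, method, params):
    """POST check plus a per-session form token (assumed hardening the page does not document)."""
    if method != "POST":
        return 405, "POST required"
    expected = form_token(session, "user_create")
    if not hmac.compare_digest(params.get("form_token", ""), expected):
        return 403, "invalid form token"
    return user_create_vulnerable(users, session, method, params)


def run_attack(handler, method, params):
    """One cross-site request: the victim's admin cookie is attached, the attacker chose method and params."""
    users = {}
    victim = Session("admin", is_admin=True)
    status, _ = handler(users, victim, method, params)
    return status, users.get("foo")


# Constructed attacker payload: the query string behind a link or <img src> on the attacker's page.
ATTACK_PARAMS = {"username": "foo", "access_level": "administrator", "password": "bar"}


def demo():
    """Outcome of the same payload against each handler, returned so it can be checked rather than printed."""
    return {
        # Advisory scenario: the admin follows the link, the GET creates administrator 'foo'.
        "vulnerable_get": run_attack(user_create_vulnerable, "GET", ATTACK_PARAMS),
        # POST-only handler: the link (GET) no longer works.
        "post_only_get": run_attack(user_create_post_only, "GET", ATTACK_PARAMS),
        # But an attacker page can auto-submit a hidden POST form with the same fields.
        "post_only_forged_post": run_attack(user_create_post_only, "POST", ATTACK_PARAMS),
        # With a per-session token the forged POST fails: the attacker cannot know the token.
        "token_forged_post": run_attack(user_create_with_token, "POST", ATTACK_PARAMS),
    }


def legitimate_submission():
    """Legitimate admin: the form rendered by the site itself carries the correct token."""
    users = {}
    admin = Session("admin", is_admin=True)
    params = dict(ATTACK_PARAMS, form_token=form_token(admin, "user_create"))
    status, _ = user_create_with_token(users, admin, "POST", params)
    return status, users.get("foo")


if __name__ == "__main__":
    for name, (status, foo) in demo().items():
        print(f"{name}: status={status} foo={foo}")
    print("legitimate:", legitimate_submission())
```

Run it directly to see each outcome. The token comparison uses hmac.compare_digest so a mismatch cannot be timed; the status codes (405, 403) are the example's own choice.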

Issue History

Date Modified     Username  Field                 Change
2008-03-22 22:01  thraxisp  New Issue
2008-03-22 22:01  thraxisp  Status                new => assigned
2008-03-22 22:01  thraxisp  Assigned To           => thraxisp
2008-03-22 22:01  thraxisp  Issue generated from  0008975
2008-03-22 22:01  thraxisp  Relationship added    child of 0008975
2008-03-22 22:09  thraxisp  Status                assigned => resolved
2008-03-22 22:09  thraxisp  Fixed in Version      => 1.2.0
2008-03-22 22:09  thraxisp  Resolution            open => fixed
2008-03-22 22:09  thraxisp  Note Added            0017439
2008-04-19 04:10  vboctor   Status                resolved => closed
2008-05-08 21:56  thraxisp  View Status           private => public