View Issue Details

ID: 0019273
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-03-15 19:58
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.0-beta.1
Target Version: 1.3.0-beta.2
Fixed in Version: 1.3.0-beta.2
Summary: 0019273: CVE-2014-9572: Improper Access Control in install.php
Description

This is a clone of 0017939 to track the vulnerability in the 1.3.x branch.

Additional Information

Advisory ID: HTB23243
Reference: https://www.htbridge.com/advisory/HTB23243

Original report in 0017937

Tags: No tags attached.

Relationships

duplicate of 0017939 (closed, dregad): CVE-2014-9572: Improper Access Control in install.php

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master 5e5e5750

2014-12-28 06:29:51

dregad

Install: disable step 4 (additional config info)

This fixes a security issue allowing an attacker to access the
installation script and obtain database access credentials.

Since the offending install step does not seem to be doing anything
useful, the corresponding code block has been commented out.

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

Fixes 0017939
mod - admin/install.php

Issue History

Date Modified Username Field Change
2015-01-27 04:48 dregad New Issue
2015-01-27 04:48 dregad Status new => assigned
2015-01-27 04:48 dregad Assigned To => dregad
2015-01-27 04:48 dregad Issue generated from: 0017939
2015-01-27 04:48 dregad Relationship added duplicate of 0017939
2015-01-27 04:52 dregad Status assigned => resolved
2015-01-27 04:52 dregad Fixed in Version => 1.3.0-beta.2
2015-01-27 04:52 dregad Resolution open => fixed
2015-01-27 04:57 dregad Changeset attached => MantisBT master 5e5e5750
2015-03-15 19:58 dregad Status resolved => closed