MantisBT

View Issue Details Jump to Notes ] Wiki ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0009524mantisbtsecuritypublic2008-08-12 20:122009-01-15 11:25
Reporterhanno 
Assigned Tograngeway 
PrioritynormalSeverityminorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version1.2.0a2 
Target Version1.2.0a3Fixed in Version1.2.0a3 
Summary0009524: Mantis should use secure sessions on https connections
DescriptionRecently an issue with session cookies got some public attention:
http://www.heise.de/security/Ausspioniert-trotz-Verschluesselung--/news/meldung/114141 [^]

(in german)

The problem is, if a site uses https only, but the user one time calls a http-url, the cookie is transferred unencrypted.

Mantis is vulnerable to that issue, the solution is to set the session cookies to be only used secure if the app is running on ssl. I've attached patches for both mantis 1.1 and 1.2.

As I'd consider this a security issue, I've assigned CVE-2008-3102 to it.
TagsNo tags attached.
Attached Filesdiff file icon mantis-securesession-1.1.diff [^] (378 bytes) 2008-08-12 20:12 [Show Content]
diff file icon mantis-securesession-1.2.diff [^] (360 bytes) 2008-08-12 20:12 [Show Content]

- Relationships
related to 0009533closedjreese Mantis should use secure sessions on https connections 

-  Notes
User avatar (0019140)
grangeway (developer)
2008-08-13 05:22

@@ -56,6 +56,9 @@
         }
 
         session_cache_limiter( 'private_no_expire' );
+ if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+ session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), true, true );
+ }
         session_start();
         $this->id = session_id();
     }

Commited to TRUNK for inclusion in next 1.2 alpha release.

- Issue History
Date Modified Username Field Change
2008-08-12 20:12 hanno New Issue
2008-08-12 20:12 hanno File Added: mantis-securesession-1.1.diff
2008-08-12 20:12 hanno File Added: mantis-securesession-1.2.diff
2008-08-13 05:22 grangeway Note Added: 0019140
2008-08-13 08:57 jreese Issue cloned: 0009533
2008-08-13 08:57 jreese Relationship added related to 0009533
2008-08-13 08:58 jreese Assigned To => grangeway
2008-08-13 08:58 jreese Status new => resolved
2008-08-13 08:58 jreese Resolution open => fixed
2008-08-13 08:58 jreese Fixed in Version => 1.2.2
2008-08-13 08:58 jreese Target Version => 1.2.2
2008-10-09 13:30 giallu View Status private => public
2008-12-30 22:00 jreese Fixed in Version 1.2.2 => 1.2.0a3
2008-12-30 22:06 jreese Target Version 1.2.2 => 1.2.0a3
2009-01-15 11:25 jreese Status resolved => closed


MantisBT 1.2.17 [^]
Copyright © 2000 - 2014 MantisBT Team
Time: 0.0831 seconds.
memory usage: 3,022 KB
Powered by Mantis Bugtracker