View Issue Details

ID: 0009533
Project: mantisbt
Category: security
View Status: public
Last Update: 2008-10-18 18:32
Reporter: jreese
Assigned To: jreese
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.1.2
Target Version: 1.1.3
Fixed in Version: 1.1.3
Summary: 0009533: Mantis should use secure sessions on https connections
Description

Recently an issue with session cookies got some public attention:
http://www.heise.de/security/Ausspioniert-trotz-Verschluesselung--/news/meldung/114141

(in German)

The problem is that if a site uses https only, but the user calls an http URL once, the cookie is transferred unencrypted.

Mantis is vulnerable to this issue; the solution is to set the session cookies to secure-only if the app is running on SSL. I've attached patches for both Mantis 1.1 and 1.2.

As I'd consider this a security issue, I've assigned CVE-2008-3102 to it.
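The pattern the report describes, shown as an added example in PHP (it is neither the attached patch nor MantisBT's own code): the Secure attribute of the session cookie is derived from the scheme the request actually arrived on, so a browser will never attach the session id to a plain-http request for the same host. The helper name `mantis_is_https()`, the cookie path `/` and the empty domain are assumptions for illustration.

```php
<?php
// Added example, not MantisBT's code.
// Decide whether the current request arrived over TLS. PHP fills
// $_SERVER['HTTPS'] with a non-empty value on SSL requests, but IIS sets
// it to the literal string "off" on plain-http requests, so both cases
// have to be handled. (Name of this helper is an assumption.)
function mantis_is_https(array $p_server): bool {
    if (!isset($p_server['HTTPS']) || $p_server['HTTPS'] === '') {
        return false;
    }
    return strtolower($p_server['HTTPS']) !== 'off';
}

// Vulnerable pattern: the cookie parameters never ask for the Secure flag,
// so one http:// link to the site makes the browser send the session id
// in clear text, even if every page is normally served over https.
function start_session_insecure(): void {
    session_set_cookie_params(0, '/', '');   // secure defaults to false
    session_start();
}

// Hardened pattern: request the Secure flag only when the application is
// really served over SSL. Forcing it on a plain-http deployment would make
// the browser drop the cookie on every request and log users out.
// HttpOnly is added as well so page script cannot read the session id.
function start_session_secure(array $p_server): void {
    $t_secure = mantis_is_https($p_server);
    session_set_cookie_params(0, '/', '', $t_secure, true);
    session_start();
}

// Self-check of the scheme detection with constructed server arrays; it
// runs from the command line without a web server and does not open a
// session.
$t_cases = [
    [['HTTPS' => 'on'],  true],
    [['HTTPS' => '1'],   true],
    [['HTTPS' => 'off'], false],
    [[],                 false],
];
foreach ($t_cases as [$t_server, $t_expected]) {
    if (mantis_is_https($t_server) !== $t_expected) {
        throw new RuntimeException('mantis_is_https() gave the wrong answer');
    }
}
echo "scheme detection OK\n";
```

One caveat for deployments behind a TLS-terminating proxy: PHP then sees a plain-http connection and `$_SERVER['HTTPS']` is not set, so the Secure flag would not be requested; such setups need to tell the application explicitly that it is served over SSL. To confirm a running instance, request the login page over https and check that the `Set-Cookie` header for the session cookie carries the `secure` attribute.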

Tags: No tags attached.

Relationships

related to 0009524 (closed, grangeway): Mantis should use secure sessions on https connections

Activities

jreese (reporter), 2008-08-13 09:00, note ~0019143

Fix committed to SVN 1.1.x, r5511.

Issue History

Date Modified | Username | Field | Change
2008-08-13 08:57 jreese New Issue
2008-08-13 08:57 jreese Issue generated from: 0009524
2008-08-13 08:57 jreese Relationship added related to 0009524
2008-08-13 09:00 jreese Note Added: 0019143
2008-08-13 09:00 jreese Status new => resolved
2008-08-13 09:00 jreese Fixed in Version => 1.1.3
2008-08-13 09:00 jreese Resolution open => fixed
2008-08-13 09:00 jreese Assigned To => jreese
2008-10-09 13:30 giallu View Status private => public
2008-10-18 18:32 giallu Status resolved => closed