MantisBT

View Issue Details
ID: 0009533
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2008-08-13 08:57
Last Update: 2008-10-18 18:32
Reporter: jreese
Assigned To: jreese
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not given)
Product Version: 1.1.2
Target Version: 1.1.3
Fixed in Version: 1.1.3
Summary: 0009533: Mantis should use secure sessions on https connections

Description:
Recently an issue with session cookies got some public attention:
http://www.heise.de/security/Ausspioniert-trotz-Verschluesselung--/news/meldung/114141

(in German)

The problem is that if a site uses https only, but the user calls an http URL just once, the cookie is transferred unencrypted.

Mantis is vulnerable to that issue; the solution is to set the session cookies to be used only over a secure connection if the app is running on SSL. I've attached patches for both Mantis 1.1 and 1.2.

As I'd consider this a security issue, I've assigned CVE-2008-3102 to it.
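As an added example (not the patch attached to this report and not MantisBT's own code), the PHP session configuration the report describes: the session cookie gets the Secure attribute only when the request arrived over TLS, shown next to the weak setting that leaks the cookie on any http:// link. The function names and the `$_SERVER['HTTPS']` check are assumptions.

```php
<?php
// Added example, not the patch attached to this report or MantisBT's own code.
// Returns true when the current request arrived over TLS. Assumes PHP sees the
// TLS connection directly; behind a proxy that terminates TLS, $_SERVER['HTTPS']
// is usually unset and a trusted forwarded header has to be consulted instead.
function request_is_https(array $server)
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Weak setting (the behaviour described in the report): the session cookie is
// created without the Secure attribute, so a single http:// link to the site
// makes the browser send it in clear text even if every page is served on TLS.
function configure_session_cookie_weak()
{
    // lifetime 0 = browser session, path '/', domain '' = current host,
    // secure = false, httponly = true
    session_set_cookie_params(0, '/', '', false, true);
}

// Corrected setting: when the application is running on TLS, mark the session
// cookie Secure so the browser only ever sends it over https://. A request to a
// plain http:// URL then carries no session cookie at all (the user is simply
// not logged in there) instead of leaking it.
function configure_session_cookie(array $server)
{
    $secure = request_is_https($server);
    session_set_cookie_params(0, '/', '', $secure, true);
    ini_set('session.cookie_secure', $secure ? '1' : '0');
    return $secure;
}

// Usage: configure the cookie parameters before the session is started, on
// every request; session_start() must run after them to take effect.
configure_session_cookie($_SERVER);
session_start();
```

If the application is ever served on both http:// and https://, the Secure cookie set on the TLS side will not be presented on the plain side, so login state differs between the two; that is the intended outcome rather than a bug.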
Tags: No tags attached.
Attached Files: (none listed)

Relationships:
related to 0009524 (closed, grangeway): Mantis should use secure sessions on https connections

Notes:
(0019143) jreese (administrator), 2008-08-13 09:00

Fix committed to SVN 1.1.x, r5511.

Issue History:
Date Modified Username Field Change
2008-08-13 08:57 jreese New Issue
2008-08-13 08:57 jreese Issue generated from: 0009524
2008-08-13 08:57 jreese Relationship added related to 0009524
2008-08-13 09:00 jreese Note Added: 0019143
2008-08-13 09:00 jreese Status new => resolved
2008-08-13 09:00 jreese Fixed in Version => 1.1.3
2008-08-13 09:00 jreese Resolution open => fixed
2008-08-13 09:00 jreese Assigned To => jreese
2008-10-09 13:30 giallu View Status private => public
2008-10-18 18:32 giallu Status resolved => closed


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team