MantisBT 1.2.8 Released

Post by atrol » Sep 06, 2011 10:18 am

MantisBT 1.2.8 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are advised
to upgrade to this release.

Paulino Calderon from Websec, High-Tech Bridge Security Research Lab and
Paul Richards discovered 3 vulnerabilities:
- 1x local file inclusion (LFI)/directory traversal
- 2x cross-site scripting (XSS)

These vulnerabilities could have very severe consequences for users of
MantisBT, particularly as a result of the local file inclusion
vulnerability. If an attacker can upload their own PHP script to the
server as an attachment, they may be able to execute this script using
the LFI vulnerability.

Refer to issues #13191 and #13281 for detailed information:

http://www.mantisbt.org/bugs/view.php?id=13191
http://www.mantisbt.org/bugs/view.php?id=13281

A full changelog for 1.2.8 can be found at:

http://www.mantisbt.org/bugs/changelog_ ... ion_id=139

The release can be downloaded at:

http://www.mantisbt.org/download.php