View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0019273 | mantisbt | security | public | 2015-01-27 04:48 | 2015-03-15 19:58 |
Reporter | dregad | Assigned To | dregad |
Priority | normal | Severity | major | Reproducibility | have not tried |
Status | closed | Resolution | fixed |
Product Version | 1.3.0-beta.1 |
Target Version | 1.3.0-beta.2 | Fixed in Version | 1.3.0-beta.2 |
Summary | 0019273: CVE-2014-9572: Improper Access Control in install.php |
Description | This is a clone of 0017939 to track the vulnerability in 1.3.x branch |
Additional Information | Advisory ID: HTB23243. Original report in 0017937 |
Tags | No tags attached. |

MantisBT: master 5e5e5750 2014-12-28 01:29

Install: disable step 4 (additional config info)

This fixes a security issue allowing an attacker to access the installation script and obtain database access credentials.

Since the offending install step does not seem to be doing anything useful, the corresponding code block has been commented out.

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge Security Research Lab (https://www.htbridge.com/) in issue 0017937 (advisory ID HTB23243).

Fixes 0017939

Affected Issues: 0017937, 0017939, 0019273

mod - admin/install.php