Powered by MantisBT 2.27.0-dev-master-449ddbf76
Copyright © 2000 - 2024 MantisBT Team
Contact administrator for assistance
Copyright © 2000 - 2024 MantisBT Team
Contact administrator for assistance
Page execution time: 0.1642 seconds
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0009533 | mantisbt | security | public | 2008-08-13 08:57 | 2008-10-18 18:32 |
| Reporter | jreese | Assigned To | jreese | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | 1.1.2 | ||||
| Target Version | 1.1.3 | Fixed in Version | 1.1.3 | ||
| Summary | 0009533: Mantis should use secure sessions on https connections | ||||
| Description | Recently an issue with session cookies got some public attention: (in german) The problem is, if a site uses https only, but the user one time calls a http-url, the cookie is transferred unencrypted. Mantis is vulnerable to that issue, the solution is to set the session cookies to be only used secure if the app is running on ssl. I've attached patches for both mantis 1.1 and 1.2. As I'd consider this a security issue, I've assigned CVE-2008-3102 to it. | ||||
| Tags | No tags attached. | ||||