View Issue Details
|Fixed in Version
|0009533: Mantis should use secure sessions on https connections
Recently an issue with session cookies got some public attention:
The problem is, if a site uses https only, but the user one time calls a http-url, the cookie is transferred unencrypted.
Mantis is vulnerable to that issue, the solution is to set the session cookies to be only used secure if the app is running on ssl. I've attached patches for both mantis 1.1 and 1.2.
As I'd consider this a security issue, I've assigned CVE-2008-3102 to it.
|No tags attached.