Mantis 1.2.19 vulnerability

plmaltais · Post by **plmaltais** » 17 Feb 2015, 22:54

Hi,

I found a vulnerability in the current stable release of MantisBT (1.2.19). Using this vulnerability, an unauthenticated user can hijack another user account. Please provide an email address where I can send the vulnerability informations. I will release the technical details of the attack on my blog 90 days after this post.

Thank you,

Pier-Luc Maltais

atrol · Post by **atrol** » 18 Feb 2015, 07:08

Please follow the instructions at https://www.mantisbt.org/wiki/doku.php/ ... y_problems

Rez · Post by **Rez** » 19 Feb 2015, 23:43

Mr. Pier-Luc Maltais , Isn't it would be better if you share your vulnerability information here?
Thanks

atrol · Post by **atrol** » 20 Feb 2015, 07:06

Rez wrote:Isn't it would be better if you share your vulnerability information here?

Why? Is there any advantage for MantisBT users?

Rez · Post by **Rez** » 21 Feb 2015, 22:33

Well, not sure, Just want to see the things

atrol · Post by **atrol** » 22 Feb 2015, 16:03

Rez wrote:Just want to see the things

Also attackers.
Still no advantage for MantisBT users

Rez · Post by **Rez** » 22 Feb 2015, 23:39

atrol · Post by **atrol** » 27 Feb 2015, 06:42

Rez wrote:Just want to see the things

You can now, https://www.mantisbt.org/bugs/view.php?id=19384

Mantis Bug Tracker - Forums

Mantis 1.2.19 vulnerability

Mantis 1.2.19 vulnerability

Re: Mantis 1.2.19 vulnerability

Re: Mantis 1.2.19 vulnerability

Re: Mantis 1.2.19 vulnerability

Re: Mantis 1.2.19 vulnerability

Re: Mantis 1.2.19 vulnerability

Re: Mantis 1.2.19 vulnerability

Re: Mantis 1.2.19 vulnerability