[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path' File Inclusion Vulnerability

Martin Schulze joey at infodrom.org
Thu Oct 27 12:56:48 UTC 2005


Moritz Muehlenhoff wrote:
> Thijs Kinkhorst wrote:
> > > Another security problem has been found in mantis. Insufficient
> > > input sanitising of the t_core_path parameter may be exploited to perform
> > > arbitrary file inclusion. Please see
> > > http://secunia.com/secunia_research/2005-46/advisory/ for details.
> > 
> > Hello Moritz,
> > 
> > Thank you for your report. I've prepared an NMU for all the recent
> > security problems in Mantis which is now awaiting review by my sponsor.
> 
> I assume you've prepared packages of 0.19.3?
> This would address the SQL injection issue and the other XSS in view_all_set
> as well, which are both not yet in the BTS.
> 
> The latest issues have been assigned CVE-2005-333[6789], BTW.

Do you have an idea which of them affect woody/sarge?

Regards,

	Joey

-- 
A mathematician is a machine for converting coffee into theorems.   Paul Erdös

Please always Cc to me when replying to me on the lists.



