National Cyber Awareness System

Vulnerability Summary for CVE-2011-3357

Overview

Directory traversal vulnerability in bug_actiongroup_ext_page.php in MantisBT before 1.2.8 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter, related to bug_actiongroup_page.php.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: https://github.com/mantisbt/mantisbt/commit/6ede60d3db9e202044f135001589cce941ff6f0f

Type: Patch Information

Hyperlink:https://github.com/mantisbt/mantisbt/commit/6ede60d3db9e202044f135001589cce941ff6f0f

External Source: CONFIRM

Name: https://github.com/mantisbt/mantisbt/commit/5b93161f3ece2f73410c296fed8522f6475d273d

Type: Patch Information

Hyperlink:https://github.com/mantisbt/mantisbt/commit/5b93161f3ece2f73410c296fed8522f6475d273d

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=735514

Type: Patch Information; Exploit

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=735514

External Source: CONFIRM

Name: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297

Type: Patch Information; Exploit

Hyperlink:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297

External Source: MISC

Name: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html

Hyperlink:https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html

External Source: XF

Name: mantisbt-action-file-include(69588)

Hyperlink:http://xforce.iss.net/xforce/xfdb/69588

External Source: BID

Name: 49448

Hyperlink:http://www.securityfocus.com/bid/49448

External Source: BUGTRAQ

Name: 20110905 Multiple vulnerabilities in MantisBT

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/519547/100/0/threaded

External Source: MLIST

Name: [oss-security] 20110909 Re: CVE requests: <mantisbt-1.2.8 multiple vulnerabilities (1xLFI+XSS, 2xXSS)

Hyperlink:http://www.openwall.com/lists/oss-security/2011/09/09/9

External Source: MLIST

Name: [oss-security] 20110904 Re: CVE requests: <mantisbt-1.2.8 multiple vulnerabilities (1xLFI+XSS, 2xXSS)

Hyperlink:http://www.openwall.com/lists/oss-security/2011/09/04/2

External Source: MLIST

Name: [oss-security] 20110904 CVE requests: <mantisbt-1.2.8 multiple vulnerabilities (1xLFI+XSS, 2xXSS)

Hyperlink:http://www.openwall.com/lists/oss-security/2011/09/04/1

External Source: CONFIRM

Name: http://www.mantisbt.org/bugs/view.php?id=13281

Hyperlink:http://www.mantisbt.org/bugs/view.php?id=13281

External Source: DEBIAN

Name: DSA-2308

Hyperlink:http://www.debian.org/security/2011/dsa-2308

External Source: SREASON

Name: 8392

Hyperlink:http://securityreason.com/securityalert/8392

External Source: SECUNIA

Name: 45961

Type: Advisory

Hyperlink:http://secunia.com/advisories/45961

External Source: FEDORA

Name: FEDORA-2011-12369

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2011-September/066061.html

External Source: MLIST

Name: [debian-security-tracker] 20110908 Security Fix for mantis stable 1.1.8

Hyperlink:http://lists.debian.org/debian-security-tracker/2011/09/msg00012.html