View Issue Details

ID: 0022736
Project: mantisbt
Category: news
View Status: public
Last Update: 2017-04-25 17:18
Reporter: taken
Assigned To: atrol
Priority: immediate
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: no change required
Product Version: 2.3.0
Target Version:
Fixed in Version:
Summary: 0022736: Strange e-mail from vboctor@mantisbt.org about Critical Issue
Description

Hello,
I just got a strange e-mail from vboctor@mantisbt.org about a Critical Issue - can you confirm this?

MantisBT Critical Security Issue - PATCH NOW
Dear MantisBT users,

We would like to inform you of a critical security issue, allowing a remote attacker to reset any user's password, on all MantisBT instances where user signup or password reset are enabled, via a vulnerability in the Account verification page (verify.php).

MantisBT since 1.3.0-rc.2 (included) is affected, as well as all 2.x releases. The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be released soon.

The purpose of this message is to give you advance notice and offer you a chance to patch your systems before disclosure of the vulnerability to the general public.

You will find the fix for the issue attached to this message. If you do not know how to apply a unified diff patch, you may also manually update verify.php:

locate the if statement (at line 72 in 2.0.0-beta.3 and later, line 66 in older versions):

if( $f_confirm_hash != $t_token_confirm_hash ) {

change it to

if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {

You are strongly advised to patch your systems immediately.

We would like to take this opportunity to thank John Page aka hyp3rlinx from ApparitionSec (http://hyp3rlinx.altervista.org) for discovering, responsibly reporting and working with us towards resolution of this vulnerability.

For security of other MantisBT users, please keep this information confidential until disclosure via CVE-2017-7615 and the releases with the patches being published.

Thanks,
-MantisBT Team
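The advisory quoted above replaces a loose inequality in verify.php with a null guard plus a strict comparison. The PHP script below is an added illustration (it is not MantisBT code and not part of the advisory) that places the original comparison beside the patched one and runs both over a few constructed inputs; the function names, the sample hash value and the use of null to model "no token stored for this account" are assumptions made for the example.

```php
<?php
// Added example, not MantisBT code. Contrasts the comparison the advisory
// says to replace with the comparison it says to use instead.

// Original form: PHP loose inequality (!=).
// Loose comparison treats null and the empty string as equal, so when no
// token is stored (null) an empty submitted hash does not trip the check.
function check_hash_loose($f_confirm_hash, $t_token_confirm_hash) {
    if ( $f_confirm_hash != $t_token_confirm_hash ) {
        return false; // reject
    }
    return true; // accept
}

// Patched form: reject outright when no token exists, then compare strictly
// (type and value, !==) so no type coercion can satisfy the check.
function check_hash_strict($f_confirm_hash, $t_token_confirm_hash) {
    if ( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {
        return false; // reject
    }
    return true; // accept
}

// Constructed cases; 'abc123' is a placeholder, not a real MantisBT hash.
// Each row: [submitted hash, stored hash (null = no token), description]
$cases = [
    ['abc123', 'abc123', 'correct hash, token exists'],
    ['wrong',  'abc123', 'wrong hash, token exists'],
    ['',       null,     'empty hash, no token stored'],
    ['0',      null,     'string "0", no token stored'],
];

foreach ($cases as [$submitted, $stored, $desc]) {
    printf("%-30s loose=%-6s strict=%s\n",
        $desc,
        check_hash_loose($submitted, $stored)  ? 'accept' : 'reject',
        check_hash_strict($submitted, $stored) ? 'accept' : 'reject');
}
```

Run it with `php` on the command line. The third row is the one the advisory's added guard addresses: with no stored token, the loose comparison accepts an empty submitted hash because `'' != null` evaluates to false in PHP, while the patched check rejects it before any comparison takes place. The last row shows that the loose form is not wrong for every input, which is why a targeted test of the null case is needed when verifying that a deployment has actually been patched.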

Tags: No tags attached.

Relationships

related to 0022690 (closed, dregad): CVE-2017-7615: Account verification page allows resetting any user's password

Activities

atrol (developer) 2017-04-16 10:06 ~0056576

> I just get strange e-mail from vboctor@mantisbt.org about Critical Issue - can You confirm this?

I can confirm it.

I set view status to private.

Please keep in mind what you have been told in the e-mail.

> For security of other MantisBT users, please keep this information confidential until disclosure via CVE-2017-7615 and the releases with the patches being published.

taken (reporter) 2017-04-16 12:03 ~0056577

So is this spam, or is this a real issue?

atrol (developer) 2017-04-16 12:06 ~0056578 (last edited: 2017-04-16 12:07)

This is a real issue, that's why I set view status to private.

taken (reporter) 2017-04-16 12:10 ~0056579

Oh!
Sorry for that, I was thinking this was spam, because the From was one address, the Reply-To was another and the Return-Path was another... it looks like spam:

Return-Path: <bounces+709756-dee0-admin=wset.edu.pl@sendgrid.mantisbt.org>
From: "MantisBT" <vboctor@mantisbt.org>
Reply-to: vboctor@mantisbt.org

Best Regards and sorry.
Marek

taken (reporter) 2017-04-16 12:24 ~0056580

Btw: Looks like it's public now:
http://www.openwall.com/lists/oss-security/2017/04/16/2

Best Regards

atrol (developer) 2017-04-16 12:35 ~0056581

> Looks like it's public now:

Right, I saw it a few hours ago.
It's quite an irresponsible disclosure towards MantisBT administrators.
This is exactly what should have been prevented with the pre-announcement.

Issue History

Date Modified Username Field Change
2017-04-16 09:56 taken New Issue
2017-04-16 10:03 atrol View Status public => private
2017-04-16 10:06 atrol Assigned To => atrol
2017-04-16 10:06 atrol Status new => resolved
2017-04-16 10:06 atrol Resolution open => fixed
2017-04-16 10:06 atrol Note Added: 0056576
2017-04-16 10:12 atrol Resolution fixed => no change required
2017-04-16 12:03 taken Note Added: 0056577
2017-04-16 12:06 atrol Note Added: 0056578
2017-04-16 12:07 atrol Note Edited: 0056578 View Revisions
2017-04-16 12:10 taken Note Added: 0056579
2017-04-16 12:24 taken Note Added: 0056580
2017-04-16 12:35 atrol Note Added: 0056581
2017-04-16 13:07 dregad Relationship added related to 0022690
2017-04-25 17:18 atrol Status resolved => closed
2017-04-25 17:18 atrol View Status private => public