View Issue Details

ID: 0022736
Project: mantisbt
Category: news
View Status: public
Last Update: 2017-04-25 17:18
Reporter: taken
Assigned To: atrol
Priority: immediate
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: no change required
Product Version: 2.3.0
Summary: 0022736: Strange e-mail from: vboctor@mantisbt.org about Critical Issue
Description

Hello,
I just got a strange e-mail from vboctor@mantisbt.org about a Critical Issue - can you confirm this?

MantisBT Critical Security Issue - PATCH NOW
Dear MantisBT users,

We would like to inform you of a critical security issue, allowing a remote attacker to reset any user's password, on all MantisBT instances where user signup or password reset are enabled, via a vulnerability in the Account verification page (verify.php).

MantisBT since 1.3.0-rc.2 (included) is affected, as well as all 2.x releases. The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be released soon.

The purpose of this message is to give you advance notice and offer you a chance to patch your systems before disclosure of the vulnerability to the general public.

You will find the fix for the issue attached to this message. If you do not know how to apply a unified diff patch, you may also manually update verify.php:

locate the if statement (at line 72 in 2.0.0-beta.3 and later, line 66 in older versions):

if( $f_confirm_hash != $t_token_confirm_hash ) {

change it to

if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {

You are strongly advised to patch your systems immediately.

We would like to take this opportunity to thank John Page aka hyp3rlinx from ApparitionSec (http://hyp3rlinx.altervista.org) for discovering, responsibly reporting and working with us towards resolution of this vulnerability.

For security of other MantisBT users, please keep this information confidential until disclosure via CVE-2017-7615 and the releases with the patches being published.

Thanks,
-MantisBT Team
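
As an added example, not part of this issue or of MantisBT's own code, the PHP script below contrasts the original verify.php comparison with the patched one quoted in the e-mail above. The variable names follow the e-mail; the two helper functions, the case list and the sample token values are constructed for this illustration. The weakness is a PHP type-juggling one: with loose comparison, null == "" is true, so a user without a stored verification token (null) and an empty value in the request pass the original check.

```php
<?php
// Added example (not MantisBT's code): compares the original verify.php check
// with the patched form from the pre-announcement e-mail.
// $f_confirm_hash  - value taken from the request (name from the e-mail)
// $t_token_confirm_hash - token loaded for the user, null when none exists
// The helper functions and sample values below are constructed for this demo.

declare(strict_types=1);

/**
 * Original check: loose inequality. Returns true when the hash is accepted.
 * null == '' is true in PHP, so an empty request value is accepted whenever
 * no token exists for the user (or the stored token is the empty string).
 */
function confirm_hash_accepted_loose(?string $f_confirm_hash, ?string $t_token_confirm_hash): bool
{
    if ($f_confirm_hash != $t_token_confirm_hash) {
        return false; // the original code errors out here
    }
    return true;
}

/**
 * Patched check from the e-mail: reject when no token exists, then compare
 * with strict (type-aware) inequality so null/'' are never treated as equal.
 */
function confirm_hash_accepted_strict(?string $f_confirm_hash, ?string $t_token_confirm_hash): bool
{
    if ($t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash) {
        return false;
    }
    return true;
}

// Constructed cases: [request value, stored token, description]
$cases = [
    ['',       null,     'no stored token, empty value in request'],
    ['',       '',       'empty stored token, empty value in request'],
    ['a3f9c2', 'a3f9c2', 'matching token'],
    ['a3f9c2', 'b7e1d0', 'wrong token'],
    ['a3f9c2', null,     'no stored token, non-empty value in request'],
];

foreach ($cases as [$request, $stored, $label]) {
    printf(
        "%-45s loose: %-7s strict: %s\n",
        $label,
        confirm_hash_accepted_loose($request, $stored) ? 'ACCEPT' : 'reject',
        confirm_hash_accepted_strict($request, $stored) ? 'ACCEPT' : 'reject'
    );
}
```

Run with `php example.php`: the loose check accepts the first two cases, the strict check accepts only the matching token. The null guard is what matters for the first case, since a strict `!==` alone would still not help a database value that is stored as the empty string. For a constant-time comparison, `hash_equals()` (PHP 5.6 and later) can replace `!==` after the guard has run; it requires two strings, so the guard must stay in place.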

Tags: No tags attached.

Relationships

related to 0022690 (closed, assigned to dregad): CVE-2017-7615: Account verification page allows resetting any user's password

Activities

atrol (developer) - 2017-04-16 10:06 - ~0056576

I just got a strange e-mail from vboctor@mantisbt.org about a Critical Issue - can you confirm this?

I can confirm it.

I set view status to private.

Please keep in mind what you have been told in the e-mail.

For security of other MantisBT users, please keep this information confidential until disclosure via CVE-2017-7615 and the releases with the patches being published.

taken (reporter) - 2017-04-16 12:03 - ~0056577

So is this spam or is this a real issue?

atrol (developer) - 2017-04-16 12:06 - ~0056578
Last edited: 2017-04-16 12:07

This is a real issue, that's why I set view status to private.

taken (reporter) - 2017-04-16 12:10 - ~0056579

Oh!
Sorry for that, I was thinking this is spam, because the mail From was different, the Reply-To was different and the Return-Path was different... looks like spam... :

Return-Path: bounces+709756-dee0-admin=wset.edu.pl@sendgrid.mantisbt.org
From: "MantisBT" vboctor@mantisbt.org
Reply-to: vboctor@mantisbt.org

Best Regards and sorry.
Marek

taken (reporter) - 2017-04-16 12:24 - ~0056580

Btw: Looks like it's public now:
http://www.openwall.com/lists/oss-security/2017/04/16/2

Best Regards

atrol (developer) - 2017-04-16 12:35 - ~0056581

Looks like it's public now:

Right, I saw it a few hours ago.
It's quite an irresponsible disclosure towards MantisBT administrators.
This is exactly what should have been prevented with the pre-announcement.