View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0022736||mantisbt||news||public||2017-04-16 09:56||2017-04-25 17:18|
|Priority||immediate||Severity||minor||Reproducibility||have not tried|
|Status||closed||Resolution||no change required|
|Target Version||Fixed in Version|
|Summary||0022736: Strange e-mail from: firstname.lastname@example.org about Critical Issue|
MantisBT Critical Security Issue - PATCH NOW
We would like to inform you of a critical security issue, allowing a remote attacker to reset any user's password, on all MantisBT instances where user signup or password reset are enabled, via a vulnerability in the Account verification page (verify.php).
MantisBT since 1.3.0-rc.2 (included) is affected, as well as all 2.x releases. The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be released soon.
The purpose of this message is to give you advance notice and offer you a chance to patch your systems before disclosure of the vulnerability to the general public.
You will find the fix for the issue attached to this message. If you do not know how to apply a unified diff patch, you may also manually update verify.php:
locate the if statement (at line 72 in 2.0.0-beta.3 and later, line 66 in older versions):
change it to
You are strongly advised to patch your systems immediately.
We would like to take this opportunity to thank John Page aka hyp3rlinx from ApparitionSec (http://hyp3rlinx.altervista.org) for discovering, responsibly reporting and working with us towards resolution of this vulnerability.
For security of other MantisBT users, please keep this information confidential until disclosure via CVE-2017-7615 and the releases with the patches being published.
|Tags||No tags attached.|
I can confirm it.
I set view status to private.
Please keep in mind what you have been told in the e-mail.
So this is spam or this is real issue?
This is a real issue, that's why I set view status to private.
Best Regards and sorry.
Btw: Looks like it`s public now:
Right, I saw it a few hours ago.
|2017-04-16 09:56||taken||New Issue|
|2017-04-16 10:03||atrol||View Status||public => private|
|2017-04-16 10:06||atrol||Assigned To||=> atrol|
|2017-04-16 10:06||atrol||Status||new => resolved|
|2017-04-16 10:06||atrol||Resolution||open => fixed|
|2017-04-16 10:06||atrol||Note Added: 0056576|
|2017-04-16 10:12||atrol||Resolution||fixed => no change required|
|2017-04-16 12:03||taken||Note Added: 0056577|
|2017-04-16 12:06||atrol||Note Added: 0056578|
|2017-04-16 12:07||atrol||Note Edited: 0056578||View Revisions|
|2017-04-16 12:10||taken||Note Added: 0056579|
|2017-04-16 12:24||taken||Note Added: 0056580|
|2017-04-16 12:35||atrol||Note Added: 0056581|
|2017-04-16 13:07||dregad||Relationship added||related to 0022690|
|2017-04-25 17:18||atrol||Status||resolved => closed|
|2017-04-25 17:18||atrol||View Status||private => public|