Debian Security Advisory

DSA-161-1 mantis -- privilege escalation

Date Reported:
04 Sep 2002
Affected Packages:
mantis
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2002-1115, CVE-2002-1116.
More information:

A problem with user privileges has been discovered in the Mantis package, a PHP based bug tracking system. The Mantis system didn't check whether a user is permitted to view a bug, but displays it right away if the user entered a valid bug id.

Another bug in Mantis caused the 'View Bugs' page to list bugs from both public and private projects when no projects are accessible to the current user.

These problems have been fixed in version 0.17.1-2.5 for the current stable distribution (woody) and in version 0.17.5-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn't contain the mantis package.

Additional information:

We recommend that you upgrade your mantis packages.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1-2.5.dsc
http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1-2.5.diff.gz
http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1-2.5_all.deb

MD5 checksums of the listed files are available in the original advisory.