 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| Test ID: | 1.3.6.1.4.1.25623.1.0.61345 |
| Category: | Fedora Local Security Checks |
| Title: | Fedora Core 9 FEDORA-2008-6647 (mantis) |
| Summary: | NOSUMMARY |
| Description: | Description: The remote host is missing an update to mantis announced via advisory FEDORA-2008-6647. Mantis is a web-based bugtracking system. It is written in the PHP scripting language and requires the MySQL database and a webserver. Mantis has been installed on Windows, MacOS, OS/2, and a variety of Unix operating systems. Any web browser should be able to function as a client. Documentation can be found in: /usr/share/doc/mantis-1.1.2 When the package has finished installing, you will need to perform some additional configuration steps these are described in: /usr/share/doc/mantis-1.1.2/README.Fedora Update Information: Update to upstream version 1.1.2, fixing following security issues: - 0008974: XSS Vulnerability in filters - 0008975: CSRF Vulnerabilities in user_create (CVE-2008-2276) - 0008976: Remote Code Execution in adm_config - 0009154: arbitrary file inclusion through user preferences page See upstream changelog for details on all bugs fixed in new upstream version: http://www.mantisbt.org/bugs/changelog_page.php ChangeLog: * Sat Jul 19 2008 Gianluca Sforna - 1.1.2-1 - new upstream release - add patch for bugnotes notification References: [ 1 ] Bug #446926 - CVE-2008-2276 mantis: multiple CSRF issues https://bugzilla.redhat.com/show_bug.cgi?id=446926 [ 2 ] Bug #448410 - mantis: code execution by users with administrative privileges https://bugzilla.redhat.com/show_bug.cgi?id=448410 [ 3 ] Bug #448404 - mantis: XSS in return_dynamic_filters.php https://bugzilla.redhat.com/show_bug.cgi?id=448404 [ 4 ] Bug #456044 - mantis: arbitrary file inclusion through user preferences page https://bugzilla.redhat.com/show_bug.cgi?id=456044 Solution: Apply the appropriate updates. This update can be installed with the yum update program. Use su -c 'yum update mantis' at the command line. For more information, refer to Managing Software with yum, available at http://docs.fedoraproject.org/yum/. http://www.securityspace.com/smysecure/catid.html?in=FEDORA-2008-6647 Risk factor : High CVSS Score: 6.8 |
| Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2008-2276 BugTraq ID: 29297 http://www.securityfocus.com/bid/29297 Bugtraq: 20080520 Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities (Google Search) http://marc.info/?l=bugtraq&m=121130774617956&w=4 https://www.exploit-db.com/exploits/5657 https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00801.html https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00813.html http://www.gentoo.org/security/en/glsa/glsa-200809-10.xml http://secunia.com/advisories/30270 http://secunia.com/advisories/31171 http://secunia.com/advisories/31972 http://www.vupen.com/english/advisories/2008/1598/references XForce ISS Database: mantis-usercreate-csrf(42447) https://exchange.xforce.ibmcloud.com/vulnerabilities/42447 |
| Copyright | Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com |
| This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |