Vulnerability Assessment & Network Security Forums

If through a vulnerability assessment, a network security issue is detected for the vulnerability below, applying the appropriate security patches in a timely matter is very important. If you have detected that your system has already been compromised, following CERT's Network Security recovery document will assist with recommended steps for system recovery.

Home >> Browse Vulnerability Assessment Database >> CGI abuses >> Mantis < 0.19.3 Multiple Flaws

Vulnerability Assessment Details

Mantis < 0.19.3 Multiple Flaws

Vulnerability Assessment Summary
Checks for flaws in Mantis < 0.19.3

Detailed Explanation for this Vulnerability Assessment

Summary :

The remote web server contains a PHP application that is affected by
multiple flaws.

Description :

The remote version of Mantis suffers from a remote file inclusion
vulnerability. Provided PHP's 'register_globals' setting is enabled,
A possible hacker may be able to leverage this issue to read arbitrary files
on the local host or to execute arbitrary PHP code, possibly taken
from third-party hosts.

In addition, the installed version reportedly may be prone to SQL
injection, cross-site scripting, and information disclosure attacks.

See also :

http://secunia.com/secunia_research/2005-46/advisory/
http://sourceforge.net/mailarchive/forum.php?thread_id=8517463&forum_id=7369

Solution :

Upgrade to Mantis 0.19.3 or newer.

Network Security Threat Level:

Medium / CVSS Base Score : 6
(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)

Networks Security ID: 15210, 15212, 15227

Vulnerability Assessment Copyright: This script is Copyright (C) 2005 David Maciejak

Cables, Connectors