Hi team,

A security update is needed for the current mantis stable version (1.1.8+dfsg-10). (The CVE is not yet published.) I have prepared a new version (1.1.8+dfsg-10squeeze1).

Multiple XSS/LFI and remote arbitrary code execution vulnerabilities have been discovered which will work against all 1.2.x releases of MantisBT:

1) XSS injection via PHP_SELF
2) LFI and XSS via bug_actiongroup pages
3) XSS issues with unescaped os, os_build and platform parameters on bug_report_page.php and bug_update_advanced_page.php

Details of these vulnerabilities are provided at [1], [2] and [3]. CVE requests have been submitted to the oss-security mailing list as per [1].

*About debian versions*

mantis | 1.2.6-1 | wheezy
mantis | 1.2.7-1 | sid

1.2.7-1 includes all needed fixes for these vulnerabilities. The wheezy update is ongoing and will be completed tomorrow.

mantis | 1.1.8+dfsg-10 | squeeze

Is only affected by 2) LFI and XSS via bug_actiongroup pages.

mantis | 1.1.6+dfsg-2lenny4 | lenny

Is only affected by 1) XSS injection via PHP_SELF.

I've just prepared the new security package (mantis_1.1.8+dfsg-10squeeze1) and your revision and confirmation to upload are needed. A debdiff file is attached to this message.

Now I'm working on the 1.1.6 security version to solve these issues, in collaboration with the MantisBT Team. Within a few days I will send the security update for old-stable.

Please advise if assistance is required or you need more information.

Thanks in advance for your time.

Best regards,
Sils

[1] http://www.openwall.com/lists/oss-security/2011/09/04/1
[2] http://www.mantisbt.org/bugs/view.php?id=13191
[3] http://www.mantisbt.org/bugs/view.php?id=13281

PS: please cc me, I'm not on the debian-security list.
diff -Nru mantis-1.1.8+dfsg/debian/changelog mantis-1.1.8+dfsg/debian/changelog
--- mantis-1.1.8+dfsg/debian/changelog 2010-10-31 17:10:10.000000000 +0100
+++ mantis-1.1.8+dfsg/debian/changelog 2011-09-08 01:52:21.000000000 +0200
@@ -1,3 +1,17 @@
+mantis (1.1.8+dfsg-10squeeze1) stable-security; urgency=high
+
+ * Urgency high: Fixes critical LFI/XSS vulnerabilites (BTS #640297)
+ 1) XSS injection via PHP_SELF : not affected
+ 2) LFI and XSS via bug_actiongroup pages: fixed
+ 3) Projax XSS issues with unescaped parameters: not affected
+ * debian/patches:
+ + added: Multiple vulnerabilities (LFI/XSS injection)
+ Thanks to David Hicks, MantisBT developer.
+ 11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff
+ 12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff
+
+ -- Silvia Alvarez <sils@powered-by-linux.com> Tue, 06 Sep 2011 08:33:40 +0200
+
mantis (1.1.8+dfsg-10) unstable; urgency=low
* debian/po/vi.po: Updated. (Closes: #601930)
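Review bot: the new changelog entry only cites the Debian bug as "(BTS #640297)", so the upload will not close #640297 automatically; write "(Closes: #640297)" as the existing 1.1.8+dfsg-10 entry does for #601930. Also "vulnerabilites" should be "vulnerabilities", and once the CVE ids requested on oss-security are assigned they belong in this entry, matching how the earlier patches in debian/patches/series are named by CVE (e.g. 10-CVE-2010-3763.diff).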
diff -Nru mantis-1.1.8+dfsg/debian/patches/11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff mantis-1.1.8+dfsg/debian/patches/11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff
--- mantis-1.1.8+dfsg/debian/patches/11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff 1970-01-01 01:00:00.000000000 +0100
+++ mantis-1.1.8+dfsg/debian/patches/11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff 2011-09-08 01:52:21.000000000 +0200
@@ -0,0 +1,295 @@
+#
+# Description: LFI and XSS via group actions 1
+# Implements checking to see which options are available
+# to the user for the issues which are currently shown on
+# view bug pages. Options are only displayed in the
+# dropdown list if the user is able to use the option on at
+# least one of the bugs displayed.
+# Author: David Hicks <d@hx.id.au>
+# Bug: http://www.mantisbt.org/bugs/view.php?id=13281
+# Last-Update: 2011-09-05
+#
+Index: mantis/core/columns_api.php
+===================================================================
+--- mantis.orig/core/columns_api.php 2011-09-06 07:43:27.409465292 +0200
++++ mantis/core/columns_api.php 2011-09-06 07:43:59.402065926 +0200
+@@ -383,11 +383,23 @@
+ # $p_columns_target: see COLUMNS_TARGET_* in constant_inc.php
+ function print_column_selection( $p_row, $p_columns_target = COLUMNS_TARGET_VIEW_PAGE ) {
+ if ( $p_columns_target != COLUMNS_TARGET_CSV_PAGE ) {
+- global $t_checkboxes_exist, $t_update_bug_threshold;
+-
++ global $g_checkboxes_exist;
+ echo '<td>';
+- if ( access_has_bug_level( $t_update_bug_threshold, $p_row['id'] ) ) {
+- $t_checkboxes_exist = true;
++ if( access_has_any_project( config_get( 'report_bug_threshold', null, null, $p_bug->project_id ) ) ||
++ # !TODO: check if any other projects actually exist for the bug to be moved to
++ access_has_project_level( config_get( 'move_bug_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
++ # !TODO: factor in $g_auto_set_status_to_assigned == ON
++ access_has_project_level( config_get( 'update_bug_assign_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
++ access_has_project_level( config_get( 'update_bug_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
++ access_has_project_level( config_get( 'delete_bug_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
++ # !TODO: check to see if the bug actually has any different selectable workflow states
++ access_has_project_level( config_get( 'update_bug_status_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
++ access_has_project_level( config_get( 'set_bug_sticky_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
++ access_has_project_level( config_get( 'change_view_status_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
++ access_has_project_level( config_get( 'add_bugnote_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
++ access_has_project_level( config_get( 'tag_attach_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ||
++ access_has_project_level( config_get( 'roadmap_update_threshold', null, null, $p_bug->project_id ), $p_bug->project_id ) ) {
++ $g_checkboxes_exist = true;
+ printf( "<input type=\"checkbox\" name=\"bug_arr[]\" value=\"%d\" />" , $p_row['id'] );
+ } else {
+ echo " ";
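Review bot: the new condition in print_column_selection() reads $p_bug->project_id in every access check, but the function's only data parameter is $p_row (used as $p_row['id'] on the printf line) and no $p_bug is defined anywhere in the hunk; unless it is set elsewhere in the function, the project id is null, config_get() falls back to the current project, and the thresholds are not evaluated per bug at all. Use $p_row['project_id'] (or bug_get( $p_row['id'] )->project_id) instead. Note also that the removed access_has_bug_level( $t_update_bug_threshold, $p_row['id'] ) checked access against the specific bug, whereas the replacement uses only access_has_project_level(), and that three "# !TODO" markers are being shipped in a stable-security update.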
+Index: mantis/core/print_api.php
+===================================================================
+--- mantis.orig/core/print_api.php 2011-09-06 07:43:59.330064579 +0200
++++ mantis/core/print_api.php 2011-09-06 07:43:59.406066005 +0200
+@@ -28,6 +28,7 @@
+ require_once( $t_core_dir . 'prepare_api.php' );
+ require_once( $t_core_dir . 'profile_api.php' );
+ require_once( $t_core_dir . 'last_visited_api.php' );
++ require_once( $t_core_dir . 'bug_group_action_api.php' );
+
+ ### Print API ###
+
+@@ -1001,67 +1002,20 @@
+ } # end for
+ }
+ # --------------------
+- # @@@ preliminary support for multiple bug actions.
+- function print_all_bug_action_option_list() {
+- $commands = array( 'MOVE' => lang_get('actiongroup_menu_move'),
+- 'COPY' => lang_get('actiongroup_menu_copy'),
+- 'ASSIGN' => lang_get('actiongroup_menu_assign'),
+- 'CLOSE' => lang_get('actiongroup_menu_close'),
+- 'DELETE' => lang_get('actiongroup_menu_delete'),
+- 'RESOLVE' => lang_get('actiongroup_menu_resolve'),
+- 'SET_STICKY' => lang_get( 'actiongroup_menu_set_sticky' ),
+- 'UP_PRIOR' => lang_get('actiongroup_menu_update_priority'),
+- 'UP_STATUS' => lang_get('actiongroup_menu_update_status'),
+- 'UP_CATEGORY' => lang_get('actiongroup_menu_update_category'),
+- 'VIEW_STATUS' => lang_get( 'actiongroup_menu_update_view_status' ),
+- 'EXT_ADD_NOTE' => lang_get( 'actiongroup_menu_add_note' ),
+- 'EXT_ATTACH_TAGS' => lang_get( 'actiongroup_menu_attach_tags' ),
+- );
+-
+- $t_project_id = helper_get_current_project();
+-
+- if ( ALL_PROJECTS != $t_project_id ) {
+- $t_user_id = auth_get_current_user_id();
+-
+- if ( access_has_project_level( config_get( 'update_bug_threshold' ), $t_project_id ) ) {
+- $commands['UP_FIXED_IN_VERSION'] = lang_get( 'actiongroup_menu_update_fixed_in_version' );
+- }
+-
+- if ( access_has_project_level( config_get( 'roadmap_update_threshold' ), $t_project_id ) ) {
+- $commands['UP_TARGET_VERSION'] = lang_get( 'actiongroup_menu_update_target_version' );
+- }
+-
+- $t_custom_field_ids = custom_field_get_linked_ids( $t_project_id );
+-
+- foreach( $t_custom_field_ids as $t_custom_field_id ) {
+- # if user has not access right to modify the field, then there is no
+- # point in showing it.
+- if ( !custom_field_has_write_access_to_project( $t_custom_field_id, $t_project_id, $t_user_id ) ) {
+- continue;
+- }
+-
+- $t_custom_field_def = custom_field_get_definition( $t_custom_field_id );
+- $t_command_id = 'custom_field_' . $t_custom_field_id;
+- $t_command_caption = sprintf( lang_get( 'actiongroup_menu_update_field' ), lang_get_defaulted( $t_custom_field_def['name'] ) );
+- $commands[$t_command_id] = string_display( $t_command_caption );
+- }
++ /**
++ * Print a dropdown list of all bug actions available to a user for a specified
++ * set of projects.
++ * @param array $p_projects An array containing one or more project IDs
++ * @return null
++ */
++ function print_all_bug_action_option_list( $p_project_ids = null ) {
++ $t_commands = bug_group_action_get_commands( $p_project_ids);
++ while( list( $t_action_id, $t_action_label ) = each( $t_commands ) ) {
++ echo '<option value="' . $t_action_id . '">' . $t_action_label . '</option>';
+ }
++ }
+
+- $t_custom_group_actions = config_get( 'custom_group_actions' );
+-
+- foreach( $t_custom_group_actions as $t_custom_group_action ) {
+- # use label if provided to get the localized text, otherwise fallback to action name.
+- if ( isset( $t_custom_group_action['label'] ) ) {
+- $commands[$t_custom_group_action['action']] = lang_get_defaulted( $t_custom_group_action['label'] );
+- } else {
+- $commands[$t_custom_group_action['action']] = lang_get_defaulted( $t_custom_group_action['action'] );
+- }
+- }
+
+- while (list ($key,$val) = each ($commands)) {
+- PRINT "<option value=\"".$key."\">".$val."</option>";
+- }
+- }
+ # --------------------
+ # list of users that are NOT in the specified project and that are enabled
+ # if no project is specified use the current project
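Review bot: the docblock on the new print_all_bug_action_option_list() documents a parameter named $p_projects while the signature declares $p_project_ids, and "@return null" should describe a void function; fix the docblock to match the code. The echoed <option> line inserts $t_action_id and $t_action_label unescaped; the old code did the same, but since this is an XSS fix and the patch already uses string_attribute() for the hidden action field in bug_actiongroup_ext_page.php, wrapping the value in string_attribute() and the label in string_display() would be consistent (custom field captions are already passed through string_display() in bug_group_action_get_commands()). Minor: missing space before the closing parenthesis in bug_group_action_get_commands( $p_project_ids).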
+Index: mantis/core/bug_group_action_api.php
+===================================================================
+--- mantis.orig/core/bug_group_action_api.php 2011-09-06 07:43:27.425465594 +0200
++++ mantis/core/bug_group_action_api.php 2011-09-06 07:45:24.127656147 +0200
+@@ -151,4 +151,126 @@
+ $t_function_name = 'action_' . $p_action . '_process';
+ return $t_function_name( $p_bug_id );
+ }
++
++/**
++ * Get a list of bug group actions available to the current user for one or
++ * more projects.
++ * @param array $p_projects An array containing one or more project IDs
++ * @return null
++ */
++function bug_group_action_get_commands( $p_project_ids = null ) {
++ if ( $p_project_ids === null || count( $p_project_ids ) == 0 ) {
++ $p_project_ids = array( ALL_PROJECTS );
++ }
++
++ $t_commands = array();
++ foreach( $p_project_ids as $t_project_id ) {
++
++ if( !isset( $t_commands['MOVE'] ) &&
++ access_has_project_level( config_get( 'move_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) {
++ $t_commands['MOVE'] = lang_get( 'actiongroup_menu_move' );
++ }
++
++ if( !isset( $t_commands['COPY'] ) &&
++ access_has_any_project( config_get( 'report_bug_threshold', null, null, $t_project_id ) ) ) {
++ $t_commands['COPY'] = lang_get( 'actiongroup_menu_copy' );
++ }
++
++ if( !isset( $t_commands['ASSIGN'] ) &&
++ access_has_project_level( config_get( 'update_bug_assign_threshold', null, null, $t_project_id ), $t_project_id ) ) {
++ if( ON == config_get( 'auto_set_status_to_assigned', null, null, $t_project_id ) &&
++ access_has_project_level( access_get_status_threshold( config_get( 'bug_assigned_status', null, null, $t_project_id ), $t_project_id ), $t_project_id ) ) {
++ $t_commands['ASSIGN'] = lang_get( 'actiongroup_menu_assign' );
++ } else {
++ $t_commands['ASSIGN'] = lang_get( 'actiongroup_menu_assign' );
++ }
++ }
++
++ if( !isset( $t_commands['CLOSE'] ) &&
++ access_has_project_level( config_get( 'update_bug_status_threshold', null, null, $t_project_id ), $t_project_id ) &&
++ access_has_project_level( config_get( 'allow_reporter_close', null, null, $t_project_id ), $t_project_id ) ) {
++ $t_commands['CLOSE'] = lang_get( 'actiongroup_menu_close' );
++ }
++
++ if( !isset( $t_commands['DELETE'] ) &&
++ access_has_project_level( config_get( 'delete_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) {
++ $t_commands['DELETE'] = lang_get( 'actiongroup_menu_delete' );
++ }
++
++ if( !isset( $t_commands['RESOLVE'] ) &&
++ access_has_project_level( config_get( 'update_bug_status_threshold', null, null, $t_project_id ), $t_project_id ) &&
++ access_has_project_level( access_get_status_threshold( config_get( 'bug_resolved_status_threshold', null, null, $t_project_id ), $t_project_id ), $t_project_id ) ) {
++ $t_commands['RESOLVE'] = lang_get( 'actiongroup_menu_resolve' );
++ }
++
++ if( !isset( $t_commands['SET_STICKY'] ) &&
++ access_has_project_level( config_get( 'set_bug_sticky_threshold', null, null, $t_project_id ), $t_project_id ) ) {
++ $t_commands['SET_STICKY'] = lang_get( 'actiongroup_menu_set_sticky' );
++ }
++
++ if( !isset( $t_commands['UP_PRIOR'] ) &&
++ access_has_project_level( config_get( 'update_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) {
++ $t_commands['UP_PRIOR'] = lang_get( 'actiongroup_menu_update_priority' );
++ }
++
++ if( !isset( $t_commands['UP_STATUS'] ) &&
++ access_has_project_level( config_get( 'update_bug_status_threshold', null, null, $t_project_id ), $t_project_id ) ) {
++ $t_commands['UP_STATUS'] = lang_get( 'actiongroup_menu_update_status' );
++ }
++
++ if( !isset( $t_commands['UP_CATEGORY'] ) &&
++ access_has_project_level( config_get( 'update_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) {
++ $t_commands['UP_CATEGORY'] = lang_get( 'actiongroup_menu_update_category' );
++ }
++
++ if( !isset( $t_commands['VIEW_STATUS'] ) &&
++ access_has_project_level( config_get( 'change_view_status_threshold', null, null, $t_project_id ), $t_project_id ) ) {
++ $t_commands['VIEW_STATUS'] = lang_get( 'actiongroup_menu_update_view_status' );
++ }
++
++ if( !isset( $t_commands['EXT_ADD_NOTE'] ) &&
++ access_has_project_level( config_get( 'add_bugnote_threshold', null, null, $t_project_id ), $t_project_id ) ) {
++ $t_commands['EXT_ADD_NOTE'] = lang_get( 'actiongroup_menu_add_note' );
++ }
++
++ if( !isset( $t_commands['EXT_ATTACH_TAGS'] ) &&
++ access_has_project_level( config_get( 'tag_attach_threshold', null, null, $t_project_id ), $t_project_id ) ) {
++ $t_commands['EXT_ATTACH_TAGS'] = lang_get( 'actiongroup_menu_attach_tags' );
++ }
++
++ if( !isset( $t_commands['UP_FIXED_IN_VERSION'] ) &&
++ access_has_project_level( config_get( 'update_bug_threshold', null, null, $t_project_id ), $t_project_id ) ) {
++ $t_commands['UP_FIXED_IN_VERSION'] = lang_get( 'actiongroup_menu_update_fixed_in_version' );
++ }
++
++ if( !isset( $t_commands['UP_TARGET_VERSION'] ) &&
++ access_has_project_level( config_get( 'roadmap_update_threshold', null, null, $t_project_id ), $t_project_id ) ) {
++ $t_commands['UP_TARGET_VERSION'] = lang_get( 'actiongroup_menu_update_target_version' );
++ }
++
++ $t_custom_field_ids = custom_field_get_linked_ids( $t_project_id );
++ foreach( $t_custom_field_ids as $t_custom_field_id ) {
++ if( !custom_field_has_write_access_to_project( $t_custom_field_id, $t_project_id ) ) {
++ continue;
++ }
++ $t_custom_field_def = custom_field_get_definition( $t_custom_field_id );
++ $t_command_id = 'custom_field_' . $t_custom_field_id;
++ $t_command_caption = sprintf( lang_get( 'actiongroup_menu_update_field' ), lang_get_defaulted( $t_custom_field_def['name'] ) );
++ $t_commands[$t_command_id] = string_display( $t_command_caption );
++ }
++ }
++
++ $t_custom_group_actions = config_get( 'custom_group_actions' );
++
++ foreach( $t_custom_group_actions as $t_custom_group_action ) {
++ # use label if provided to get the localized text, otherwise fallback to action name.
++ if( isset( $t_custom_group_action['label'] ) ) {
++ $t_commands[$t_custom_group_action['action']] = lang_get_defaulted( $t_custom_group_action['label'] );
++ } else {
++ $t_commands[$t_custom_group_action['action']] = lang_get_defaulted( $t_custom_group_action['action'] );
++ }
++ }
++
++ return $t_commands;
++}
+ ?>
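Review bot: in bug_group_action_get_commands() the ASSIGN block has an if/else whose two branches assign the identical value, so the auto_set_status_to_assigned / bug_assigned_status test is dead code; either drop the inner condition or make the else branch withhold the command. In the CLOSE block, allow_reporter_close is passed to access_has_project_level() as if it were an access threshold; the name suggests an ON/OFF flag, which would make that condition true for any user, so please verify what config_get( 'allow_reporter_close' ) returns in 1.1.8. The docblock's "@return null" should be "@return array" and its @param name does not match $p_project_ids. Finally, the removed print_all_bug_action_option_list() only computed the custom field and version commands when ALL_PROJECTS != $t_project_id, while the new function defaults to array( ALL_PROJECTS ) and calls custom_field_get_linked_ids( ALL_PROJECTS ) unconditionally; confirm that it and custom_field_has_write_access_to_project() (now called without the $t_user_id argument the old code passed) handle ALL_PROJECTS as intended.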
+Index: mantis/view_all_inc.php
+===================================================================
+--- mantis.orig/view_all_inc.php 2011-09-06 07:43:27.437465819 +0200
++++ mantis/view_all_inc.php 2011-09-06 07:43:59.406066005 +0200
+@@ -38,10 +38,9 @@
+ list( $t_dir, ) = split( ',', $t_filter['dir'] );
+ }
+
+- $t_checkboxes_exist = false;
++ $g_checkboxes_exist = false;
+
+ $t_icon_path = config_get( 'icon_path' );
+- $t_update_bug_threshold = config_get( 'update_bug_threshold' );
+
+ $t_columns = helper_get_columns_to_view( COLUMNS_TARGET_VIEW_PAGE );
+
+@@ -186,11 +185,11 @@
+ <tr>
+ <td class="left" colspan="<?php echo $col_count-2; ?>">
+ <?php
+- if ( $t_checkboxes_exist && ON == config_get( 'use_javascript' ) ) {
++ if ( $g_checkboxes_exist && ON == config_get( 'use_javascript' ) ) {
+ echo "<input type=\"checkbox\" name=\"all_bugs\" value=\"all\" onclick=\"checkall('bug_action', this.form.all_bugs.checked)\" /><span class=\"small\">" . lang_get( 'select_all' ) . '</span>';
+ }
+
+- if ( $t_checkboxes_exist ) {
++ if ( $g_checkboxes_exist ) {
+ ?>
+ <select name="action">
+ <?php print_all_bug_action_option_list() ?>
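Review bot: the call print_all_bug_action_option_list() on the last line of this hunk still passes no project ids, so with the new default the dropdown is computed for ALL_PROJECTS regardless of which projects the listed bugs belong to; pass the project ids of the displayed bugs or at least helper_get_current_project(). Renaming $t_checkboxes_exist to $g_checkboxes_exist does not change scoping: print_column_selection() already reached the old name via "global", so this works only while view_all_inc.php is included at top level. Dropping $t_update_bug_threshold is fine, as no remaining line in the hunk uses it.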
diff -Nru mantis-1.1.8+dfsg/debian/patches/12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff mantis-1.1.8+dfsg/debian/patches/12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff
--- mantis-1.1.8+dfsg/debian/patches/12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff 1970-01-01 01:00:00.000000000 +0100
+++ mantis-1.1.8+dfsg/debian/patches/12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff 2011-09-08 01:52:21.000000000 +0200
@@ -0,0 +1,158 @@
+#
+# Description: LFI and XSS via group actions 2
+# Rework the bug action group api to convert this to an object
+# and to validate calls to require once.
+# This leads to a security issue identified by IBM Appscan
+# program, whereby calls to require_once are not validated.
+# From: https://github.com/mantisbt/mantisbt/commit/5b93161f3ece2f73410c296fed8522f6475d273d
+# Bug: http://www.mantisbt.org/bugs/view.php?id=13281
+# Last-Update: 2011-09-05
+#
+Index: mantis/bug_actiongroup_ext.php
+===================================================================
+--- mantis.orig/bug_actiongroup_ext.php 2011-09-07 22:57:53.597258693 +0200
++++ mantis/bug_actiongroup_ext.php 2011-09-07 23:00:18.627936560 +0200
+@@ -37,9 +37,10 @@
+ $f_action = gpc_get_string( 'action' );
+ $f_bug_arr = gpc_get_int_array( 'bug_arr', array() );
+
+- $t_action_include_file = 'bug_actiongroup_' . $f_action . '_inc.php';
++ $t_form_name = 'bug_actiongroup_' . $f_action;
++
+
+- require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . $t_action_include_file );
++ bug_group_action_init( $f_action );
+
+ # group bugs by project
+ $t_projects_bugs = array();
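Review bot: $t_form_name is assigned from $f_action but not used anywhere in this hunk (it replaces $t_action_include_file, whose only consumer, the require_once, is now bug_group_action_init( $f_action )); either use it or drop the assignment, and remove the second consecutive blank line added after it.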
+Index: mantis/bug_actiongroup_ext_page.php
+===================================================================
+--- mantis.orig/bug_actiongroup_ext_page.php 2011-09-07 22:57:53.605258836 +0200
++++ mantis/bug_actiongroup_ext_page.php 2011-09-07 23:01:07.460837898 +0200
+@@ -25,25 +25,11 @@
+
+ require_once( $t_core_path.'bug_group_action_api.php' );
+
+- auth_ensure_user_authenticated();
+-
+- $f_action = gpc_get_string( 'action' );
+- $f_bug_arr = gpc_get_int_array( 'bug_arr', array() );
+-
+- # redirect to view issues if nothing is selected
+- if ( is_blank( $f_action ) || ( 0 == sizeof( $f_bug_arr ) ) ) {
+- print_header_redirect( 'view_all_bug_page.php' );
+- }
+-
+- # redirect to view issues page if action doesn't have ext_* prefix.
+- # This should only occur if this page is called directly.
+- $t_external_action_prefix = 'EXT_';
+- if ( strpos( $f_action, $t_external_action_prefix ) !== 0 ) {
+- print_header_redirect( 'view_all_bug_page.php' );
+- }
+
+ $t_external_action = strtolower( substr( $f_action, strlen( $t_external_action_prefix ) ) );
+- $t_form_fields_page = 'bug_actiongroup_' . $t_external_action . '_inc.php';
++ $t_form_name = 'bug_actiongroup_' . $t_external_action;
++
++ bug_group_action_init( $t_external_action );
+
+ bug_group_action_print_top();
+ ?>
+@@ -53,7 +39,6 @@
+ <div align="center">
+ <form method="post" action="bug_actiongroup_ext.php">
+ <input type="hidden" name="action" value="<?php echo string_attribute( $t_external_action ) ?>" />
+- <input type="hidden" name="action" value="<?php echo string_attribute( $t_external_action ) ?>" />
+ <table class="width75" cellspacing="1">
+ <?php
+ bug_group_action_print_title( $t_external_action );
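Review bot: this hunk deletes the definitions of $f_action, $f_bug_arr and $t_external_action_prefix together with the auth_ensure_user_authenticated() call and the empty-selection redirect, yet the unchanged context line that follows still evaluates strtolower( substr( $f_action, strlen( $t_external_action_prefix ) ) ). Unless those variables are now set above line 25 of bug_actiongroup_ext_page.php (not visible in the debdiff), the page runs with undefined variables and, more importantly, without the authentication check; please confirm where that check moved, because bug_group_action_init() only validates the action name. Removing the duplicated hidden "action" input is correct. $t_form_name is again assigned but unused.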
+Index: mantis/bug_actiongroup_page.php
+===================================================================
+--- mantis.orig/bug_actiongroup_page.php 2011-09-07 22:57:53.613258990 +0200
++++ mantis/bug_actiongroup_page.php 2011-09-07 23:00:18.627936560 +0200
+@@ -41,6 +41,8 @@
+ # run through the issues to see if they are all from one project
+ $t_project_id = ALL_PROJECTS;
+ $t_multiple_projects = false;
++ $t_projects = array();
++
+ foreach( $f_bug_arr as $t_bug_id ) {
+ $t_bug = bug_get( $t_bug_id );
+ if ( $t_project_id != $t_bug->project_id ) {
+@@ -48,11 +50,13 @@
+ $t_multiple_projects = true;
+ } else {
+ $t_project_id = $t_bug->project_id;
++ $t_projects[$t_project_id] = $t_project_id;
+ }
+ }
+ }
+ if ( $t_multiple_projects ) {
+ $t_project_id = ALL_PROJECTS;
++ $t_projects[ALL_PROJECTS] = ALL_PROJECTS;
+ }
+ # override the project if necessary
+ if( $t_project_id != helper_get_current_project() ) {
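Review bot: $t_projects is populated in this hunk but nothing in the hunk consumes it; presumably it is meant to be handed to print_all_bug_action_option_list() / bug_group_action_get_commands(), which take an array of project ids. Note also that a project id is only recorded in the else branch, so in the multiple-projects case the array ends up holding the first project plus the ALL_PROJECTS sentinel, and bug_group_action_get_commands() treats ALL_PROJECTS as just another project id to pass to config_get() and access_has_project_level() rather than as "all accessible projects".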
+Index: mantis/core/bug_group_action_api.php
+===================================================================
+--- mantis.orig/core/bug_group_action_api.php 2011-09-07 23:00:18.615936333 +0200
++++ mantis/core/bug_group_action_api.php 2011-09-07 23:00:18.627936560 +0200
+@@ -22,6 +22,26 @@
+ # --------------------------------------------------------
+ ?>
+ <?php
++
++ /**
++ * Initialise bug action group api
++ */
++ function bug_group_action_init( $p_action ) {
++ $t_valid_actions = bug_group_action_get_commands( current_user_get_accessible_projects() );
++ $t_action = strtoupper( $p_action );
++
++ if ( !isset( $t_valid_actions[$t_action] ) && !isset ( $t_valid_actions['EXT_' . $t_action] ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ }
++
++ $t_include_file = config_get_global( 'absolute_path' ) . 'bug_actiongroup_' . $p_action . '_inc.php';
++ if ( !file_exists( $t_include_file ) ) {
++ trigger_error( ERROR_GENERIC, ERROR );
++ } else {
++ require_once( $t_include_file );
++ }
++ }
++
+ /**
+ * Print the top part for the bug action group page.
+ */
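Review bot: bug_group_action_init() relies on trigger_error( ERROR_GENERIC, ERROR ) never returning: if the error handler does not halt the request, execution continues to the file_exists() / require_once() with the unvalidated $p_action, and the whitelist check is precisely what makes the include name safe. Add an explicit return (or exit) after each trigger_error so the check does not depend on error-handler behaviour. Two smaller points: the whitelist is looked up with strtoupper( $p_action ) while the file name is built from the raw $p_action, so the same action in different case validates but maps to a different path on case-sensitive filesystems (harmless, but the include should use one canonical form); and current_user_get_accessible_projects() should be confirmed to exist in the 1.1.8 code base, since this is a backport of an upstream 1.2 commit. The new function also lacks a @param entry in its docblock.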
+@@ -103,7 +123,6 @@
+ * @param $p_action The custom action name without the "EXT_" prefix.
+ */
+ function bug_group_action_print_action_fields( $p_action ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
+ $t_function_name = 'action_' . $p_action . '_print_fields';
+ $t_function_name();
+ }
+@@ -115,7 +134,6 @@
+ * @param $p_action The custom action name without the "EXT_" prefix.
+ */
+ function bug_group_action_print_title( $p_action ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
+ $t_function_name = 'action_' . $p_action . '_print_title';
+ $t_function_name();
+ }
+@@ -131,7 +149,6 @@
+ * @returns array( bug_id => reason for failure to validate )
+ */
+ function bug_group_action_validate( $p_action, $p_bug_id ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
+ $t_function_name = 'action_' . $p_action . '_validate';
+ return $t_function_name( $p_bug_id );
+ }
+@@ -147,7 +164,6 @@
+ * @returns array( bug_id => reason for failure to process )
+ */
+ function bug_group_action_process( $p_action, $p_bug_id ) {
+- require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'bug_actiongroup_' . $p_action . '_inc.php' );
+ $t_function_name = 'action_' . $p_action . '_process';
+ return $t_function_name( $p_bug_id );
+ }
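Review bot: removing the require_once from bug_group_action_print_action_fields(), _print_title(), _validate() and _process() means each now assumes bug_group_action_init() was already called in the same request; the two callers in this patch (bug_actiongroup_ext.php and bug_actiongroup_ext_page.php) do call it first, but any other caller would now hit an undefined-function fatal error from the action_*_ callback instead of a loaded file. Document that precondition in these docblocks and, ideally, have init() remember the validated action so these functions can check it before calling the dynamically named function.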
diff -Nru mantis-1.1.8+dfsg/debian/patches/series mantis-1.1.8+dfsg/debian/patches/series
--- mantis-1.1.8+dfsg/debian/patches/series 2010-10-28 15:13:46.000000000 +0200
+++ mantis-1.1.8+dfsg/debian/patches/series 2011-09-08 01:52:21.000000000 +0200
@@ -8,3 +8,5 @@
08-CVE-2010-2574.diff
09-CVE-2010-3303-04-and-05.diff
10-CVE-2010-3763.diff
+11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff
+12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff