Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Damien Regad <damien.regad-5ypYqlS8vzm41k5uCYKmRQ <at> public.gmane.org>
Subject: CVE request: MantisBT text search query can crash site
Newsgroups: gmane.comp.security.oss.general
Date: Thursday 21st March 2013 10:29:39 UTC (over 3 years ago)
Dear all,

MantisBT user 'jjtest' discovered an issue [1] affecting MantisBT versions
1.2.12 to 1.2.14 included.

Anybody having access to a MantisBT instance (including anonymous users on
web-facing applications) may issue a search query on the View Issues page;
if a
filter combining some criteria and a text search with 'any condition' is
applied, the generated SQL will results in a potentially huge cartesian
product
which, depending on the size of the underlying database, has the potential
to
bring down the site/db server as it runs out of resources.

The root cause of this behavior is joining a table with a from clause and
setting the join's criteria in the query's where clause, without taking
consideration the operator's precedence (AND/OR).

Full details about this issue can be found in our bugtracker [1].

A patch for this issue is available [2] in the project's repository on
Github,
and will be included in MantisBT version 1.2.15, which we expect to release
in a
couple of weeks once testing is completed.

References:
[1] http://www.mantisbt.org/bugs/view.php?id=15573
[2] https://github.com/mantisbt/mantisbt/commit/d16988c3ca232a7

Kindly assign a CVE ID for this issue.

Damien Regad
MantisBT developer
mailto:mantisbt-dev-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
http://www.mantisbt.org/bugs/
 
CD: 4ms