| ../irclogs/#mantishelp.2010-08-04.log | ||
| --- scribe started --- | 00:00 | |
| Yisas | Hello | 10:20 |
|---|---|---|
| Yisas | I just started using mantis, and i am facing some problems with the Active Directory connection | 10:21 |
| Yisas | I have follow the instructions but it is not working | 10:21 |
| Yisas | as I dont get any error message... where does mantis generate the log files related with the authentication? | 10:23 |
| Yisas | I just add the following line in confing_inc.php | 10:23 |
| Yisas | $g_log_level = LOG_EMAIL | LOG_EMAIL_RECIPIENT | LOG_FILTERING | LOG_AJAX; | 10:23 |
| Yisas | and $g_log_destination = 'file:c:/Mantis/logs/mantis.log'; | 10:24 |
| Yisas | but they dont trace anything related with authentication | 10:24 |
| Yisas | any idea? please help | 10:24 |
| kirillka | $g_log_level = LOG_EMAIL | LOG_EMAIL_RECIPIENT | LOG_FILTERING | LOG_AJAX | LOG_LDAP; | 10:27 |
| Yisas | but | 10:31 |
| Yisas | LOG_LDAP does not apear in constant_inc.php. Is it valid? | 10:31 |
| Yisas | I apply the changes but I dont get any trace in the log file | 10:37 |
| Yisas | I get this error 1400 ERROR_LDAP_AUTH_FAILED' | 10:37 |
| Yisas | any idea? do you know any good guide that explein how to connect Active Directory and Mantis? | 10:38 |
| kirillka | Yisas: what mantisbt version? | 10:39 |
| kirillka | Yisas: did you read http://www.mantisbt.org/wiki/doku.php/mantisbt:active_directory ? | 10:41 |
| Yisas | yes i did | 11:23 |
| Yisas | I am stuck with the APPLICATION ERROR #1400 | 11:23 |
| Yisas | how could I get more information about the error? | 11:23 |
| Yisas | 11:25 | |
| nuclear_eclipse | Yisas: afaik we don't log anything regarding authentication, so you'll either need to investigate the code, or check your Active Directory server log to see if it has any logs of the error | 11:29 |
| nuclear_eclipse | giallu: since when is it a security vulnerability if it requires a trusted user to do something malicious? :P | 11:31 |
| davidinc | mkdir -p build/administration_guide/images cp images/* build/administration_guide/images/ cp: cannot stat `images/*': No such file or directory make: [build/administration_guide/administration_guide.html] Error 1 (ignored) cp ../../template/stylesheet.css build/administration_guide/ | 11:56 |
| davidinc | hi | 11:57 |
| Yisas | I am stuck. Has Mantis a debug mode? or is it possible to print trace messages? | 11:57 |
| nuclear_eclipse | davidinc: yeah, just ignore that, it's part of the build template we used | 11:57 |
| nuclear_eclipse | Yisas: the closest to a debug mode is turning on $g_show_detailed_errors | 11:58 |
| Yisas | thanks nucle_ecliepse, now I have more info to work on | 12:00 |
| dhx_z | nuclear_eclipse: hey | 12:07 |
| nuclear_eclipse | hi dhx_z | 12:07 |
| dhx_m | a new bug in the admin console I see | 12:19 |
| dhx_m | nothing too interesting from the looks of things | 12:19 |
| dhx_m | I know of a number of bugs in there relating to custom fields | 12:19 |
| dhx_m | but they're very minor risk as you usually a) need a valid CSRF token, b) need to be an administrator | 12:19 |
| nuclear_eclipse | dhx_m: did you see my string of emails? | 12:20 |
| dhx_m | nuclear_eclipse: yep | 12:20 |
| nuclear_eclipse | k | 12:20 |
| dhx_m | FYI I'll spend some time in the next few days fully stripping MantisBT of JavaScript | 12:21 |
| nuclear_eclipse | yet another example of why I hate web development :P | 12:21 |
| dhx_m | so that we can use X-Content-Security :) | 12:21 |
| dhx_m | I already did most of it | 12:21 |
| nuclear_eclipse | dhx_m: that's still not a full solution though | 12:21 |
| dhx_m | no, but it's nice :) | 12:21 |
| nuclear_eclipse | we can't just rely on features of tomorrow's browsers and call it a day :P | 12:22 |
| dhx_m | Firefox 4 will be out later this year | 12:22 |
| dhx_m | that's true | 12:22 |
| dhx_m | it's just another safety layer really | 12:22 |
| nuclear_eclipse | anywho, I gotta get to work, bbiax | 12:23 |
| nuclear_eclipse | bbiab* | 12:23 |
| dhx_m | ok cya | 12:23 |
| dhx_m | @giallu: MantisBT 1.1.8 is not safe to use, it has 20+ unpatched XSS vulnerabilities, lacks support for security features such as the HttpOnly cookie flag, lacks CSRF protection on every form, lacks clickjacking protection, etc | 12:48 |
| foobot | dhx_m: Error: "giallu:" is not a valid command. | 12:48 |
| nuclear_eclipse | dhx_m: sounds like you need to get busy :P | 12:59 |
| dhx_m | nuclear_eclipse: unable to reproduce here... have you managed to get anything? | 12:59 |
| dhx_m | I'm emailing for more information | 12:59 |
| dhx_m | sounds to me like they might have just run a vulnerability scanner which has returned a false positve? | 13:00 |
| nuclear_eclipse | I can replicate it on my server with 1.2.2 | 13:00 |
| nuclear_eclipse | well, I can replicate *something* :P | 13:00 |
| dhx_m | nuclear_eclipse: PM me a link please :) | 13:00 |
| nuclear_eclipse | dhx_m: that's the problem | 13:01 |
| nuclear_eclipse | the XSS only happens when you try to delete a category | 13:01 |
| dhx_m | aha | 13:01 |
| dhx_m | which needs a CSRF token | 13:01 |
| nuclear_eclipse | ie, create a category named "<script>alert("foo")</script>" and then try to delete it | 13:01 |
| dhx_m | and unless you've worked out how to crack 168bit hashes (generated using /dev/urandom + Whirlpool hashed with a secret nonce) in the case of 1.3.x, good luck :) | 13:02 |
| nuclear_eclipse | yes, but it's still technically an XSS attack, if you have a malicious manager, he creates some funky category, and you go behind him to try and delete it, you unwittingly become the victim | 13:02 |
| dhx_m | it might even be higher than 168bit for those tokens heh | 13:02 |
| dhx_m | 192 I think | 13:02 |
| nuclear_eclipse | CSRF doesn't matter in this case | 13:02 |
| dhx_m | hmm true | 13:02 |
| dhx_m | ok confirmed | 13:03 |
| dhx_m | will fix | 13:03 |
| dhx_m | their information was lacking | 13:03 |
| nuclear_eclipse | the same thing could happen with maliciously-named plugins if you try to uninstall it, because in both cases we send raw strings to helper_ensure_confirmed() | 13:03 |
| nuclear_eclipse | dhx_m: that's why I said I found "something" | 13:03 |
| nuclear_eclipse | my worry is that what I found isn't the actual vulnerability in question, just because they are so freakin vague about it | 13:04 |
| dhx_m | my guess is they fuzzed MantisBT with a web app scanner | 13:04 |
| dhx_m | which creates bogus categories then it follows links later to delete said categories | 13:05 |
| dhx_m | I know what you mean | 13:05 |
| nuclear_eclipse | esp because I only found this problem by searching code | 13:05 |
| nuclear_eclipse | hi giallu | 13:06 |
| nuclear_eclipse | giallu: you got a moment? | 13:06 |
| giallu | nuclear_eclipse, hi | 13:11 |
| giallu | I git bisected the issue :) | 13:12 |
| dhx_m | giallu: hi, did you get my comment a few minutes ago? :) | 13:12 |
| nuclear_eclipse | giallu: http://mantisforge.org/irclogs/%23mantishelp.2010-08-04.log.html | 13:13 |
| nuclear_eclipse | that's IRC logs from the start of this convo | 13:14 |
| giallu | dhx_m, not sure, I've got an IRC disconnect | 13:14 |
| dhx_m | giallu: MantisBT 1.1.8 is not safe to use, it has 20+ unpatched XSS vulnerabilities, lacks support for security features such as the HttpOnly cookie flag, lacks CSRF protection on every form, lacks clickjacking protection, etc | 13:14 |
| dhx_m | that was my comment ;) | 13:14 |
| giallu | eh | 13:15 |
| giallu | anyway | 13:15 |
| giallu | the vuln was added by paulr :) | 13:16 |
| giallu | in 6b9680 | 13:16 |
| dhx_m | I noticed you were asking about backporting and whether 1.1.8 was affected | 13:16 |
| nuclear_eclipse | I just created two issue in our tracker | 13:16 |
| dhx_m | thanks, I was just doing that too :p | 13:17 |
| nuclear_eclipse | somehow I'm not surprised... | 13:17 |
| giallu | :D | 13:17 |
| nuclear_eclipse | dhx_m: issue 12230 and 12231 | 13:17 |
| dhx_m | already have patches :) | 13:17 |
| nuclear_eclipse | yep, just wanted to make sure they had appropriate reports to go with them | 13:17 |
| nuclear_eclipse | please be sure to mention the report #s in the commit messages | 13:18 |
| dhx_m | yep thanks, was just writing some issue reports myself heh | 13:18 |
| nuclear_eclipse | ok | 13:18 |
| CIA-25 | Mantisbt: hickseydr * r2e3977000625 /manage_plugin_uninstall.php: Fix #12231: XSS vulnerability when uninstalling badly named plugins | 13:29 |
| CIA-25 | Mantisbt: hickseydr * r083c34f06ca9 /manage_proj_cat_delete.php: Fix #12230: XSS vulnerability when deleting maliciously named categories | 13:29 |
| CIA-25 | Mantisbt: hickseydr master-1.2.x * ra374a7c9a488 /manage_proj_cat_delete.php: Fix #12230: XSS vulnerability when deleting maliciously named categories | 13:29 |
| CIA-25 | Mantisbt: hickseydr master-1.2.x * rf60d0cfbed15 /manage_plugin_uninstall.php: Fix #12231: XSS vulnerability when uninstalling badly named plugins | 13:29 |
| nuclear_eclipse | ty dhx_m | 13:30 |
| dhx_m | np | 13:37 |
| giallu | my connection is on crack today :( | 14:00 |
| nuclear_eclipse | sounds exciting | 14:00 |
| CIA-25 | Mantisbt: hickseydr * r7ab71d0105e6 /core/cfdefs/cfdef_standard.php: Fix #12232: Multiple XSS issues with custom field enumeration values | 14:07 |
| CIA-25 | Mantisbt: hickseydr master-1.2.x * r243ff6f65b76 /core/cfdefs/cfdef_standard.php: Fix #12232: Multiple XSS issues with custom field enumeration values | 14:07 |
| davidinc | The error doesn't affect the process docbook works tnx nuclear_eclipse: | 14:57 |
| davidinc | I'm having problem on the ManTweet plugin who can I ask support. I don't see vboctor on the chat | 14:59 |
| davidinc | I think he is the author of the plugin. | 14:59 |
| nuclear_eclipse | davidinc: yeah, he rarely ever shows up these days | 15:00 |
| Github | mantisbt: master David Hicks * 083c34f (1 files in 1 dirs): Fix #12230: XSS vulnerability when deleting maliciously named categories ... | 16:30 |
| Github | mantisbt: master David Hicks * 2e39770 (1 files in 1 dirs): Fix #12231: XSS vulnerability when uninstalling badly named plugins ... | 16:30 |
| Github | mantisbt: master David Hicks * 7ab71d0 (1 files in 1 dirs): Fix #12232: Multiple XSS issues with custom field enumeration values ... | 16:30 |
| Github | mantisbt: master commits bc80ecd...7ab71d0 - http://bit.ly/ca6kAX | 16:30 |
| Github | mantisbt: master-1.2.x David Hicks * a374a7c (1 files in 1 dirs): Fix #12230: XSS vulnerability when deleting maliciously named categories ... | 16:30 |
| Github | mantisbt: master-1.2.x David Hicks * f60d0cf (1 files in 1 dirs): Fix #12231: XSS vulnerability when uninstalling badly named plugins ... | 16:30 |
| Github | mantisbt: master-1.2.x David Hicks * 243ff6f (1 files in 1 dirs): Fix #12232: Multiple XSS issues with custom field enumeration values ... | 16:30 |
| Github | mantisbt: master-1.2.x commits 49070ba...243ff6f - http://bit.ly/9MBIhz | 16:30 |
| julien__ | hi everybody | 20:34 |
| julien__ | I try to install mantis on a hosting service but I don't have admin access to the database | 20:34 |
| julien__ | is there a definition of the database in a sql file ? | 20:34 |
| paulr | dhx_m | 23:34 |
| * paulr pokes dhx_m | 23:38 | |
| * paulr wants to talk to dhx_m about 3 of his last 4 fixes | 23:39 | |
| paulr | dhx_m: if your here in 10 hours, i'll catch you then :) | 23:57 |
Generated by irclog2html.py