mailing list archives
CVE request: MantisBT text search query can crash site
From: Damien Regad <damien.regad () merckgroup com>
Date: Thu, 21 Mar 2013 10:29:39 +0000 (UTC)
MantisBT user 'jjtest' discovered an issue  affecting MantisBT versions
1.2.12 to 1.2.14 included.
Anybody having access to a MantisBT instance (including anonymous users on
web-facing applications) may issue a search query on the View Issues page; if a
filter combining some criteria and a text search with 'any condition' is
applied, the generated SQL will results in a potentially huge cartesian product
which, depending on the size of the underlying database, has the potential to
bring down the site/db server as it runs out of resources.
The root cause of this behavior is joining a table with a from clause and
setting the join's criteria in the query's where clause, without taking
consideration the operator's precedence (AND/OR).
Full details about this issue can be found in our bugtracker .
A patch for this issue is available  in the project's repository on Github,
and will be included in MantisBT version 1.2.15, which we expect to release in a
couple of weeks once testing is completed.
Kindly assign a CVE ID for this issue.
mailto:mantisbt-dev () lists sourceforge net
- CVE request: MantisBT text search query can crash site Damien Regad (Mar 21)