Greetings
Matthew Daley reported a null byte poisoning issue with LDAP
authentication affecting MantisBT <= 1.2.17.
A malicious user can exploit this vulnerability to log in as any
registered user, without knowing their password, on systems relying
on LDAP for user authentication (e.g. Active Directory or OpenLDAP with
"allow bind_anon_cred").
Patches are available in [1]; full details on the original issue report
can be found at [2]. Can you please assign a CVE ID to this issue?
Thank you
D. Regad
MantisBT Developer
http://mantisbt.org/
[1] http://github.com/mantisbt/mantisbt/commit/fc02c46ee (master branch)
http://github.com/mantisbt/mantisbt/commit/215968fa8 (1.2.x branch)
[2] http://www.mantisbt.org/bugs/view.php?id=17640
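Added example, not MantisBT's code or the fix in the commits above: a small model of why a NUL byte in a submitted password turns an LDAP simple bind into an anonymous bind (the client's C string API stops at the NUL, the server sees an empty password and, where unauthenticated binds are allowed, grants anonymous access), beside the input check and result check that close the hole. The directory contents and DN are constructed.

```python
# Added example (not MantisBT's code): models NUL-byte truncation of a bind
# password and the input/result checks a hardened authenticator needs.

# Constructed directory: user DN -> correct password.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": "correct horse battery",
}


def simulated_ldap_bind(dn: str, password: str, allow_anon: bool = True) -> str:
    """Model of an LDAP simple bind issued through a C string API.

    Returns "anonymous" for an unauthenticated bind, "authenticated" for a
    correct password, and raises ValueError on invalid credentials.
    """
    # A C-style API reads the password only up to the first NUL byte.
    password = password.split("\x00", 1)[0]
    if password == "":
        # RFC 4513 section 5.1.2: a non-empty DN with a zero-length password is
        # an unauthenticated bind; servers that allow it answer with success
        # and an anonymous authorization state, whatever DN was named.
        if allow_anon:
            return "anonymous"
        raise ValueError("unauthenticated bind refused")
    if DIRECTORY.get(dn) == password:
        return "authenticated"
    raise ValueError("invalid credentials")


def vulnerable_authenticate(dn: str, password: str) -> bool:
    """Treats any bind that did not raise as a successful login."""
    try:
        simulated_ldap_bind(dn, password)
        return True
    except ValueError:
        return False


def hardened_authenticate(dn: str, password: str) -> bool:
    """Rejects empty passwords and NUL bytes before binding, and accepts only
    a bind that actually authenticated the named DN."""
    if password == "" or "\x00" in password:
        return False
    try:
        return simulated_ldap_bind(dn, password) == "authenticated"
    except ValueError:
        return False
```

Disabling anonymous binds on the server removes the bypass too, but the client-side check is what keeps the web application safe on directories that must keep "allow bind_anon_cred" for other reasons.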