Wednesday, 2010-08-04

*** Joins: davidinc (d5374b7b@gateway/web/freenode/ip.213.55.75.123)		01:22
*** Joins: rolfkleef (~rolf@urtica.xs4all.nl)		01:45
*** Quits: davidinc (d5374b7b@gateway/web/freenode/ip.213.55.75.123) (Ping timeout: 252 seconds)		02:12
*** Joins: davidinc (d5374b7b@gateway/web/freenode/ip.213.55.75.123)		02:19
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 245 seconds)		02:19
*** Joins: Cupertino (~Cupez@unaffiliated/cupertino)		02:23
*** Quits: rolfkleef (~rolf@urtica.xs4all.nl) (Ping timeout: 276 seconds)		02:25
*** Joins: kirillka (~Miranda@global-n01.vester.ru)		02:29
*** Quits: davidinc (d5374b7b@gateway/web/freenode/ip.213.55.75.123) (Ping timeout: 252 seconds)		02:38
*** Joins: Cupez (~Cupez@unaffiliated/cupertino)		02:52
*** Joins: giallu (~giallu@fedora/giallu)		03:13
*** Joins: rolfkleef (~rolf@82-204-82-162.fttx.bbeyond.nl)		03:38
*** Joins: fanno (~Morten@90.184.93.233)		04:23
*** Joins: Rixie (~Rixie@0x4dd7390e.adsl.cybercity.dk)		04:50
*** Quits: Ragnor (~Ragnor@dslb-188-100-043-079.pools.arcor-ip.net) (Quit: leaving)		04:56
*** Joins: Ragnor (~Ragnor@dslb-188-100-035-111.pools.arcor-ip.net)		05:08
*** Quits: skayser (~ska@vserver01.sebastiankayser.de) (.net .split)		05:28
*** Quits: kirillka (~Miranda@global-n01.vester.ru) (Quit: kirillka)		05:30
*** Joins: skayser (~ska@vserver01.sebastiankayser.de)		05:33
*** Quits: Cupertino (~Cupez@unaffiliated/cupertino) (Quit: I give up...)		05:46
*** Joins: Cupertino (~Cupez@unaffiliated/cupertino)		05:48
*** Joins: kirillka (~Miranda@global-n01.vester.ru)		06:09
*** Joins: Yisas (d509d306@gateway/web/freenode/ip.213.9.211.6)		06:20
Yisas	Hello	06:20
Yisas	I just started using mantis, and i am facing some problems with the Active Directory connection	06:21
Yisas	I have follow the instructions but it is not working	06:21
Yisas	as I dont get any error message... where does mantis generate the log files related with the authentication?	06:23
Yisas	I just add the following line in confing_inc.php	06:23
Yisas	$g_log_level = LOG_EMAIL \| LOG_EMAIL_RECIPIENT \| LOG_FILTERING \| LOG_AJAX;	06:23
Yisas	and $g_log_destination = 'file:c:/Mantis/logs/mantis.log';	06:24
Yisas	but they dont trace anything related with authentication	06:24
Yisas	any idea? please help	06:24
kirillka	$g_log_level = LOG_EMAIL \| LOG_EMAIL_RECIPIENT \| LOG_FILTERING \| LOG_AJAX \| LOG_LDAP;	06:27
Yisas	but	06:31
Yisas	LOG_LDAP does not apear in constant_inc.php. Is it valid?	06:31
Yisas	I apply the changes but I dont get any trace in the log file	06:37
Yisas	I get this error 1400 ERROR_LDAP_AUTH_FAILED'	06:37
Yisas	any idea? do you know any good guide that explein how to connect Active Directory and Mantis?	06:38
kirillka	Yisas: what mantisbt version?	06:39
kirillka	Yisas: did you read http://www.mantisbt.org/wiki/doku.php/mantisbt:active_directory ?	06:41
Yisas	yes i did	07:23
Yisas	I am stuck with the APPLICATION ERROR #1400	07:23
Yisas	how could I get more information about the error?	07:23
Yisas		07:25
nuclear_eclipse	Yisas: afaik we don't log anything regarding authentication, so you'll either need to investigate the code, or check your Active Directory server log to see if it has any logs of the error	07:29
nuclear_eclipse	giallu: since when is it a security vulnerability if it requires a trusted user to do something malicious? :P	07:31
*** Joins: davidinc (d5374b7b@gateway/web/freenode/ip.213.55.75.123)		07:56
davidinc	mkdir -p build/administration_guide/images cp images/* build/administration_guide/images/ cp: cannot stat `images/*': No such file or directory make: [build/administration_guide/administration_guide.html] Error 1 (ignored) cp ../../template/stylesheet.css build/administration_guide/	07:56
davidinc	hi	07:57
Yisas	I am stuck. Has Mantis a debug mode? or is it possible to print trace messages?	07:57
nuclear_eclipse	davidinc: yeah, just ignore that, it's part of the build template we used	07:57
nuclear_eclipse	Yisas: the closest to a debug mode is turning on $g_show_detailed_errors	07:58
Yisas	thanks nucle_ecliepse, now I have more info to work on	08:00
dhx_z	nuclear_eclipse: hey	08:07
nuclear_eclipse	hi dhx_z	08:07
*** dhx_z is now known as dhx_m		08:18
dhx_m	a new bug in the admin console I see	08:19
dhx_m	nothing too interesting from the looks of things	08:19
dhx_m	I know of a number of bugs in there relating to custom fields	08:19
dhx_m	but they're very minor risk as you usually a) need a valid CSRF token, b) need to be an administrator	08:19
nuclear_eclipse	dhx_m: did you see my string of emails?	08:20
dhx_m	nuclear_eclipse: yep	08:20
nuclear_eclipse	k	08:20
dhx_m	FYI I'll spend some time in the next few days fully stripping MantisBT of JavaScript	08:21
nuclear_eclipse	yet another example of why I hate web development :P	08:21
dhx_m	so that we can use X-Content-Security :)	08:21
dhx_m	I already did most of it	08:21
nuclear_eclipse	dhx_m: that's still not a full solution though	08:21
dhx_m	no, but it's nice :)	08:21
nuclear_eclipse	we can't just rely on features of tomorrow's browsers and call it a day :P	08:22
dhx_m	Firefox 4 will be out later this year	08:22
dhx_m	that's true	08:22
dhx_m	it's just another safety layer really	08:22
nuclear_eclipse	anywho, I gotta get to work, bbiax	08:23
nuclear_eclipse	bbiab*	08:23
dhx_m	ok cya	08:23
*** Quits: fanno (~Morten@90.184.93.233) (Read error: Connection reset by peer)		08:44
dhx_m	@giallu: MantisBT 1.1.8 is not safe to use, it has 20+ unpatched XSS vulnerabilities, lacks support for security features such as the HttpOnly cookie flag, lacks CSRF protection on every form, lacks clickjacking protection, etc	08:48
foobot	dhx_m: Error: "giallu:" is not a valid command.	08:48
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 246 seconds)		08:52
*** Joins: alexsander (~alexsande@201.86.205.4.dynamic.adsl.gvt.net.br)		08:54
nuclear_eclipse	dhx_m: sounds like you need to get busy :P	08:59
dhx_m	nuclear_eclipse: unable to reproduce here... have you managed to get anything?	08:59
dhx_m	I'm emailing for more information	08:59
dhx_m	sounds to me like they might have just run a vulnerability scanner which has returned a false positve?	09:00
nuclear_eclipse	I can replicate it on my server with 1.2.2	09:00
nuclear_eclipse	well, I can replicate something :P	09:00
dhx_m	nuclear_eclipse: PM me a link please :)	09:00
nuclear_eclipse	dhx_m: that's the problem	09:01
nuclear_eclipse	the XSS only happens when you try to delete a category	09:01
dhx_m	aha	09:01
dhx_m	which needs a CSRF token	09:01
nuclear_eclipse	ie, create a category named "<script>alert("foo")</script>" and then try to delete it	09:01
dhx_m	and unless you've worked out how to crack 168bit hashes (generated using /dev/urandom + Whirlpool hashed with a secret nonce) in the case of 1.3.x, good luck :)	09:02
nuclear_eclipse	yes, but it's still technically an XSS attack, if you have a malicious manager, he creates some funky category, and you go behind him to try and delete it, you unwittingly become the victim	09:02
dhx_m	it might even be higher than 168bit for those tokens heh	09:02
dhx_m	192 I think	09:02
nuclear_eclipse	CSRF doesn't matter in this case	09:02
dhx_m	hmm true	09:02
dhx_m	ok confirmed	09:03
dhx_m	will fix	09:03
dhx_m	their information was lacking	09:03
nuclear_eclipse	the same thing could happen with maliciously-named plugins if you try to uninstall it, because in both cases we send raw strings to helper_ensure_confirmed()	09:03
nuclear_eclipse	dhx_m: that's why I said I found "something"	09:03
nuclear_eclipse	my worry is that what I found isn't the actual vulnerability in question, just because they are so freakin vague about it	09:04
dhx_m	my guess is they fuzzed MantisBT with a web app scanner	09:04
dhx_m	which creates bogus categories then it follows links later to delete said categories	09:05
dhx_m	I know what you mean	09:05
*** Joins: giallu (~giallu@fedora/giallu)		09:05
nuclear_eclipse	esp because I only found this problem by searching code	09:05
nuclear_eclipse	hi giallu	09:06
nuclear_eclipse	giallu: you got a moment?	09:06
giallu	nuclear_eclipse, hi	09:11
giallu	I git bisected the issue :)	09:12
dhx_m	giallu: hi, did you get my comment a few minutes ago? :)	09:12
nuclear_eclipse	giallu: http://mantisforge.org/irclogs/%23mantishelp.2010-08-04.log.html	09:13
nuclear_eclipse	that's IRC logs from the start of this convo	09:14
giallu	dhx_m, not sure, I've got an IRC disconnect	09:14
dhx_m	giallu: MantisBT 1.1.8 is not safe to use, it has 20+ unpatched XSS vulnerabilities, lacks support for security features such as the HttpOnly cookie flag, lacks CSRF protection on every form, lacks clickjacking protection, etc	09:14
dhx_m	that was my comment ;)	09:14
giallu	eh	09:15
giallu	anyway	09:15
giallu	the vuln was added by paulr :)	09:16
giallu	in 6b9680	09:16
dhx_m	I noticed you were asking about backporting and whether 1.1.8 was affected	09:16
nuclear_eclipse	I just created two issue in our tracker	09:16
dhx_m	thanks, I was just doing that too :p	09:17
nuclear_eclipse	somehow I'm not surprised...	09:17
giallu	:D	09:17
nuclear_eclipse	dhx_m: issue 12230 and 12231	09:17
dhx_m	already have patches :)	09:17
nuclear_eclipse	yep, just wanted to make sure they had appropriate reports to go with them	09:17
nuclear_eclipse	please be sure to mention the report #s in the commit messages	09:18
dhx_m	yep thanks, was just writing some issue reports myself heh	09:18
nuclear_eclipse	ok	09:18
*** Quits: mantisbt_04241 (c2d05861@gateway/web/freenode/ip.194.208.88.97) (Quit: Page closed)		09:19
CIA-25	Mantisbt: hickseydr * r2e3977000625 /manage_plugin_uninstall.php: Fix #12231: XSS vulnerability when uninstalling badly named plugins	09:29
CIA-25	Mantisbt: hickseydr * r083c34f06ca9 /manage_proj_cat_delete.php: Fix #12230: XSS vulnerability when deleting maliciously named categories	09:29
CIA-25	Mantisbt: hickseydr master-1.2.x * ra374a7c9a488 /manage_proj_cat_delete.php: Fix #12230: XSS vulnerability when deleting maliciously named categories	09:29
CIA-25	Mantisbt: hickseydr master-1.2.x * rf60d0cfbed15 /manage_plugin_uninstall.php: Fix #12231: XSS vulnerability when uninstalling badly named plugins	09:29
nuclear_eclipse	ty dhx_m	09:30
dhx_m	np	09:37
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 258 seconds)		09:52
*** Joins: giallu (~giallu@fedora/giallu)		09:58
giallu	my connection is on crack today :(	10:00
nuclear_eclipse	sounds exciting	10:00
*** Quits: kirillka (~Miranda@global-n01.vester.ru) (Quit: kirillka)		10:07
CIA-25	Mantisbt: hickseydr * r7ab71d0105e6 /core/cfdefs/cfdef_standard.php: Fix #12232: Multiple XSS issues with custom field enumeration values	10:07
CIA-25	Mantisbt: hickseydr master-1.2.x * r243ff6f65b76 /core/cfdefs/cfdef_standard.php: Fix #12232: Multiple XSS issues with custom field enumeration values	10:07
*** Joins: mantisbt_45415 (3cbad8df@gateway/web/freenode/ip.60.186.216.223)		10:32
*** Quits: mantisbt_45415 (3cbad8df@gateway/web/freenode/ip.60.186.216.223) (Client Quit)		10:33
davidinc	The error doesn't affect the process docbook works tnx nuclear_eclipse:	10:57
davidinc	I'm having problem on the ManTweet plugin who can I ask support. I don't see vboctor on the chat	10:59
davidinc	I think he is the author of the plugin.	10:59
*** Quits: Rixie (~Rixie@0x4dd7390e.adsl.cybercity.dk) (Read error: Connection reset by peer)		11:00
nuclear_eclipse	davidinc: yeah, he rarely ever shows up these days	11:00
*** Joins: Rixie (~Rixie@0x4dd7390e.adsl.cybercity.dk)		11:01
*** Quits: Cupertino (~Cupez@unaffiliated/cupertino) (Quit: I give up...)		11:01
*** Quits: davidinc (d5374b7b@gateway/web/freenode/ip.213.55.75.123) (Ping timeout: 252 seconds)		11:04
*** Parts: Rixie (~Rixie@0x4dd7390e.adsl.cybercity.dk)		11:18
*** Quits: rolfkleef (~rolf@82-204-82-162.fttx.bbeyond.nl) (Ping timeout: 258 seconds)		11:40
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 245 seconds)		12:15
*** Joins: fanno (~b3g@193.3.95.240)		12:29
*** Joins: Github (~Github@sh1-ext.rs.github.com)		12:30
Github	mantisbt: master David Hicks * 083c34f (1 files in 1 dirs): Fix #12230: XSS vulnerability when deleting maliciously named categories ...	12:30
Github	mantisbt: master David Hicks * 2e39770 (1 files in 1 dirs): Fix #12231: XSS vulnerability when uninstalling badly named plugins ...	12:30
Github	mantisbt: master David Hicks * 7ab71d0 (1 files in 1 dirs): Fix #12232: Multiple XSS issues with custom field enumeration values ...	12:30
Github	mantisbt: master commits bc80ecd...7ab71d0 - http://bit.ly/ca6kAX	12:30
*** Parts: Github (~Github@sh1-ext.rs.github.com)		12:30
*** Joins: Github (~Github@sh1-ext.rs.github.com)		12:30
Github	mantisbt: master-1.2.x David Hicks * a374a7c (1 files in 1 dirs): Fix #12230: XSS vulnerability when deleting maliciously named categories ...	12:30
Github	mantisbt: master-1.2.x David Hicks * f60d0cf (1 files in 1 dirs): Fix #12231: XSS vulnerability when uninstalling badly named plugins ...	12:30
Github	mantisbt: master-1.2.x David Hicks * 243ff6f (1 files in 1 dirs): Fix #12232: Multiple XSS issues with custom field enumeration values ...	12:30
Github	mantisbt: master-1.2.x commits 49070ba...243ff6f - http://bit.ly/9MBIhz	12:30
*** Parts: Github (~Github@sh1-ext.rs.github.com)		12:30
*** Joins: moto-moi (~hylke@cara.xs4all.nl)		12:31
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 240 seconds)		13:19
*** Quits: Cupez (~Cupez@unaffiliated/cupertino) (Quit: I give up...)		14:12
*** Joins: micahg (~micah@ubuntu/member/micahg)		14:30
*** Joins: Cupertino (~Cupez@unaffiliated/cupertino)		14:42
*** Quits: micahg (~micah@ubuntu/member/micahg) (Read error: Connection reset by peer)		15:51
*** Joins: micahg (~micah@ubuntu/member/micahg)		15:52
*** Joins: giallu (~giallu@fedora/giallu)		16:31
*** Joins: julien__ (~julien@53555CF2.cable.casema.nl)		16:33
julien__	hi everybody	16:34
julien__	I try to install mantis on a hosting service but I don't have admin access to the database	16:34
julien__	is there a definition of the database in a sql file ?	16:34
*** Quits: fanno (~b3g@193.3.95.240) (Quit: Leaving.)		16:39
*** Quits: julien__ (~julien@53555CF2.cable.casema.nl) (Quit: leaving)		16:48
*** Quits: Cupertino (~Cupez@unaffiliated/cupertino) (Quit: I give up...)		16:48
*** Quits: alexsander (~alexsande@201.86.205.4.dynamic.adsl.gvt.net.br) (Quit: Saindo)		16:58
*** Quits: moto-moi (~hylke@cara.xs4all.nl) (Quit: Ex-Chat)		17:17
*** Joins: fanno (~Morten@90.184.93.233)		17:24
*** Joins: siebrand_alt (~beis@sm.xs4all.nl)		19:24
*** Quits: siebrand (~beis@sm.xs4all.nl) (Ping timeout: 240 seconds)		19:25
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 265 seconds)		19:29
*** Joins: paulr (~paul@cpc1-enfi9-0-0-cust389.hari.cable.virginmedia.com)		19:34
paulr	dhx_m	19:34
* paulr pokes dhx_m		19:38
* paulr wants to talk to dhx_m about 3 of his last 4 fixes		19:39
paulr	dhx_m: if your here in 10 hours, i'll catch you then :)	19:57
*** Quits: scribe9343423 (~scribe934@static.96.23.63.178.clients.your-server.de) (Remote host closed the connection)		20:00
*** Joins: scribe9343423 (~scribe934@static.96.23.63.178.clients.your-server.de)		20:00
*** Quits: paulr (~paul@cpc1-enfi9-0-0-cust389.hari.cable.virginmedia.com) ()		20:01
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 265 seconds)		20:47
*** Joins: micahg (~micah@ubuntu/member/micahg)		22:08
*** Quits: fanno (~Morten@90.184.93.233) (Read error: Connection reset by peer)		22:25

Generated by irclog2html.py 2.9.2 by Marius Gedminas - find it at mg.pov.lt!