View Issue Details

ID: 0034640
Project: mantisbt
Category: security
View Status: public
Last Update: 2024-10-17 08:16
Reporter: c_schmitz
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.26.3
Target Version: 2.26.4
Fixed in Version: 2.26.4
Summary: 0034640: CVE-2024-45792: Insecure Direct Object References vulnerability with user profiles
Description

In Mantis, users can create accounts and, across many functionalities, define profiles. When attempting to update a profile entry, we discovered that the ‘profile_id’ parameter could be manipulated to switch to a different post. This resulted in a limited, informational-only IDOR, allowing users to enumerate other users' titles, without the ability to take any actions on the object.

To demonstrate this, we created two accounts and confirmed that user B could view the content created by user A. Additionally, we took screenshots of different user profiles for reference.

Steps To Reproduce

See attached PDF for a more detailed description. Please note that the PDF is not for public release.

Tags: No tags attached.

Relationships

related to 0034824 (resolved, dregad): Multiple execution of the same query with Profile API functions
related to 0034826 (closed, atrol): Error when clearing default profile
related to 0034854 (closed, atrol): Error when creating global profiles

Activities

dregad (developer), 2024-09-12 09:37, ~0069202

Hello Carsten, many thanks for the vulnerability report. I will have a closer look as soon as possible and get back to you.

To ensure the attachment remains confidential when this issue becomes public, I will move it to a new private bugnote.

Question: the report mentions enumerating other users on the platform, but as far as I can tell it does not allow enumerating users, only the titles of other users' profiles. Or am I missing something?

dregad (developer), 2024-09-15 05:29, ~0069223

Problem confirmed in latest master; has likely existed for many years (at least since 1.2.0, possibly before).

dregad (developer), 2024-09-15 12:04, ~0069224

GitHub Security advisory created: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h5q3-fjp4-2x7r and CVE ID requested.

@c_schmitz
I credited you as reporter for this vulnerability; if anybody else needs to be credited, please let me know their GitHub user ID.

I will shortly push a patch to the advisory's private fork. Kindly review it and let me know your feedback.

dregad (developer), 2024-09-17 02:36, ~0069236

CVE-2024-45792 assigned

Related Changesets

MantisBT: master 56bbd02d (2024-09-28 10:47, dregad, Committer: community)

Merge commit from fork

Create 2 new Profile API functions: profile_can_update() and
profile_ensure_can_update().

Use them in account_prof_update.php and account_prof_edit_page.php to
ensure that users can only view and update their own Profiles (or the
global ones if they are authorized to).

Fixes 0034640, CVE-2024-45792
Affected Issues: 0034640
mod - account_prof_edit_page.php
mod - account_prof_update.php
mod - core/profile_api.php

MantisBT: master-2.26 ef0f8202 (2024-09-28 10:54, dregad)

Prevent unauthorized access to other users Profiles

Create 2 new Profile API functions: profile_can_update() and
profile_ensure_can_update().

Use them in account_prof_update.php and account_prof_edit_page.php to
ensure that users can only view and update their own Profiles (or the
global ones if they are authorized to).

Fixes 0034640, CVE-2024-45792

(cherry picked from commit 56bbd02dc1fb33a8de5898fd17dc3d698c847f55)
Affected Issues: 0034640
mod - account_prof_edit_page.php
mod - account_prof_update.php
mod - core/profile_api.php
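The ownership check the commit message describes, shown as an added illustration rather than MantisBT's own code: the request-supplied profile id is first resolved without any authorization (the IDOR pattern), then guarded by a single `profile_can_update()`-style function that the page handlers call before reading or writing. Assumptions not taken from the page: profiles live in an in-memory array, global profiles carry `user_id` 0, and `$can_manage_global` stands in for whatever access-level check the real application applies.

```php
<?php
// Added example, not MantisBT's own implementation. Constructed sample data:
// users 10 and 20 each own one profile; profile 3 is global (user_id 0, assumed convention).
$profiles = [
    1 => ['user_id' => 10, 'title' => 'Laptop (user A)'],
    2 => ['user_id' => 20, 'title' => 'Desktop (user B)'],
    3 => ['user_id' => 0,  'title' => 'Shared build server'],
];

// Vulnerable pattern: the row is looked up by the request parameter alone, so any
// logged-in user can read (and, in an update handler, modify) any profile id.
function profile_get_unchecked(array $profiles, int $profile_id): ?array {
    return $profiles[$profile_id] ?? null;
}

// Hardened pattern: one authorization predicate, used by both the edit page and
// the update handler. Returns true only for the caller's own profile, or for a
// global profile when the caller is authorized to manage global profiles.
function profile_can_update(array $profiles, int $profile_id,
                            int $current_user_id, bool $can_manage_global): bool {
    $row = $profiles[$profile_id] ?? null;
    if ($row === null) {
        return false;                 // unknown id: deny, do not reveal existence
    }
    if ($row['user_id'] === $current_user_id) {
        return true;                  // caller owns this profile
    }
    if ($row['user_id'] === 0) {
        return $can_manage_global;    // global profile: needs explicit authorization
    }
    return false;                     // somebody else's profile
}

// Guard variant for handlers that should abort rather than branch.
function profile_ensure_can_update(array $profiles, int $profile_id,
                                   int $current_user_id, bool $can_manage_global): void {
    if (!profile_can_update($profiles, $profile_id, $current_user_id, $can_manage_global)) {
        throw new RuntimeException("Access denied to profile $profile_id");
    }
}

// Simulate user B (id 20, no global rights) submitting each profile_id in turn:
// the unchecked lookup returns every title, the guarded path only profile 2.
foreach ([1, 2, 3] as $id) {
    $leaked  = profile_get_unchecked($profiles, $id)['title'] ?? '(none)';
    $allowed = profile_can_update($profiles, $id, 20, false) ? 'allowed' : 'denied';
    printf("profile_id=%d unchecked=%s guarded=%s\n", $id, $leaked, $allowed);
}
```

Calling the guard in the edit page as well as the update handler matters because the report's impact was read-only title disclosure; checking only on write would leave that exposure in place.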