Dependency Graph

View IssueRelationship GraphHorizontalShow Summary
Dependency Graph
related to related to child of child of duplicate of duplicate of

View Issue Details

WikiJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0037075mantisbtapi soappublic2026-04-18 17:252026-05-31 20:10
Reporterninjasec Assigned To 
PrioritynormalSeverityminorReproducibilityalways
Status confirmedResolutionopen 
Product Version2.28.1 
Target Version2.28.4 
Summary0037075: SOAP Issue Update Implicitly Reassigns Reporter To The Caller When reporter Is Omitted
Description

mc_issue_update() defaults $t_reporter_id to the authenticated SOAP caller
when the submitted issue object does not contain a reporter field:

$t_reporter_id = isset( $p_issue['reporter'] ) ? mci_get_user_id( $p_issue['reporter'] ) : $t_user_id;

As a result, a normal SOAP update that omits reporter silently rewrites the
issue reporter to the current user.

Steps To Reproduce

  1. Create a test issue as REPORTER (id = 2)

  2. Check issue state

    mysql> SELECT id, reporter_id, summary FROM mantis_bug_table WHERE id=42897;
+-------+-------------+----------------+
| id    | reporter_id | summary        |
+-------+-------------+----------------+
| 42897 |           2 | Test for 37075 |
+-------+-------------+----------------+

  3. Execute SOAP request as UPDATER (id = 3)

    
POST http://localhost/mantis/api/soap/mantisconnect.php
Content-Type: text/xml

<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope" xmlns:mc="http://futureware.biz"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soapenv:Header/>
<soapenv:Body>
<mc:mc_issue_update>
<username>{{username}}</username>
<password>{{password}}</password>
<issueId>42897</issueId>
<issue xsi:type="mc:IssueData">
<summary>Test for 37075 - updated via SOAP</summary>
<description>updated via SOAP</description>
</issue>
</mc:mc_issue_update>
</soapenv:Body>
</soapenv:Envelope>


4. Confirm reporter was changed

mysql> SELECT id, reporter_id, summary FROM mantis_bug_table WHERE id=42897;
+-------+-------------+-----------------------------------+
| id | reporter_id | summary |
+-------+-------------+-----------------------------------+
| 42897 | 3 | Test for 37075 - updated via SOAP |
+-------+-------------+-----------------------------------+


Expected behavior:; unchanged reporter_id
Additional Information

Severity:
High

Type:
Ownership corruption / authorization flaw

Affected code:
api/soap/mc_issue_api.php

Impact:
Any SOAP caller who updates an issue without explicitly resubmitting the
original reporter will hijack issue ownership to themselves.

TagsNo tags attached.

Relationships

Relationship GraphDependency Graph
related to 0037199 resolveddregad Missing Authorization Check on Reporter Field in mc_issue_update Allows UPDATER-Level User to Forge Issue Ownership 

Activities

dregad

dregad

2026-05-31 20:10

developer   ~0071208

a normal SOAP update that omits reporter silently rewrites the issue reporter to the current user.

I confirm the reported behavior. however, the update is not silent, as the change is duly recorded in the issue's history so I would not qualify this as "hijacking the issue ownership".

While it may be undesired and confusing to change the issue reporter when it's not specified in the payload, IMHO this is just a regular SOAP API bug, and not a security issue / vulnerability.

I updated the steps to reproduce with proper, repeatable instructions.