View Issue Details

ID: 0012278
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-12-03 10:52
Reporter: pklanka
Assigned To: (none)
Priority: normal
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: reopened
Platform: All
OS: All
Product Version: 1.1.8
Summary: 0012278: User enumeration possible
Description

Any anonymous user can enumerate all the users (user IDs) in Mantis. This information could be used by anonymous users to brute-force the accounts.

Steps To Reproduce

Access the page view_filters.php from an anonymous account (e.g. https://mantisbt.org/bugs/view_filters_page.php) and get the list of users in the system.

Tags: No tags attached.

Activities

jreese

2010-08-23 08:00

reporter   ~0026414

This is intended behavior. Any anonymous user would easily be able to gather user IDs just by looking through the list of issues anyways, so the usefulness of the feature greatly outweighs the potential misuse. Mantis already has an option in place to curb brute force attacks by setting a limit on failed logins, $g_max_failed_login_count.

pklanka

2010-08-23 08:46

reporter   ~0026418

Agreed! This should be a valid behavior when the anonymous account is able to access the bugs.

However, if the anonymous user is configured such that it cannot read the bugs from the system, this vulnerability exposes the sensitive user login information.

As a security best practice, it is recommended to protect the user IDs from being exposed in such a scenario, thus avoiding even the remotest possibility of a brute force attack. In addition, information such as this could be used in social engineering scenarios (apart from brute force vulns) in order to extract other sensitive details from the users.

atrol

2010-08-28 11:50

developer   ~0026496

Suggestion:

Introduce a new configuration option:
$g_show_user_name_threshold = DEVELOPER; // or REPORTER to avoid too many questions after upgrading

Change function user_get_name:
If the current user does not have enough rights to see the name, return something like
lang_get( 'prefix_for_anonymized_users' ) . (int) $p_user_id;

To avoid social engineering, this might still not be enough, for example if someone is aware that the user with id 18101 is pklanka.
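
The threshold check proposed in the note above, written out as an added stand-alone illustration (not MantisBT code and not atrol's patch). The access level constants match MantisBT's core/constant_inc.php; the user table, the `$g_show_user_name_threshold` value, the lang string and the `user_get_name_guarded()` name are constructed here for the example.

```php
<?php
// Access level constants as defined in MantisBT core/constant_inc.php.
define( 'ANYBODY', 0 );
define( 'VIEWER', 10 );
define( 'REPORTER', 25 );
define( 'DEVELOPER', 55 );

// Proposed option: minimum access level needed to see real login names.
$g_show_user_name_threshold = DEVELOPER;

// Constructed stand-ins for lang_get() and the user table (not real data).
$g_lang_strings = array( 'prefix_for_anonymized_users' => 'user' );
$g_users = array( 18101 => 'pklanka', 4201 => 'jreese', 4202 => 'atrol' );

// Guarded variant of user_get_name(): below the threshold the caller only
// gets the anonymised prefix plus numeric id instead of the login name.
function user_get_name_guarded( $p_user_id, $p_viewer_access_level ) {
	global $g_show_user_name_threshold, $g_lang_strings, $g_users;

	if( $p_viewer_access_level < $g_show_user_name_threshold ) {
		// Caveat raised in the note: the numeric id is still exposed, so this
		// hides the login name but not the fact that user 18101 exists.
		return $g_lang_strings['prefix_for_anonymized_users'] . (int)$p_user_id;
	}

	return isset( $g_users[$p_user_id] ) ? $g_users[$p_user_id] : 'unknown';
}

// What a page such as view_filters_page.php would render for viewers at
// different access levels; the anonymous account is typically VIEWER.
$t_roles = array( 'anonymous' => VIEWER, 'reporter' => REPORTER, 'developer' => DEVELOPER );
foreach( $t_roles as $t_role => $t_level ) {
	$t_names = array();
	foreach( array_keys( $g_users ) as $t_id ) {
		$t_names[] = user_get_name_guarded( $t_id, $t_level );
	}
	echo $t_role . ': ' . implode( ', ', $t_names ) . "\n";
}
```

Only the developer line shows login names; anonymous and reporter viewers see `user18101`-style labels, which is exactly the residual exposure the note flags.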

dregad

2012-10-16 09:17

developer   ~0033223

Unassigned from jreese as he is no longer actively developing.

Issue History

Date Modified Username Field Change
2010-08-22 22:15 pklanka New Issue
2010-08-23 08:00 jreese Note Added: 0026414
2010-08-23 08:00 jreese Status new => resolved
2010-08-23 08:00 jreese Resolution open => no change required
2010-08-23 08:00 jreese Assigned To => jreese
2010-08-23 08:46 pklanka Note Added: 0026418
2010-08-23 08:46 pklanka Status resolved => feedback
2010-08-23 08:46 pklanka Resolution no change required => reopened
2010-08-28 11:50 atrol Note Added: 0026496
2012-10-16 09:04 dregad Assigned To jreese =>
2012-10-16 09:17 dregad Note Added: 0033223
2019-12-03 10:52 dregad Status feedback => acknowledged