View Issue Details

ID: 0014015
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: atrol
Assigned To: dhx
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.9
Target Version: 1.2.11
Fixed in Version: 1.2.11
Summary: 0014015: Users with access level REPORTER cannot delete own attachments despite allow_delete_own_attachments = ON;
Description

Although the configuration option allow_delete_own_attachments is set to ON, reporters cannot delete their own attachments.
After pushing the delete button you get "Access Denied".

This error message is caused by the following line in bug_file_delete.php, as the default setting of update_bug_threshold is UPDATER.

access_ensure_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id );

At the moment we can't replace this line just by checking allow_delete_own_attachments == ON || checking update_bug_threshold.

I will enter another related issue in the short term which will show why I reported this issue with category "security" instead of "attachments", although at first sight it seems that the user does not get enough access rights.

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0014016 (closed, atrol): CVE-2012-2692 Users with access level >= update_bug_threshold can delete any attachment

Activities

dhx (reporter) - 2012-06-02 07:42 - ~0031980

Thanks, Roland, for another great bug report.

I've patched this issue ready for the next release (1.2.11).

grangeway (reporter) - 2013-04-05 17:57 - ~0036279

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master f82f98cc (dhx, 2012-06-02 04:10:32)

Fix 0014016: delete_attachments_threshold is not checked

Roland Becker (MantisBT developer) reported the following
security/access control bug:

In a default installation delete_attachments_threshold is set to
DEVELOPER but having access level >= update_bug_threshold is enough to
delete attachments if form_security_validation is set to OFF.

MantisBT was not checking the access level of the user requesting
deletion of an attachment to an issue against
$g_delete_attachments_threshold.

The new access control logic for deleting an issue attachment is now:
1. Does the user have an access level of at least update_bug_threshold?
2. If the user is the owner of the file and
$g_allow_delete_own_attachments=OFF, does this user have an access level
of at least delete_attachments_threshold?
3. If the user is not the owner of the file, do they have an access
level of at least delete_attachments_threshold?

Also refer to issue 0014015 for discussion on whether
update_bug_threshold should be part of the access control logic.

The relevant SOAP API call has also been updated.

Conflicts:
bug_file_delete.php

Affected Issues: 0014015, 0014016
mod - api/soap/mc_issue_attachment_api.php
mod - bug_file_delete.php

MantisBT: master-1.2.x ceafe6f0 (dhx, 2012-06-02 04:10:32)

Fix 0014016: delete_attachments_threshold is not checked

Roland Becker (MantisBT developer) reported the following
security/access control bug:

In a default installation delete_attachments_threshold is set to
DEVELOPER but having access level >= update_bug_threshold is enough to
delete attachments if form_security_validation is set to OFF.

MantisBT was not checking the access level of the user requesting
deletion of an attachment to an issue against
$g_delete_attachments_threshold.

The new access control logic for deleting an issue attachment is now:
1. Does the user have an access level of at least update_bug_threshold?
2. If the user is the owner of the file and
$g_allow_delete_own_attachments=OFF, does this user have an access level
of at least delete_attachments_threshold?
3. If the user is not the owner of the file, do they have an access
level of at least delete_attachments_threshold?

Also refer to issue 0014015 for discussion on whether
update_bug_threshold should be part of the access control logic.

The relevant SOAP API call has also been updated.

Affected Issues: 0014015, 0014016
mod - api/soap/mc_issue_attachment_api.php
mod - bug_file_delete.php

MantisBT: master 31d11568 (dhx, 2012-06-02 04:35:19)

Fix 0014015: attachment deletion: remove update_bug_threshold check

As reported by Roland Becker (MantisBT developer):

Although configuration option allow_delete_own_attachments is set to ON
reporters cannot delete their own attachments. After pushing the delete
button you get "Access Denied"

Issue 0014016 implemented correct attachment deletion access control
checks against delete_attachments_threshold. We should be using this
threshold instead of update_bug_threshold because attachments aren't
linked to the core fields of an issue -- they are frequently related to
comments (bugnotes) provided by less privileged users.

$g_allow_delete_own_attachments should now work again... safely.

Affected Issues: 0014015, 0014016
mod - api/soap/mc_issue_attachment_api.php
mod - bug_file_delete.php

MantisBT: master-1.2.x 628e9370 (dhx, 2012-06-02 04:35:19)

Fix 0014015: attachment deletion: remove update_bug_threshold check

As reported by Roland Becker (MantisBT developer):

Although configuration option allow_delete_own_attachments is set to ON
reporters cannot delete their own attachments. After pushing the delete
button you get "Access Denied"

Issue 0014016 implemented correct attachment deletion access control
checks against delete_attachments_threshold. We should be using this
threshold instead of update_bug_threshold because attachments aren't
linked to the core fields of an issue -- they are frequently related to
comments (bugnotes) provided by less privileged users.

$g_allow_delete_own_attachments should now work again... safely.

Conflicts:
bug_file_delete.php

Affected Issues: 0014015, 0014016
mod - api/soap/mc_issue_attachment_api.php
mod - bug_file_delete.php
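To make the three access decisions described in the changesets above concrete, the following is an added example; it is not MantisBT's code and not the actual bug_file_delete.php. It models the server-side check at three points in time: before either fix (only the update_bug_threshold line quoted in the description), after 0014016 (the three-step logic from that commit message), and after 0014015 (update_bug_threshold dropped). The access level constants, the default_config() helper and the case table are assumptions made for the illustration; the threshold defaults are the ones the commit messages quote.

```php
<?php
declare(strict_types=1);

// Added example, not MantisBT's own code. Models the server-side attachment
// deletion check at three points in time. Constant values mirror MantisBT's
// default access levels; everything else here is constructed for illustration.
const REPORTER  = 25;
const UPDATER   = 40;
const DEVELOPER = 55;

// Hypothetical default configuration: update_bug_threshold = UPDATER,
// delete_attachments_threshold = DEVELOPER, allow_delete_own_attachments = ON.
function default_config(): array
{
    return [
        'update_bug_threshold'         => UPDATER,
        'delete_attachments_threshold' => DEVELOPER,
        'allow_delete_own_attachments' => true,
    ];
}

// Before 0014016: the only server-side gate is the access_ensure_bug_level()
// call on update_bug_threshold quoted in the description. With the form
// security token out of the way, every UPDATER can delete every file.
function can_delete_before_fixes(array $cfg, int $level, bool $is_owner): bool
{
    return $level >= $cfg['update_bug_threshold'];
}

// After 0014016 (f82f98cc): step 1 still gates on update_bug_threshold, which
// is why a REPORTER is turned away from their own file even with
// allow_delete_own_attachments = ON (issue 0014015).
function can_delete_after_0014016(array $cfg, int $level, bool $is_owner): bool
{
    if ($level < $cfg['update_bug_threshold']) {
        return false;                                      // step 1
    }
    if ($is_owner && $cfg['allow_delete_own_attachments']) {
        return true;                                       // step 2, owner exemption
    }
    return $level >= $cfg['delete_attachments_threshold']; // steps 2 and 3
}

// After 0014015 (31d11568): deletion is allowed at delete_attachments_threshold,
// or for the uploader when allow_delete_own_attachments is ON.
function can_delete_after_0014015(array $cfg, int $level, bool $is_owner): bool
{
    if ($level >= $cfg['delete_attachments_threshold']) {
        return true;
    }
    return $is_owner && $cfg['allow_delete_own_attachments'];
}

// Constructed cases: [label, access level, is uploader, allow_delete_own,
// expected before fixes, expected after 0014016, expected after 0014015].
$cases = [
    ['REPORTER deleting own file, allow_own=ON',  REPORTER,  true,  true,  false, false, true ],
    ['REPORTER deleting own file, allow_own=OFF', REPORTER,  true,  false, false, false, false],
    ['UPDATER deleting someone else\'s file',     UPDATER,   false, true,  true,  false, false],
    ['UPDATER deleting own file, allow_own=ON',   UPDATER,   true,  true,  true,  true,  true ],
    ['DEVELOPER deleting someone else\'s file',   DEVELOPER, false, true,  true,  true,  true ],
];

printf("%-45s %-8s %-10s %-10s\n", 'case', 'before', 'post-14016', 'post-14015');
foreach ($cases as [$label, $level, $owner, $allowOwn, $exp0, $exp1, $exp2]) {
    $cfg = default_config();
    $cfg['allow_delete_own_attachments'] = $allowOwn;
    $got = [
        can_delete_before_fixes($cfg, $level, $owner),
        can_delete_after_0014016($cfg, $level, $owner),
        can_delete_after_0014015($cfg, $level, $owner),
    ];
    // Self-check: stop if the model disagrees with the expected columns.
    if ($got !== [$exp0, $exp1, $exp2]) {
        throw new RuntimeException("unexpected decision for: $label");
    }
    printf("%-45s %-8s %-10s %-10s\n", $label,
        ...array_map(fn(bool $b) => $b ? 'allow' : 'deny', $got));
}
```

Run it with the php CLI; it throws if any decision deviates from the expected column. The REPORTER-owner row is issue 0014015: denied until update_bug_threshold was removed from the check. The UPDATER-non-owner row is the over-permissive pre-fix behaviour that 0014016 closes (listed above as CVE-2012-2692). Only the server-side check is modelled; whether the delete button is shown in the UI is a separate matter.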

Issue History

Date Modified Username Field Change
2012-03-07 16:53 atrol New Issue
2012-03-07 16:54 atrol Description Updated View Revisions
2012-03-07 16:59 atrol Relationship added related to 0014016
2012-04-02 02:33 atrol Target Version 1.2.10 => 1.2.11
2012-06-02 06:44 dhx Assigned To => dhx
2012-06-02 06:44 dhx Status new => assigned
2012-06-02 07:42 dhx Note Added: 0031980
2012-06-02 07:42 dhx Status assigned => resolved
2012-06-02 07:42 dhx Fixed in Version => 1.2.11
2012-06-02 07:42 dhx Resolution open => fixed
2012-06-02 07:43 dhx View Status private => public
2012-06-02 08:00 dhx Changeset attached => MantisBT master 31d11568
2012-06-02 08:00 dhx Changeset attached => MantisBT master f82f98cc
2012-06-02 08:00 dhx Changeset attached => MantisBT master-1.2.x 628e9370
2012-06-02 08:00 dhx Changeset attached => MantisBT master-1.2.x ceafe6f0
2012-06-06 23:53 jreese Status resolved => closed
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036279
2013-04-05 18:33 grangeway Relationship added related to 0015721
2013-04-06 03:40 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check