View Issue Details

ID: 0024365
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-04-29 19:21
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0
Target Version: 1.3.15
Fixed in Version: 1.3.15
Summary: 0024365: CVE-2018-9839: Private issues accessible to unauthorized users using the "Clone" functionality
Description

This is a clone of 0024221 for tracking in 1.3.x changelog

Tags: No tags attached.

Relationships

duplicate of 0024221 (closed, dregad): CVE-2018-9839: Private issues accessible to unauthorized users using the "Clone" functionality

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.3.x 5cbf97f4

2018-04-25 12:31:45

dregad

Prevent cloning private issues by unauthorized users

Using a crafted request on bug_report_page.php (modifying the 'm_id'
parameter), any user with REPORTER access or above is able to view any
private issue's details (summary, description, steps to reproduce,
additional information) when cloning. By checking the 'Copy issue notes'
and 'Copy attachments' checkboxes and completing the clone operation,
this data also becomes public (except private notes).

Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding.

@atrol noted that the same vulnerability also existed in bug_report.php,
although in this case the information disclosure is limited to notes and
attachments (issue data itself does not become accessible).

Added an access level check, so that the operation now fails with an
Access Denied error in both cases.

Backported from 1fbcd9bca2f2c77cb61624d36ddee4b3802c38ea
Fixes 0024365, CVE-2018-9839
Affected Issues
0024365
mod - bug_report.php Diff File
mod - bug_report_page.php Diff File
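
The missing check described in the commit message above, shown as an added example that is not MantisBT's code: a simplified model of pre-filling the report form from the issue named by 'm_id', with and without a view-access check on that source issue. The access levels, the sample issues and the helpers `can_view()` and `clone_prefill()` are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample data: levels and issues are illustrative,
// not MantisBT's real schema or API.
const REPORTER = 25;
const DEVELOPER = 55;

$issues = [
    101 => ['summary' => 'Public typo', 'private' => false, 'reporter' => 'alice'],
    102 => ['summary' => 'Private security report', 'private' => true, 'reporter' => 'bob'],
];

/** Hypothetical helper: may $user view issue $id? */
function can_view(array $issues, array $user, int $id): bool {
    $issue = $issues[$id] ?? null;
    if ($issue === null) {
        return false;
    }
    if (!$issue['private']) {
        return true;
    }
    // Private issues: only their reporter, or users at/above the private threshold.
    return $issue['reporter'] === $user['name'] || $user['level'] >= DEVELOPER;
}

/** Pre-fill the report form from the source issue named by m_id. */
function clone_prefill(array $issues, array $user, int $m_id, bool $check_view): array {
    if ($user['level'] < REPORTER) {
        throw new RuntimeException('Access Denied: cannot report issues');
    }
    if (!isset($issues[$m_id])) {
        throw new RuntimeException('Issue not found');
    }
    // The step the fix adds: permission to report does not imply permission
    // to read the issue whose id arrived in the request.
    if ($check_view && !can_view($issues, $user, $m_id)) {
        throw new RuntimeException('Access Denied');
    }
    return ['summary' => $issues[$m_id]['summary']];
}

$reporter = ['name' => 'alice', 'level' => REPORTER];
foreach ([false, true] as $check) {
    $label = $check ? 'with check' : 'without check';
    try {
        $form = clone_prefill($issues, $reporter, 102, $check);
        echo $label, ': form pre-filled with "', $form['summary'], "\"\n";
    } catch (RuntimeException $e) {
        echo $label, ': ', $e->getMessage(), "\n";
    }
}
```

The same check has to run again when the form is submitted, since the commit message notes that bug_report.php was affected as well as bug_report_page.php.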

Issue History

Date Modified Username Field Change
2018-04-25 13:02 dregad New Issue
2018-04-25 13:02 dregad Status new => assigned
2018-04-25 13:02 dregad Assigned To => dregad
2018-04-25 13:02 dregad Issue generated from: 0024221
2018-04-25 13:02 dregad Relationship added duplicate of 0024221
2018-04-25 13:05 dregad Changeset attached => MantisBT master-1.3.x 5cbf97f4
2018-04-25 13:05 dregad Status assigned => resolved
2018-04-25 13:05 dregad Resolution open => fixed
2018-04-25 13:05 dregad Fixed in Version => 1.3.15
2018-04-29 19:21 vboctor Status resolved => closed