View Issue Details

IDProjectCategoryView StatusLast Update
0025492mantisbtsecuritypublic2022-05-16 08:51
ReporterChrisG Assigned Todregad  
PrioritynormalSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Target Version2.26.0Fixed in Version2.26.0 
Summary0025492: Printing (print_all_bug_page) is a perf/security risk
Description

Live profiling of our server showed that 20,182 queries may be executed by the trivially achieved operation of printing out from "view all issues" when there's no filter. This was an intensive 40 second web request.

There needs to be some kind of control of this. I'd suggest implementing a maximum printable issues feature, that is controlled by access level. If set to zero for an access level then there would be no print button at all. The default config would set it 0 for guests to stop spiders hitting it.

TagsNo tags attached.

Relationships

related to 0022224 resolveddregad Access Restrictions to "Print Reports", "CSV Export", "Excel Export" in view all bugs page 

Activities

ChrisG

ChrisG

2019-02-19 15:21

reporter   ~0061522

This is related to 0004798.

c_schmitz

c_schmitz

2020-06-04 10:03

reporter   ~0064063

I second this is an issue. This alllows for a simple DDOS attack on Mantis instances that have a big number of bugs.

dregad

dregad

2022-05-12 11:27

developer   ~0066569

I agree that this is a risk, and in fact this very instance of MantisBT has been hit by DOS attacks leveraging print_all_bug_page_word.php sevaral times in the past, which sometimes ended up killing the database server.

Please see 0022224 and the related PR which I just rebased and tested; the approach is slightly different from what @ChrisG suggested in this issue's description, i.e. implement a simple threshold restricting access to the export and print functions instead of defining a maximum number of printable issues, but I believe this should be sufficient to do the job.

@ChrisG, @c_schmitz If you agree, then this issue will be closed when PR https://github.com/mantisbt/mantisbt/pull/1810 gets merged (nothing for you to do). If on the other hand you feel that a solution with a maximum number of issues is needed, then please say so and I'll leave it open (but no promises as for when it would be implemented).

ChrisG

ChrisG

2022-05-12 20:20

reporter   ~0066573

Thanks. The simple approach works for me, I don't see a real need for the granularity I mentioned. The typical tracker user doesn't need to export and print anything. This can be closed as far as I'm concerned.

c_schmitz

c_schmitz

2022-05-13 01:49

reporter   ~0066575

That works for me, too. Thank you!

dregad

dregad

2022-05-13 04:32

developer   ~0066577

Great, thanks both for the feedback.

And for the record, I'm re-qualifying this from printing feature to security issue, given the confirmed potential for DOS attacks.

Related Changesets

MantisBT: master 20cd415e

2022-05-16 08:51

dregad


Committer: community Details Diff
Restrict access to Export and Print Reports

Adds 2 new config options to control access restrictions to these View
Issues page functionalities:

- CSV/Excel Export ($g_export_issues_threshold)
- Print Reports ($g_print_reports_threshold)

The default value for print_reports_threshold is UPDATER, to reduce the
risk of denial of service attacks overloading the server via multiple
concurrent executions of print_all_bug_page_word.php. This changes from
earlier behavior, where access to this function was not restricted.

Fixes 0022224, 0025492,
PR https://github.com/mantisbt/mantisbt/pull/1810
Affected Issues
0022224, 0025492
mod - config_defaults_inc.php Diff File
mod - css/default.css Diff File
mod - csv_export.php Diff File
mod - docbook/Admin_Guide/en-US/config/misc.xml Diff File
mod - excel_xml_export.php Diff File
mod - lang/strings_english.txt Diff File
mod - manage_config_work_threshold_page.php Diff File
mod - manage_config_work_threshold_set.php Diff File
mod - print_all_bug_page.php Diff File
mod - print_all_bug_page_word.php Diff File
mod - view_all_inc.php Diff File