0025492: Printing (print_all_bug_page) is a perf/security risk - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0025492	mantisbt	security	public	2019-02-19 15:19	2023-10-31 16:32

Reporter	ChrisG	Assigned To	dregad
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Target Version	2.26.0	Fixed in Version	2.26.0

Summary	0025492: Printing (print_all_bug_page) is a perf/security risk
Description	Live profiling of our server showed that 20,182 queries may be executed by the trivially achieved operation of printing out from "view all issues" when there's no filter. This was an intensive 40 second web request. There needs to be some kind of control of this. I'd suggest implementing a maximum printable issues feature, that is controlled by access level. If set to zero for an access level then there would be no print button at all. The default config would set it 0 for guests to stop spiders hitting it.
Tags	No tags attached.

ChrisG 2019-02-19 15:21 reporter ~0061522	This is related to 0004798.

c_schmitz 2020-06-04 10:03 reporter ~0064063	I second this is an issue. This alllows for a simple DDOS attack on Mantis instances that have a big number of bugs.

dregad 2022-05-12 11:27 developer ~0066569	I agree that this is a risk, and in fact this very instance of MantisBT has been hit by DOS attacks leveraging print_all_bug_page_word.php sevaral times in the past, which sometimes ended up killing the database server. Please see 0022224 and the related PR which I just rebased and tested; the approach is slightly different from what @ChrisG suggested in this issue's description, i.e. implement a simple threshold restricting access to the export and print functions instead of defining a maximum number of printable issues, but I believe this should be sufficient to do the job. @ChrisG, @c_schmitz If you agree, then this issue will be closed when PR https://github.com/mantisbt/mantisbt/pull/1810 gets merged (nothing for you to do). If on the other hand you feel that a solution with a maximum number of issues is needed, then please say so and I'll leave it open (but no promises as for when it would be implemented).

ChrisG 2022-05-12 20:20 reporter ~0066573	Thanks. The simple approach works for me, I don't see a real need for the granularity I mentioned. The typical tracker user doesn't need to export and print anything. This can be closed as far as I'm concerned.

c_schmitz 2022-05-13 01:49 reporter ~0066575	That works for me, too. Thank you!

dregad 2022-05-13 04:32 developer ~0066577	Great, thanks both for the feedback. And for the record, I'm re-qualifying this from printing feature to security issue, given the confirmed potential for DOS attacks.

MantisBT: master 20cd415e 2022-05-16 08:51 dregad Committer: community Details Diff	Restrict access to Export and Print Reports Adds 2 new config options to control access restrictions to these View Issues page functionalities: - CSV/Excel Export ($g_export_issues_threshold) - Print Reports ($g_print_reports_threshold) The default value for print_reports_threshold is UPDATER, to reduce the risk of denial of service attacks overloading the server via multiple concurrent executions of print_all_bug_page_word.php. This changes from earlier behavior, where access to this function was not restricted. Fixes 0022224, 0025492, PR https://github.com/mantisbt/mantisbt/pull/1810		Affected Issues 0022224, 0025492
	mod - config_defaults_inc.php		Diff File
	mod - css/default.css		Diff File
	mod - csv_export.php		Diff File
	mod - docbook/Admin_Guide/en-US/config/misc.xml		Diff File
	mod - excel_xml_export.php		Diff File
	mod - lang/strings_english.txt		Diff File
	mod - manage_config_work_threshold_page.php		Diff File
	mod - manage_config_work_threshold_set.php		Diff File
	mod - print_all_bug_page.php		Diff File
	mod - print_all_bug_page_word.php		Diff File
	mod - view_all_inc.php		Diff File