View Issue Details

ID: 0027262
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-12-30 08:33
Reporter: d3vpoo1
Assigned To: dregad
Status: closed
Resolution: duplicate
Platform: Windows
OS: Windows
OS Version: Windows 10
Product Version: 2.24.2
Summary: 0027262: Private files can be downloaded by attacker

Description

Though this issue seems to be a functionality, an attacker can abuse it to view/download private files due to the guessable id (increment_id).

Steps To Reproduce
  1. Create an admin account

  2. Go to notes and upload an image with it (make sure the image/file is private)

  3. As the attacker (reporter account), go to http://localhost/mantisbt2/file_download.php?file_id=<FUZZ_ID>&type=bug where FUZZ_ID is the id of the private file

  4. The attacker successfully downloads the other files + the private files

Additional Information

I tested this issue with viewer permission and it seems that it validates the endpoint.

Tags: No tags attached.


Relationships: duplicate of 0027039 (closed, dregad): CVE-2020-25781: Access to private bug note attachments
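The steps above describe an insecure direct object reference: file_download.php takes a sequential file_id, and the finding (as the linked CVE title puts it) is that attachments of private bug notes can be fetched by a user who may view the issue but not the note. What follows is an added Python model of that gap beside a corrected check. It is not code from the report or from MantisBT (MantisBT is PHP, and the real endpoint is file_download.php); the access-level values and the two threshold names follow MantisBT's documented defaults, while the data classes, sample attachments, file ids and function names are constructed for illustration.

```python
"""Simplified model of the authorization gap in the report above.

Added example, not MantisBT code. Access-level values and threshold
names follow MantisBT's documented defaults; the data classes, sample
attachments and function names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# MantisBT default access levels (from its documentation).
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90

# Assumed project configuration, matching MantisBT's defaults:
# view_bug_threshold = VIEWER, private_bugnote_threshold = DEVELOPER.
VIEW_BUG_THRESHOLD = VIEWER
PRIVATE_BUGNOTE_THRESHOLD = DEVELOPER


@dataclass(frozen=True)
class Attachment:
    file_id: int                # sequential, hence guessable (step 3)
    bug_id: int
    bugnote_id: Optional[int]   # None when attached to the issue itself
    private_note: bool          # view state of the owning bugnote


@dataclass(frozen=True)
class User:
    name: str
    access: int


# Constructed sample data: one public issue (id 100) with an attachment
# on the issue itself, one on a private note (the admin's upload from
# step 2) and one on a public note.
ATTACHMENTS = {
    1: Attachment(file_id=1, bug_id=100, bugnote_id=None, private_note=False),
    2: Attachment(file_id=2, bug_id=100, bugnote_id=7, private_note=True),
    3: Attachment(file_id=3, bug_id=100, bugnote_id=8, private_note=False),
}

Check = Callable[[User, Attachment], bool]


def can_download_vulnerable(user: User, att: Attachment) -> bool:
    """Behaviour the report describes: only the issue's visibility is
    checked, so anyone allowed to view the bug gets every file_id,
    including attachments that belong to private bugnotes."""
    return user.access >= VIEW_BUG_THRESHOLD


def can_download_fixed(user: User, att: Attachment) -> bool:
    """Hardened check: an attachment inherits its bugnote's visibility,
    so a private-note attachment additionally requires
    private_bugnote_threshold. Simplified: it omits MantisBT's rule
    that a note's own author may always see that note."""
    if user.access < VIEW_BUG_THRESHOLD:
        return False
    if att.bugnote_id is not None and att.private_note:
        return user.access >= PRIVATE_BUGNOTE_THRESHOLD
    return True


def enumerate_downloadable(user: User, check: Check,
                           id_range: Iterable[int] = range(1, 10)) -> List[int]:
    """Replays step 3: walk guessable file_ids and return those `check`
    would serve to `user`; ids with no attachment are skipped (a 404)."""
    return sorted(fid for fid in id_range
                  if fid in ATTACHMENTS and check(user, ATTACHMENTS[fid]))


if __name__ == "__main__":
    reporter = User("reporter", REPORTER)
    for label, check in (("vulnerable", can_download_vulnerable),
                         ("fixed", can_download_fixed)):
        print(f"{label}: reporter can fetch file_ids "
              f"{enumerate_downloadable(reporter, check)}")
```

With the vulnerable check, a REPORTER-level account walking file_id 1..9 retrieves ids 1, 2 and 3, including the private-note attachment (id 2); with the corrected check the same walk yields only 1 and 3, while a DEVELOPER-level account still gets all three. The check belongs on the download endpoint itself, not only on the note listing, because the reporter's step 3 never goes through the note view at all.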




2020-09-08 22:50

Attachments:
  admin_private_file.png (7,020 bytes)
  reporter_download.png (23,070 bytes)
  viewer.png (14,080 bytes)


2020-09-09 04:12

developer   ~0064386

Thanks for your report. This issue has been reported previously (0027039) but as the issue is private you do not currently have access to it.
I'm resolving this as a duplicate.