View Issue Details

ID: 0034437
Project: mantisbt
Category: security
View Status: public
Last Update: 2024-06-09 11:09
Reporter: sud0ku
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: unable to reproduce
Product Version: 2.26.1
Summary0034437: Broken Access Control: Any user can upload files into another user's issue when attaching files to Add Note feature.
Description

Broken Access Control was found on:
endpoint: /bugnote_add.php [bug_id]
impact: It is possible to upload any documents into another user's issue when attaching files to "Add Note" feature.

Steps To Reproduce

steps to reproduce the issue:

  1. Log in as a reporter user > create an issue.
  2. View or open the created issue and upload any file (make sure not to input anything in the Note field, otherwise the POC will fail) > intercept the request using a proxy tool like Burp Suite.
  3. Change the "bug_id" parameter value to another user's issue (let's assume this other user has issue number 2027).
  4. Send the request, and you will see the uploaded file appear in the other user's issue.
Additional Information

For CVE Handling:
Name: Zulfi Al-Farizi
email: alzee3307@gmail.com

TagsNo tags attached.

Activities

dregad

2024-05-08 11:12

developer   ~0068918

Last edited: 2024-05-08 11:13

Thanks for the bug report.

Following your instructions, I tried to replicate the problem with the following scenarios, trying to add attachment:

  • to public issue in private project that attacker does not have access to => access denied
  • to private issue in public project, with attacker not allowed to view private issues => access denied
  • to public issue reported by another user, with $g_limit_reporters = ON => access denied
  • to public issue => OK (but this is expected IMO, as it is just like the attacker submitted the attachment while viewing the other issue)

Based on this analysis, I fail to see broken access control - as far as I can tell, required authorization checks are in place. Am I missing something? Please clarify.
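The authorization matrix in the comment above, written out as an added worked example (constructed here, not MantisBT code; all class and function names are hypothetical and do not mirror MantisBT's internal API). The defensive point it demonstrates is that the note/attachment handler must resolve the issue from the bug_id actually submitted in the request and re-run every visibility check against that issue, since the client controls that value; the four scenarios from the comment are encoded as test cases.

```python
"""Model of the server-side checks a note-attachment endpoint must perform,
keyed on the submitted bug_id. Constructed example; names are hypothetical."""
from dataclasses import dataclass


@dataclass
class Project:
    name: str
    is_public: bool
    members: frozenset = frozenset()   # who may see a private project


@dataclass
class Issue:
    bug_id: int
    project: Project
    reporter: str
    is_private: bool = False


@dataclass
class User:
    name: str
    role: str = "reporter"             # "reporter" or "developer"
    can_view_private: bool = False     # meets the private-issue view threshold


def can_view_issue(user: User, issue: Issue) -> bool:
    """Project access first, then issue-level privacy."""
    project = issue.project
    if not project.is_public and user.name not in project.members:
        return False
    if issue.is_private and not (user.can_view_private or issue.reporter == user.name):
        return False
    return True


def can_add_note(user: User, issue: Issue, limit_reporters: bool = False) -> bool:
    """Adding a note/attachment requires view access, plus the
    limit_reporters rule: reporter-level users may only touch their own issues."""
    if not can_view_issue(user, issue):
        return False
    if limit_reporters and user.role == "reporter" and issue.reporter != user.name:
        return False
    return True


def handle_bugnote_add(user: User, submitted_bug_id: int, issues: dict,
                       limit_reporters: bool = False) -> str:
    """Handler entry point: look up the issue by the bug_id from the request
    (never trust which issue the client claims to have been viewing)."""
    issue = issues.get(submitted_bug_id)
    if issue is None:
        return "not found"
    if not can_add_note(user, issue, limit_reporters):
        return "access denied"
    return "ok"


def run_scenarios() -> dict:
    """The four scenarios from the analysis above, plus an unknown bug_id.
    All users, projects and issue numbers are constructed sample data."""
    public_project = Project("public-proj", is_public=True)
    private_project = Project("private-proj", is_public=False,
                              members=frozenset({"victim"}))
    attacker = User("attacker")
    issues = {
        1: Issue(1, private_project, reporter="victim"),
        2: Issue(2, public_project, reporter="victim", is_private=True),
        3: Issue(3, public_project, reporter="victim"),
        4: Issue(4, public_project, reporter="victim"),
    }
    return {
        "public issue in private project, not a member":
            handle_bugnote_add(attacker, 1, issues),
        "private issue in public project, cannot view private":
            handle_bugnote_add(attacker, 2, issues),
        "public issue by another user, limit_reporters on":
            handle_bugnote_add(attacker, 3, issues, limit_reporters=True),
        "public issue in public project":
            handle_bugnote_add(attacker, 4, issues),
        "unknown bug_id":
            handle_bugnote_add(attacker, 2027, issues),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

Running the block prints one line per scenario; the first three come back "access denied" and the plain public case "ok", matching the analysis. The check is deliberately placed in the handler rather than in the form-rendering code, so that a bug_id altered in transit still hits the same decision.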

sud0ku

2024-05-08 14:11

reporter   ~0068919

I just realized that in this latest version, the request now has a "bugnote_add_token" parameter when uploading attachments, which is slightly different from my screenshots. As you can see in my attachment above, both the "attacker" and the "victim" have private issues on both sides. Probably the issue is in another version. I will recheck this issue again or you can mark this issue as false positive.

dregad

2024-05-08 19:03

developer   ~0068921

> in this latest version

Not sure what "latest version" you are referring to. You reported against 2.26.1, which is the latest official release; I ran my tests against master-2.26 branch HEAD.

> the request now has a "bugnote_add_token" parameter when uploading attachments

There is no such parameter anywhere in the code base. Are you using customized MantisBT code or plugins?

Waiting for your feedback to decide on what to do with this Issue; please make sure you provide a test case that can be reproduced from a fresh install and include any relevant configuration.

dregad

2024-05-10 11:52

developer   ~0068926

@sud0ku did you get a chance to re-test? I would appreciate an update quickly, as I'm currently holding the 2.26.2 release for this.

Without feedback from you by tomorrow, I'll mark this Issue as unable to reproduce and close it.

sud0ku

2024-05-10 20:44

reporter   ~0068927

Hi, apologies for the delayed response. I've spent several days testing it locally but haven't been able to reproduce the issue. I'm sorry for any inconvenience. Feel free to close this issue.

dregad

2024-05-12 06:13

developer   ~0068928

Thanks for the feedback. If you manage to reproduce at a later time, feel free to reopen the issue.