View Issue Details

IDProjectCategoryView StatusLast Update
0034437mantisbtsecuritypublic2024-05-13 02:13
Reportersud0ku Assigned Todregad  
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionunable to reproduce 
Product Version2.26.1 
Summary0034437: Broken Access Control: Any user can upload files into another user's issue when attaching files to Add Note feature.
Description

Broken Access Control was found on:
endpoint: /bugnote_add.php [bug_id]
impact: It is possible to upload any documents into another user's issue when attaching files to "Add Note" feature.

Steps To Reproduce

steps to reproduce the issue:

  1. Login as reporter user > create an issue.
  2. view or open the created issue, upload any files (make sure to not input anything in Note field otherwise the POC will failed) > intercept the request using proxy tools like burpsuite.
  3. change the "bug_id" parameter value into another user's issue (let's assume this another user has issue number 2027).
  4. send the request, and you will see the uploaded file will appear in another user's issue.
Additional Information

For CVE Handling:
Name: Zulfi Al-Farizi
email: alzee3307@gmail.com

TagsNo tags attached.

Activities

dregad

dregad

2024-05-08 11:12

developer   ~0068918

Last edited: 2024-05-08 11:13

Thanks for the bug report.

Following your instructions, I tried to replicate the problem with the following scenarios, trying to add attachment:

  • to public issue in private project that attacker does not have access to => access denied
  • to private issue in public project, with attacker not allowed to view private issues => access denied
  • to public issue reported by another user, with $g_limit_reporters = ON => access denied
  • to public issue => OK (but this is expected IMO, as it is just like the attacker submitted the attachment while viewing the other issue)

Based on this analysis, I fail to see broken access control - as far as I can tell, required authorization checks are in place . Am I missing something ? Please clarify.

sud0ku

sud0ku

2024-05-08 14:11

reporter   ~0068919

I just realized that in this latest version, the request now has a "bugnote_add_token" parameter when uploading attachments, which is slightly different from my screenshots. As you can see in my attachment above, both the "attacker" and the "victim" have private issues on both sides. Probably the issue is in another version. I will recheck this issue again or you can mark this issue as false positive.

dregad

dregad

2024-05-08 19:03

developer   ~0068921

in this latest version

Not sure what "latest version" you are referring to. You reported against 2.26.1, which is the latest official release; I ran my tests against master-2.26 branch HEAD.

the request now has a "bugnote_add_token" parameter when uploading attachments

There is no such parameter anywhere in the code base. Are you using customized MantisBT code or plugins ?

Waiting for your feedback to decide on what to do with this Issue; please make sure you provide a test case that can be reproduced from a fresh install and include any relevant configuration.

dregad

dregad

2024-05-10 11:52

developer   ~0068926

@sud0ku did you get a chance to re-test ? I would appreciate an update quickly, as I'm currently holding the 2.26.2 release for this.

Without feedback from you by tomorrow, I'll mark this Issue as unable to reproduce and close it.

sud0ku

sud0ku

2024-05-10 20:44

reporter   ~0068927

Hi, apologies for the delayed response. I've spent several days testing it locally but haven't been able to reproduce the issue. I'm sorry for any inconvenience. Feel free to close this issue.

dregad

dregad

2024-05-12 06:13

developer   ~0068928

Thanks for the feedback. If you manage to reproduce at a later time, feel free to reopen the issue.