View Issue Details

ID: 0036502
Project: mantisbt
Category: security
View Status: public
Last Update: 2025-11-01 07:49
Reporter: d3vpoo1
Assigned To: atrol
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.27.2
Fixed in Version: 2.27.2
Summary: 0036502: CVE-2025-62520: Ability to copy private project configurations (Columns)
Description

Hi Dregad and team,

It’s been a while.

For this issue, I observed that after setting up a private project and two different roles (Manager and Admin), a Manager without access to the private project can still copy the configuration from the Manage Columns tab.

Steps To Reproduce
  1. As an Admin, create one private project and one or two public projects.
  2. Navigate to http://localhost/mantisbt/manage_config_columns_page.php and modify any column.
  3. Create a Manager role.
  4. Log in as the Manager role.
  5. Navigate to http://localhost/mantisbt/manage_config_columns_page.php.
  6. Open Burp Suite.
  7. Select a project from the dropdown and click the Copy Columns From button.
  8. This will call the /mantisbt/manage_columns_copy.php endpoint.
  9. Modify the other_project_id value and use the ID of the private project.
  10. Submit the crafted request.
  11. Observe that it copies the columns from the private project.
Additional Information

MantisBT Version = 2.27.1

GitHub security advisory GHSA-g582-8vwr-68h2

Tags: No tags attached.
Attached Files
image.png (158,318 bytes)   
image-2.png (123,055 bytes)   
image-3.png (65,340 bytes)   
image-4.png (123,869 bytes)   
image-5.png (67,141 bytes)   
image-6.png (68,200 bytes)   
image-7.png (161,352 bytes)   

Relationships

related to 0009050 (closed, vboctor): Add support for "Copy Columns From/To" when customizing columns to view in View Issues, Print Issues, CSV, Excel
related to 0036515 (closed, dregad): Hardcoded role instead of config in access level check on Manage Columns page

Activities

atrol (developer), 2025-10-16 03:50, ~0070566

fix-36502.patch (1,042 bytes)   
From d0f4e150d0b47a3ef9d2ec66db5c1083b31bb574 Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Thu, 16 Oct 2025 09:40:23 +0200
Subject: [PATCH] Add access check when copying column settings

Fixes #36502
---
 manage_columns_copy.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/manage_columns_copy.php b/manage_columns_copy.php
index f6d0d740b..cec694954 100644
--- a/manage_columns_copy.php
+++ b/manage_columns_copy.php
@@ -75,6 +75,11 @@ if( $f_manage_page && $t_dst_project_id != ALL_PROJECTS ) {
 	access_ensure_project_level( MANAGER, $t_dst_project_id );
 }
 
+# only MANAGERS can read global defaults of a project
+if( $f_manage_page && $t_src_project_id != ALL_PROJECTS ) {
+	access_ensure_project_level( MANAGER, $t_src_project_id );
+}
+
 # user should only be able to set columns for a project that is accessible.
 if( $t_dst_project_id != ALL_PROJECTS ) {
 	access_ensure_project_level( config_get( 'view_bug_threshold', null, null, $t_dst_project_id ), $t_dst_project_id );
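Review bot: the new check at the top of the hunk hardcodes MANAGER for `$t_src_project_id`, mirroring the existing hardcoded check for `$t_dst_project_id`; consider `config_get( 'manage_project_threshold', null, null, $t_src_project_id )` instead, so that installations with a non-default threshold are covered, and reword the comment `# only MANAGERS can read global defaults of a project` to match. Also note that the `view_bug_threshold` check at the end of the hunk applies only to the destination project, while the added source-project check runs only when `$f_manage_page` is set; please confirm that the non-manage-page copy path enforces a comparable visibility check on `$t_src_project_id`.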
-- 
2.45.1.windows.1

atrol (developer), 2025-10-16 03:54, ~0070567

@d3vpoo1 thanks for reporting
@dregad attached patch should fix the issue. I don't have time for the administrative overhead (CVE ...) that might be needed for that.

d3vpoo1 (reporter), 2025-10-16 07:27, ~0070569

Last edited: 2025-10-16 07:27

Thanks @atrol

btw I'm planning to test the application until October 30. I just have a question: I also noticed that I can modify the default project of another user; however, this default project is only visible on the admin side and can't be seen by the user. Should I also consider this a security issue?

dregad (developer), 2025-10-17 06:17, ~0070570

Last edited: 2025-10-17 06:19

I can modify the default project of another user; however, this default project is only visible on the admin side and can't be seen by the user. Should I also consider this a security issue?

It should not be possible to alter someone else's data so I would say yes.

Please open a separate Issue for tracking, though.
EDIT: seems you already did 0036503

@atrol thanks for the patch, I'll have a look and take care of the rest - I have some days off next week so hopefully can devote some time to Mantis.

dregad (developer), 2025-10-19 20:22, ~0070572

Actions taken:

As mentioned in the PR: shouldn't we call config_get( '$manage_project_threshold', null, null, $t_src_project_id ) instead of hardcoding MANAGER for the access check?

d3vpoo1 (reporter), 2025-10-19 21:27, ~0070573

Last edited: 2025-10-19 21:32

Hi @dregad and team,
As per checking, the patch didn’t fix the issue. I can still copy the configuration of a private project.

image-10.png (109,869 bytes)   
image-11.png (57,699 bytes)   
image-9.png (64,915 bytes)   
image-8.png (64,928 bytes)   
dregad (developer), 2025-10-20 06:01, ~0070574

Hello @d3vpoo1, it works for me, see below...

Could you please double check your testing environment, in particular make sure that you are running the code from the PR (commit edf6567e69a88b7eafba6481fa43575692d53ec7).

$ git co master-2.27
Switched to branch 'master-2.27'
Your branch is up to date with 'origin/master-2.27'.

$ curl -X POST -I -L "http://127.0.0.1/mantis/manage_columns_copy.php?project_id=131&manage_page=1&other_project_id=415&copy_from=Copy%2BColumns%2BFrom" \
    -H "Cookie: MANTIS_2271_STRING_COOKIE=xxx"
HTTP/1.1 302 Found
[...snip...]

HTTP/1.1 200 OK
[...snip...]

$ git co sec-i36502-columns-copy-from
Switched to branch 'sec-i36502-columns-copy-from'
Your branch is up to date with 'ghsa-g582-8vwr-68h2/sec-i36502-columns-copy-from'.

$ curl -X POST -I -L "http://127.0.0.1/mantis/manage_columns_copy.php?project_id=131&manage_page=1&other_project_id=415&copy_from=Copy%2BColumns%2BFrom" \
    -H "Cookie: MANTIS_2271_STRING_COOKIE=xxxx"
HTTP/1.1 403 Forbidden
[...snip...]

Testing Notes:

  • Logged in as a user with the MANAGER role
  • 415 is a private project the user does not have access to
  • Set $g_form_security_validation = OFF; to avoid having to deal with security tokens.
  • The 403 return code from the access denied page is new, see 0036512 (I just rebased the PR so it includes that fix)
d3vpoo1 (reporter), 2025-10-20 11:26, ~0070582

Hi @dregad and team,

Confirmed. It now returns “Access Denied”.

image-12.png (19,350 bytes)   
dregad (developer), 2025-10-20 12:08, ~0070586

Great, thanks for confirming.

dregad (developer), 2025-10-21 04:05, ~0070589

CVE-2025-62520 assigned.

Related Changesets

MantisBT: master-2.27 4fe94f45
2025-10-16 03:40, author: atrol, committer: dregad

Add access check when copying column settings

Fixes 0036502, CVE-2025-62520, GHSA-g582-8vwr-68h2

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Affected Issues: 0036502
mod - manage_columns_copy.php