
IDProjectCategoryView StatusLast Update
0007743mantisbtsecuritypublic2007-05-08 03:42
Reportergiallu Assigned Tovboctor  
PriorityhighSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version1.0.6 
Target Version1.0.7Fixed in Version1.0.7 
Summary0007743: Port: CVE-2006-6574
Description

Mantis before 1.1.0a2 does not implement per-item access control for Issue
History (Bug History), which allows remote attackers to obtain sensitive
information by reading the Change column, as demonstrated by the Change column
of a custom field.

Attached Files
mantis-1.0.6-private_history.patch (3,882 bytes)   
Index: core/history_api.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/core/history_api.php,v
retrieving revision 1.34
retrieving revision 1.36
diff -U3 -r1.34 -r1.36
--- core/history_api.php	27 Aug 2005 01:15:59 -0000	1.34
+++ core/history_api.php	26 Sep 2006 01:30:57 -0000	1.36
@@ -6,7 +6,7 @@
 	# See the README and LICENSE files for details
 
 	# --------------------------------------------------------
-	# $Id: history_api.php,v 1.34 2005/08/27 01:15:59 thraxisp Exp $
+	# $Id: history_api.php,v 1.36 2006/09/26 01:30:57 thraxisp Exp $
 	# --------------------------------------------------------
 
 	### History API ###
@@ -102,12 +102,13 @@
 	# Retrieves the raw history events for the specified bug id and returns it in an array
 	# The array is indexed from 0 to N-1.  The second dimension is: 'date', 'userid', 'username',
 	# 'field','type','old_value','new_value'
-	function history_get_raw_events_array( $p_bug_id ) {
+	function history_get_raw_events_array( $p_bug_id, $p_user_id=NULL ) {
 		$t_mantis_bug_history_table	= config_get( 'mantis_bug_history_table' );
 		$t_mantis_user_table		= config_get( 'mantis_user_table' );
 		$t_history_order			= config_get( 'history_order' );
 		$c_bug_id					= db_prepare_int( $p_bug_id );
-
+		$t_user_id = (( NULL == $p_user_id) ? auth_get_current_user_id() : $p_userid);
+		
 		# grab history and display by date_modified then field_name
 		# @@@ by MASC I guess it's better by id then by field_name. When we have more history lines with the same
 		# date, it's better to respect the storing order otherwise we should risk to mix different information
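Review bot: The fallback branch on the new `$t_user_id` line reads `$p_userid`, which is not the parameter declared in the new signature (`$p_user_id`); whenever a caller passes an explicit user id, the undefined name evaluates to NULL and every access check later in the function runs for user NULL rather than the requested user. Rename it: `$t_user_id = ( ( NULL == $p_user_id ) ? auth_get_current_user_id() : $p_user_id );`. `NULL == $p_user_id` is also a loose comparison that treats 0 and '' the same as NULL; `null === $p_user_id` makes the intent explicit. The function history_get_raw_events_array continues past the end of this hunk.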
@@ -122,20 +123,49 @@
 		$raw_history_count = db_num_rows( $result );
 		$raw_history = array();
 
-		for ( $i=0; $i < $raw_history_count; ++$i ) {
+		$t_private_bugnote_threshold	= config_get( 'private_bugnote_threshold' );
+		$t_private_bugnote_visible = access_has_bug_level( 
+			config_get( 'private_bugnote_threshold' ), $p_bug_id, $t_user_id );
+			
+		for ( $i=0,$j=0; $i < $raw_history_count; ++$i ) {
 			$row = db_fetch_array( $result );
 			extract( $row, EXTR_PREFIX_ALL, 'v' );
 
-			$raw_history[$i]['date']	= db_unixtimestamp( $v_date_modified );
-			$raw_history[$i]['userid']	= $v_user_id;
+			// check that the item should be visible to the user
+			// custom fields
+			$t_field_id = custom_field_get_id_from_name( $v_field_name );
+			if ( false !== $t_field_id && 
+					!custom_field_has_read_access( $t_field_id, $p_bug_id, $t_user_id ) ) {
+				continue; 
+			}
+			// bugnotes
+			if ( $t_user_id != $v_user_id ) { // bypass if user originated note
+				if ( ( $v_type == BUGNOTE_ADDED ) ||
+					( $v_type == BUGNOTE_UPDATED ) ||
+					( $v_type == BUGNOTE_DELETED ) ) {
+						if ( !$t_private_bugnote_visible && 
+							( bugnote_get_field( $v_old_value, 'view_state' ) == VS_PRIVATE ) ) {
+								continue;
+						}
+				}
+				if ( $v_type == BUGNOTE_STATE_CHANGED ) {
+					if ( !$t_private_bugnote_visible && 
+							( bugnote_get_field( $v_new_value, 'view_state' ) == VS_PRIVATE ) ) {
+						continue;
+					}
+				}
+			}
+			$raw_history[$j]['date']	= db_unixtimestamp( $v_date_modified );
+			$raw_history[$j]['userid']	= $v_user_id;
 
 			# user_get_name handles deleted users, and username vs realname
-			$raw_history[$i]['username'] = user_get_name( $v_user_id );
+			$raw_history[$j]['username'] = user_get_name( $v_user_id );
 
-			$raw_history[$i]['field']		= $v_field_name;
-			$raw_history[$i]['type']		= $v_type;
-			$raw_history[$i]['old_value']	= $v_old_value;
-			$raw_history[$i]['new_value']	= $v_new_value;
+			$raw_history[$j]['field']		= $v_field_name;
+			$raw_history[$j]['type']		= $v_type;
+			$raw_history[$j]['old_value']	= $v_old_value;
+			$raw_history[$j]['new_value']	= $v_new_value;
+			$j++;
 		} # end for loop
 
 		return $raw_history;
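Review bot: `$t_private_bugnote_threshold` is assigned from config_get on the first added line before the loop and then never used; the access_has_bug_level call immediately below re-reads the same config key instead, so either pass the variable there (replace `config_get( 'private_bugnote_threshold' )` with `$t_private_bugnote_threshold`) or drop the assignment. For BUGNOTE_DELETED rows the view_state check still calls `bugnote_get_field( $v_old_value, 'view_state' )`, which presumably looks up a bugnote that no longer exists by the time history is displayed; worth confirming how that helper behaves for a missing id, since an error there would abort history rendering for every viewer rather than just filtering the row. The `$t_user_id != $v_user_id` guard lets a user see the history of their own notes regardless of view state, which is reasonable but deserves a comment stating that the originator bypass is intentional, e.g. `# the note's author may always see its history rows, even when the note is private`. The enclosing function's closing brace lies outside the hunk.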

Relationships

related to 0003375 closedthraxisp Bughistory bypasses security on custom fields 
related to 0007364 closedthraxisp Custom field visible in history independent from user role 

Activities

giallu

2007-01-28 18:31

reporter   ~0013970

I attached the patch I am using in Fedora rpm package (extracted from your CVS).

Please consider a new release in the 1.0.x series with the fix

vboctor

2007-04-01 02:07

manager   ~0014293

giallu, can you please test the latest 1.0.x code in CVS and let me know if you find any issues with this fix.