View Issue Details
| Field | Value |
|---|---|
| ID | 0009321 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2008-07-01 00:03 |
| Last Update | 2008-10-23 09:59 |
| Reporter | vboctor |
| Assigned To | vboctor |
| Priority | normal |
| Severity | minor |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.1.2 |
| Target Version | 1.1.3 |
| Fixed in Version | 1.1.3 |
| Summary | 0009321: Users can get title and status of issues that they don't have access to. |
| Description | If the user references an issue via (# issue number), the issue is converted to a hyperlink if the issue exists. However, no verification is done to make sure that the issue is accessible by the current user. |
| Tags | No tags attached. |
| Relationship | Issue | Status | Assignee | Summary |
|---|---|---|---|---|
| parent of | 0009322 | closed | vboctor | Port of 0009321: Users can get title and status of issues that they don't have access to. |
| has duplicate | 0009824 | closed | giallu | unauthorized access to issue details |
| related to | 0009252 | closed | grangeway | Numeric link to issues tells title and status even if logged in user is not authorized |
Fixed via svn:5384
I had recently tested a similar fix for the problem. However, my solution was to change string_get_bug_view_link() to only post the bug's summary if the user had access, but to still hyperlink it otherwise, in order to allow anonymous/unlogged users to click the bug link, and then log in to see the bug. It would also still allow the user to see the bug's status, regardless of access level, although that could easily be changed. I think this could be a better solution to the problem than to not hyperlink the bug at all.
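The following is an added, self-contained model of the bug class described in this issue and of the two remedies discussed (the fix the issue settles on, which does not hyperlink an inaccessible issue at all, and the alternative in the note above, which keeps the hyperlink but withholds the details). It is written in Python and is not MantisBT's string_get_bug_view_link() or the svn:5384 change; the Issue and User classes, the can_view() rule, the sample data and the placement of summary and status in the link's title attribute are all assumptions made for the illustration.

```python
import html
import re
from dataclasses import dataclass
from typing import Optional

# Added illustration of issue 0009321 (CVE-2008-4688). NOT MantisBT code:
# the Issue/User model, can_view() and the sample data are assumptions.


@dataclass(frozen=True)
class Issue:
    id: int
    project: str
    summary: str
    status: str


@dataclass(frozen=True)
class User:
    name: str
    projects: frozenset  # projects the user may read (assumed access model)


# Constructed sample data: one issue everyone can read, one in a project
# that only insiders can read.
ISSUES = {
    100: Issue(100, "public-proj", "Typo on login page", "closed"),
    200: Issue(200, "secret-proj", "Backup script embeds the DB root password", "new"),
}

INSIDER = User("alice", frozenset({"public-proj", "secret-proj"}))
OUTSIDER = User("eve", frozenset({"public-proj"}))
ANONYMOUS = User("anonymous", frozenset())

# "#123" not preceded by a word character or another '#'.
BUG_REF = re.compile(r"(?<![\w#])#(\d+)\b")


def can_view(user: User, issue: Issue) -> bool:
    """Simplified access check: the reader needs read access to the project."""
    return issue.project in user.projects


def _link(bug_id: int, issue: Optional[Issue]) -> str:
    """Render the hyperlink; the title attribute carries what leaked."""
    if issue is None:
        return f'<a href="view.php?id={bug_id}">#{bug_id}</a>'
    title = html.escape(f"[{issue.status}] {issue.summary}", quote=True)
    return f'<a href="view.php?id={bug_id}" title="{title}">#{bug_id}</a>'


def linkify_vulnerable(text: str) -> str:
    """Before the fix: every existing issue is linked with its summary and
    status; the reader's identity is never consulted."""
    def repl(m: re.Match) -> str:
        bug_id = int(m.group(1))
        issue = ISSUES.get(bug_id)
        return m.group(0) if issue is None else _link(bug_id, issue)
    return BUG_REF.sub(repl, html.escape(text))


def linkify_fixed(text: str, user: User) -> str:
    """The approach the issue settles on: an issue the reader may not view is
    left as plain text, exactly like a nonexistent id, so the page does not
    even confirm that the id exists."""
    def repl(m: re.Match) -> str:
        bug_id = int(m.group(1))
        issue = ISSUES.get(bug_id)
        if issue is None or not can_view(user, issue):
            return m.group(0)
        return _link(bug_id, issue)
    return BUG_REF.sub(repl, html.escape(text))


def linkify_alternative(text: str, user: User) -> str:
    """The alternative from the note: keep the hyperlink so an anonymous
    reader can click through and log in, but attach summary and status only
    for readers who may view the issue. (The note's version still exposed
    status; here it is withheld together with the summary.) Caveat: since a
    link is emitted only for existing ids, existence of an inaccessible id
    is still revealed, which linkify_fixed() avoids."""
    def repl(m: re.Match) -> str:
        bug_id = int(m.group(1))
        issue = ISSUES.get(bug_id)
        if issue is None:
            return m.group(0)
        return _link(bug_id, issue if can_view(user, issue) else None)
    return BUG_REF.sub(repl, html.escape(text))


def leaks_details(rendered: str, issue: Issue) -> bool:
    """Oracle for the checks below: does the HTML expose summary or status?"""
    return (html.escape(issue.summary) in rendered
            or f"[{issue.status}]" in rendered)


if __name__ == "__main__":
    note = "duplicates #200, see also #100 and #999"
    print(linkify_vulnerable(note))
    print(linkify_fixed(note, OUTSIDER))
    print(linkify_alternative(note, OUTSIDER))
```

Rendering the same note for the outsider with each function shows the difference: the vulnerable version puts the private issue's status and summary into the link, the fixed version leaves `#200` as plain text indistinguishable from the nonexistent `#999`, and the alternative keeps a bare link to `#200` that an anonymous reader can follow to the login page.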
This is now CVE-2008-4688