I searched the change log and forums but was unable to find if the security issues with cross-references have been fixed.
Here is what I mean. Perhaps you have 2 private projects. Different people are allowed to access these projects and they are not supposed to know what is going on in the other project. Now, you create a new issue or just enter comments in an existing issue and type something like "See issue #123 for details" or just "call me at #123 465 1212".
Mantis converts such numeric references to hyperlinks, but issue #123 is accidentally in the other project. You can now click on the hyperlink and see that other issue. Moreover, from the issue numbers and gaps in numbers, you can easily figure out when an issue is created in the other project and easily see it by creating a note for yourself with a manually entered reference.
Another case: you add a "related" link and manually type an issue in another project. Mantis again doesn't mind, but you can make a mistake or enter an issue in another project on purpose. Now everyone can see that other issue.
Have these security issues been fixed? If yes, in which release?
Thanks
Dev.
We are still running 1.0.8
security and numeric issue hyperlinks bug
Re: security and numeric issue hyperlinks bug
At the moment, when creating a hyperlink to a bug, there is a check that the bug exists, there is no check that it is accessible to the current user. Hence, we need to add such check to fix this issue. Can you please report an issue in the bug tracker for this. This should qualify for fixing in both 1.1.x and 1.2.x branches.
Re: security and numeric issue hyperlinks bug
I cannot add anything to the tracker as I don't have an account for that. My forum's account is not working for the tracker.
***
I'm really surprised that nobody reported this critical security issue earlier. It seems to be right on the surface. As soon as you create more than one project and accidentally type any number prefixed with a # sign you should see it right away. Once you get more than 5 private projects set up and start using them, you should stumble upon this issue many times every day. This is a very very big security problem for us. We started using Mantis for client support and for us this is a real showstopper. Clients can see issues that belong to other clients and these other client issues can have private info and data attached, including data for which we signed NDA agreements.
Please help me get this issue into the tracker and get it fixed as soon as possible.
Re: security and numeric issue hyperlinks bug
Just so you understand how serious this is. Using this weird feature with in-line hyperlinks, one can easily see and download the entire tracker database. Using Excel, create a 1-column worksheet with the number 1 in the first cell and a formula like ="#" & STR(A1+1) in the second cell, copy and paste it into 1000 more cells, and then paste them all into a single bug note. Voila, you can now see the first 1000 issues, no matter what kind of access you have to the system. In case you want to see the next thousand issues? Just change the formula.
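The developer's description of the fix (link only when the bug exists and the viewer may access it) and the bulk-reference note above, as an added example that is not MantisBT code. It models the `#NNN` auto-linker with a constructed two-project tracker; `bug_exists`, `access_has_bug_level`, the membership table and the audit helper are assumed names, not the project's API:

```python
import re

# Constructed sample tracker: two private projects share one issue id space.
ISSUES = {
    100: {"project": "client-a", "summary": "Login page broken"},
    101: {"project": "client-b", "summary": "NDA data export fails"},
    102: {"project": "client-a", "summary": "Typo in footer"},
}
# Constructed membership table: which projects each user may view.
MEMBERSHIP = {"alice": {"client-a"}, "bob": {"client-b"}}

# '#' followed by digits, not preceded by a word char or '&' (skips "&#123;" entities).
BUG_REF = re.compile(r"(^|[^\w&])#(\d+)\b")


def bug_exists(bug_id: int) -> bool:
    return bug_id in ISSUES


def access_has_bug_level(user: str, bug_id: int) -> bool:
    """Viewer may see a bug only if they belong to the bug's project (assumed model)."""
    return ISSUES[bug_id]["project"] in MEMBERSHIP.get(user, set())


def _link(prefix: str, bug_id: int) -> str:
    return f'{prefix}<a href="view.php?id={bug_id}">#{bug_id}</a>'


def link_refs_vulnerable(text: str) -> str:
    """Before the fix: every existing id becomes a link, whoever is viewing."""
    def repl(m: re.Match) -> str:
        bug_id = int(m.group(2))
        return _link(m.group(1), bug_id) if bug_exists(bug_id) else m.group(0)
    return BUG_REF.sub(repl, text)


def link_refs_fixed(text: str, user: str) -> str:
    """After the fix: link only if the bug exists AND the viewer may access it;
    otherwise the raw '#123' text is left untouched (no hint that it exists)."""
    def repl(m: re.Match) -> str:
        bug_id = int(m.group(2))
        if bug_exists(bug_id) and access_has_bug_level(user, bug_id):
            return _link(m.group(1), bug_id)
        return m.group(0)
    return BUG_REF.sub(repl, text)


def count_cross_project_refs(text: str, note_project: str) -> int:
    """Audit helper: references in a note that resolve to issues in another project.
    A note with hundreds of these is the pasted-spreadsheet pattern from the thread."""
    ids = (int(m.group(2)) for m in BUG_REF.finditer(text))
    return sum(1 for i in ids if bug_exists(i) and ISSUES[i]["project"] != note_project)
```

Running `count_cross_project_refs` over existing bug notes gives a quick way to find where the leak has already been exercised on an installation that has not yet been patched.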
Re: security and numeric issue hyperlinks bug
The account on the forum doesn't work on the tracker. You need a separate account on the tracker. I recommend you do that so that you can monitor the changes on the issue as you submit it. Once the issue is fixed, I will submit a patch for you to patch your installation.
I am assuming that the disclosed information is the issue summary and status, right?
Re: security and numeric issue hyperlinks bug
Here is the fix. Try it out and let me know the results:
Modified: branches/BRANCH_1_1_0/mantisbt/core/string_api.php
===================================================================
--- branches/BRANCH_1_1_0/mantisbt/core/string_api.php 2008-07-01 04:05:38 UTC (rev 5383)
+++ branches/BRANCH_1_1_0/mantisbt/core/string_api.php 2008-07-01 04:12:46 UTC (rev 5384)
@@ -306,7 +306,7 @@
if ( !isset( $string_process_bug_link_callback[$p_include_anchor][$p_detail_info][$p_fqdn] ) ) {
if ($p_include_anchor) {
$string_process_bug_link_callback[$p_include_anchor][$p_detail_info][$p_fqdn] = create_function('$p_array','
- if (bug_exists( (int)$p_array[2] ) ) {
+ if ( bug_exists( (int)$p_array[2] ) && access_has_bug_level( VIEWER, (int)$p_array[2] ) ) {
return $p_array[1] . string_get_bug_view_link( (int)$p_array[2], null, ' . ($p_detail_info ? 'true' : 'false') . ', ' . ($p_fqdn ? 'true' : 'false') . ');
} else {
return $p_array[0];
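Review bot: the added condition on the `+` line checks access against the hard-coded `VIEWER` level rather than the installation's configured view threshold, so a site that requires more than viewer rights to see bugs in a private project would still get a link generated; consider `access_has_bug_level( config_get( 'view_bug_threshold' ), (int)$p_array[2] )` instead. Only the `if ($p_include_anchor)` callback is changed in this hunk; the non-anchor callback in the `else` branch (outside the shown lines) needs the same condition or it will keep confirming that an inaccessible id exists. Two further points from the thread: the patch is against `branches/BRANCH_1_1_0` while the reporter states they run 1.0.8, so it may not apply there, and the "related issue" case from the original report (manually entering an id from another project in the relationship field) is not addressed by this change.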
Re: security and numeric issue hyperlinks bug
The fix didn't work
Mike Zenns
Mantis Administrator
v. 1.0.8
Ubuntu 8.04 server
Re: security and numeric issue hyperlinks bug
How to add a hyperlink in a Word document and not see the words hyperlink? I know how to insert a hyperlink, but it keeps saying hyperlink and then I can't click it to go to the web address I have typed in. Any help would be appreciated. Thanks in advance.