2002-06 Private bugs accessible in Mantis

Mantis Manual

2002-06 Private bugs accessible in Mantis
Last Modified: December 23, 2006 04:12AM

(Up to Mantis 0.17.3)

Description

0. Table of Contents

1. Introduction
2. Summary / Impact analysis
3. Affected versions
4. Workaround / Solution
5. Proof of Vulnerability
6. Credit
7. Contact details

1. Introduction

Mantis is an Open Source web-based bugtracking system, written in PHP, which
uses the MySQL database server. It is being actively developed by a small
group of developers, and is considered to be in the beta stage.

2. Summary / Impact analysis

There are several locations where all information about a bug is listed:
- View Bug (simple and advanced)
- Update Bug (simple and advanced)

None of these locations checked whether a user was allowed to see a bug.
This allowed any user to see an arbitrary bug by entering the bug ID in the
URL or in the 'Jump'-box. The user has to know the bug ID but this is not
difficult to come by as the bug ID is an autoincrementing number.

Mantis 0.17.5 adds code to the four locations listed above, which checks
whether the user has the appropriate permissions.

3. Affected versions

The following versions are known to be affected:
Mantis 0.17.4a
Mantis 0.17.4
Mantis 0.17.3

The following versions are known to be unaffected:
Mantis 0.17.5

The following versions are suspected to be affected:
Any version below Mantis 0.17.3

4. Workaround / Solution

Mantis 0.17.5 adds appropriate permissions checks. All users are urged to
upgrade to this version as soon as possible.

If an upgrade is not possible, the following patch (against Mantis 0.17.4a)
will close the vulnerability:

diff -u -r mantis-0.17.4a/bug_update_advanced_page.php mantis-0.17.5/bug_update_advanced_page.php

--- mantis-0.17.4a/bug_update_advanced_page.php Mon May 20 03:34:20 2002 +++ mantis-0.17.5/bug_update_advanced_page.php Fri Aug 23 11:55:52 2002 @@ -26,6 +26,9 @@ $result = db_query( $query ); $row = db_fetch_array( $result ); extract( $row, EXTR_PREFIX_ALL, "v" ); + + # if bug is private, make sure user can view private bugs + access_bug_check( $f_id, $v_view_state ); $query = "SELECT * FROM $g_mantis_bug_text_table diff -u -r mantis-0.17.4a/bug_update_page.php mantis-0.17.5/bug_update_page.php --- mantis-0.17.4a/bug_update_page.php Mon May 20 03:34:20 2002 +++ mantis-0.17.5/bug_update_page.php Fri Aug 23 11:56:06 2002 @@ -27,6 +27,9 @@ $result = db_query( $query ); $row = db_fetch_array( $result ); extract( $row, EXTR_PREFIX_ALL, "v" ); + + # if bug is private, make sure user can view private bugs + access_bug_check( $f_id, $v_view_state ); $query = "SELECT * FROM $g_mantis_bug_text_table diff -u -r mantis-0.17.4a/core_user_API.php mantis-0.17.5/core_user_API.php --- mantis-0.17.4a/core_user_API.php Sun Aug 18 08:57:20 2002 +++ mantis-0.17.5/core_user_API.php Fri Aug 23 11:52:43 2002 @@ -577,6 +577,23 @@ } } # -------------------- + # check to see if the current user has access to the specified bug. This assumes that the bug exists and + # that the user has access to the project (check_bug_exists() and project_access_check()). + function access_bug_check( $p_bug_id, $p_view_state='' ) { + global $g_private_bug_threshold; + + if ( empty ( $p_view_state ) ) { + $t_view_state = get_bug_field( $p_bug_id, 'view_state' ); + } else { + $t_view_state = (integer)$p_view_state; + } + + # Make sure if the bug is private, the logged in user has access to it. + if ( ( $t_view_state == PRIVATE ) && !access_level_check_greater_or_equal( $g_private_bug_threshold ) ) { + print_header_redirect( 'logout_page.php' ); + } + } + # -------------------- ########################################################################### # User Information API ########################################################################### diff -u -r mantis-0.17.4a/view_bug_advanced_page.php mantis-0.17.5/view_bug_advanced_page.php --- mantis-0.17.4a/view_bug_advanced_page.php Mon May 20 03:34:21 2002 +++ mantis-0.17.5/view_bug_advanced_page.php Fri Aug 23 11:56:29 2002 @@ -22,6 +22,9 @@ $result = db_query( $query ); $row = db_fetch_array( $result ); extract( $row, EXTR_PREFIX_ALL, "v" ); + + # if bug is private, make sure user can view private bugs + access_bug_check( $f_id, $v_view_state ); $query = "SELECT * FROM $g_mantis_bug_text_table diff -u -r mantis-0.17.4a/view_bug_page.php mantis-0.17.5/view_bug_page.php --- mantis-0.17.4a/view_bug_page.php Mon May 20 03:34:21 2002 +++ mantis-0.17.5/view_bug_page.php Fri Aug 23 11:57:00 2002 @@ -22,6 +22,9 @@ $result = db_query( $query ); $row = db_fetch_array( $result ); extract( $row, EXTR_PREFIX_ALL, "v" ); + + # if bug is private, make sure user can view private bugs + access_bug_check( $f_id, $v_view_state ); $query = "SELECT * FROM $g_mantis_bug_text_table

5. Proof of Vulnerability

The easiest way to confirm this vulnerability is by logging on to your
Mantis installation with a low-priviledge user and enter the bug ID of a bug
that should not be readable by that user in the 'Jump' box.

Older versions without a 'Jump' box can be exploited by changing the f_id
parameter to view_bug_page.php, view_bug_advanced_page.php,
bug_update_page.php or bug_update_advanced_page.php.

6. Credit

This vulnerability was reported anonymously through our Bug Tracking System.

7. Contact details
The latest version of Mantis is always available from:
http://www.mantisbt.org/
The current version is 1.0.6, which can be downloaded from
http://www.mantisbt.org/download.php

If you have any questions about this vulnerability, or wish to report
another, you can contact report it as a private issue on:
http://www.mantisbt.org/bugs/

The latest version of this and other advisories can be found at:
http://www.mantisbt.org/manual/

User Contributed Notes
2002-06 Private bugs accessible in Mantis

There are no user contributed notes for this page.

Last updated: Fri, 21 Nov 2008 - 17:25:24