[Mantis Advisory/2002-06] Private bugs accessible in Mantis
0. Table of Contents
1. Introduction
2. Summary / Impact analysis
3. Affected versions
4. Workaround / Solution
5. Proof of Vulnerability
6. Credit
7. Contact details
1. Introduction
Mantis is an Open Source web-based bugtracking system, written in PHP, which
uses the MySQL database server. It is being actively developed by a small
group of developers, and is considered to be in the beta stage.
2. Summary / Impact analysis
There are several locations where all information about a bug is listed:
- View Bug (simple and advanced)
- Update Bug (simple and advanced)
None of these locations checked whether a user was allowed to see a bug.
This allowed any user to see an arbitrary bug by entering the bug ID in the
URL or in the 'Jump'-box. The user has to know the bug ID but this is not
difficult to come by as the bug ID is an autoincrementing number.
Mantis 0.17.5 adds code to the four locations listed above, which checks
whether the user has the appropriate permissions.
3. Affected versions
The following versions are known to be affected:
Mantis 0.17.4a
Mantis 0.17.4
Mantis 0.17.3
The following versions are known to be unaffected:
Mantis 0.17.5
The following versions are suspected to be affected:
Any version below Mantis 0.17.3
4. Workaround / Solution
Mantis 0.17.5 adds appropriate permissions checks. All users are urged to
upgrade to this version as soon as possible.
If an upgrade is not possible, the following patch (against Mantis 0.17.4a)
will close the vulnerability:
diff -u -r mantis-0.17.4a/bug_update_advanced_page.php
mantis-0.17.5/bug_update_advanced_page.php
--- mantis-0.17.4a/bug_update_advanced_page.php Mon May 20 03:34:20 2002
+++ mantis-0.17.5/bug_update_advanced_page.php Fri Aug 23 11:55:52 2002
@@ -26,6 +26,9 @@
$result = db_query( $query );
$row = db_fetch_array( $result );
extract( $row, EXTR_PREFIX_ALL, "v" );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );
$query = "SELECT *
FROM $g_mantis_bug_text_table
diff -u -r mantis-0.17.4a/bug_update_page.php mantis-0.17.5/bug_update_page.php
--- mantis-0.17.4a/bug_update_page.php Mon May 20 03:34:20 2002
+++ mantis-0.17.5/bug_update_page.php Fri Aug 23 11:56:06 2002
@@ -27,6 +27,9 @@
$result = db_query( $query );
$row = db_fetch_array( $result );
extract( $row, EXTR_PREFIX_ALL, "v" );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );
$query = "SELECT *
FROM $g_mantis_bug_text_table
diff -u -r mantis-0.17.4a/core_user_API.php mantis-0.17.5/core_user_API.php
--- mantis-0.17.4a/core_user_API.php Sun Aug 18 08:57:20 2002
+++ mantis-0.17.5/core_user_API.php Fri Aug 23 11:52:43 2002
@@ -577,6 +577,23 @@
}
}
# --------------------
+ # check to see if the current user has access to the specified bug.
This assumes that the bug exists and
+ # that the user has access to the project (check_bug_exists() and
project_access_check()).
+ function access_bug_check( $p_bug_id, $p_view_state='' ) {
+ global $g_private_bug_threshold;
+
+ if ( empty ( $p_view_state ) ) {
+ $t_view_state = get_bug_field( $p_bug_id,
'view_state' );
+ } else {
+ $t_view_state = (integer)$p_view_state;
+ }
+
+ # Make sure if the bug is private, the logged in user has
access to it.
+ if ( ( $t_view_state == PRIVATE ) &&
!access_level_check_greater_or_equal( $g_private_bug_threshold ) ) {
+ print_header_redirect( 'logout_page.php' );
+ }
+ }
+ # --------------------
###########################################################################
# User Information API
###########################################################################
diff -u -r mantis-0.17.4a/view_bug_advanced_page.php
mantis-0.17.5/view_bug_advanced_page.php
--- mantis-0.17.4a/view_bug_advanced_page.php Mon May 20 03:34:21 2002
+++ mantis-0.17.5/view_bug_advanced_page.php Fri Aug 23 11:56:29 2002
@@ -22,6 +22,9 @@
$result = db_query( $query );
$row = db_fetch_array( $result );
extract( $row, EXTR_PREFIX_ALL, "v" );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );
$query = "SELECT *
FROM $g_mantis_bug_text_table
diff -u -r mantis-0.17.4a/view_bug_page.php mantis-0.17.5/view_bug_page.php
--- mantis-0.17.4a/view_bug_page.php Mon May 20 03:34:21 2002
+++ mantis-0.17.5/view_bug_page.php Fri Aug 23 11:57:00 2002
@@ -22,6 +22,9 @@
$result = db_query( $query );
$row = db_fetch_array( $result );
extract( $row, EXTR_PREFIX_ALL, "v" );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );
$query = "SELECT *
FROM $g_mantis_bug_text_table
5. Proof of Vulnerability
The easiest way to confirm this vulnerability is by logging on to your
Mantis installation with a low-priviledge user and enter the bug ID of a bug
that should not be readable by that user in the 'Jump' box.
Older versions without a 'Jump' box can be exploited by changing the f_id
parameter to view_bug_page.php, view_bug_advanced_page.php,
bug_update_page.php or bug_update_advanced_page.php.
6. Credit
This vulnerability was reported anonymously through our Bug Tracking System.
7. Contact details
The latest version of Mantis is always available from:
http://mantisbt.sourceforge.net/
The current version is 0.17.5, which can be downloaded from
http://mantisbt.sourceforge.net/download.php3
If you have any questions about this vulnerability, or wish to report
another, you can contact the developers at:
mantisbt-security@lists.sourceforge.net
This is a private mailinglist, readable only by a few developers.
The latest version of this and other advisories can be found at:
http://mantisbt.sourceforge.net/security.php3
