Mantis Unauthorized Project Bug List Viewing Vulnerability
Mantis is prone to an issue which may allow malicious users of the bug tracking system to gain unauthorized access to restricted projects. Vulnerable versions of Mantis do not adequately check that a user has access to projects. It has been reported that a malicious user may manipulate values in cookie-based authentication credentials to gain unauthorized viewing rights to bugs in other projects. However, exploitation of this issue is limited to gaining a listing of 'Public' bugs in other projects. This issue was reported in Mantis 0.17.3. Earlier versions are also believed to be affected.
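
The missing control described above, sketched as an added example (not Mantis source code and not from the original advisory): the project value read from a cookie is treated as untrusted input and checked against server-side project membership before any bug list is built. All function names, the data layout and the sample records are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample data; every name here is hypothetical, not Mantis code.
$PROJECT_MEMBERS = [          // project id => user ids allowed to view it
    1 => [10, 11],
    2 => [11],                // restricted project: user 10 is not a member
];
$BUGS = [
    ['id' => 101, 'project' => 1, 'view' => 'public',  'reporter' => 10],
    ['id' => 201, 'project' => 2, 'view' => 'public',  'reporter' => 11],
    ['id' => 202, 'project' => 2, 'view' => 'private', 'reporter' => 11],
];

// Server-side check: does this user have access to this project?
function user_can_view_project(array $members, int $userId, int $projectId): bool
{
    return isset($members[$projectId])
        && in_array($userId, $members[$projectId], true);
}

// Treat the cookie's project value as untrusted input: parse it strictly and
// return null unless the authenticated user is a member of that project.
function resolve_project(array $members, int $userId, $cookieValue): ?int
{
    $projectId = filter_var($cookieValue, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($projectId === false || !user_can_view_project($members, $userId, $projectId)) {
        return null;
    }
    return $projectId;
}

// Build the bug list only after the project check has passed; the per-bug
// 'public' flag alone is not an authorization decision.
function list_bugs(array $bugs, array $members, int $userId, $cookieValue): array
{
    $projectId = resolve_project($members, $userId, $cookieValue);
    if ($projectId === null) {
        return [];            // deny: caller should render an access-denied page
    }
    return array_values(array_filter($bugs, function ($b) use ($projectId, $userId) {
        return $b['project'] === $projectId
            && ($b['view'] === 'public' || $b['reporter'] === $userId);
    }));
}

// Constructed cases: user 10 presents a cookie naming project 2 (not a member), then project 1.
var_dump(array_column(list_bugs($BUGS, $PROJECT_MEMBERS, 10, '2'), 'id'));
var_dump(array_column(list_bugs($BUGS, $PROJECT_MEMBERS, 10, '1'), 'id'));
```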