
Mantis Unauthorized Bug Viewing Vulnerability

Solution:
The vendor has released the following patch for users of mantis 0.17.4a:

diff -u -r mantis-0.17.4a/bug_update_advanced_page.php
mantis-0.17.5/bug_update_advanced_page.php
--- mantis-0.17.4a/bug_update_advanced_page.php Mon May 20 03:34:20 2002
+++ mantis-0.17.5/bug_update_advanced_page.php Fri Aug 23 11:55:52 2002
@@ -26,6 +26,9 @@
$result = db_query( $query );
$row = db_fetch_array( $result );
extract( $row, EXTR_PREFIX_ALL, "v" );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );

$query = "SELECT *
FROM $g_mantis_bug_text_table
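Review bot: The new `access_bug_check( $f_id, $v_view_state );` relies on `$v_view_state` having been set by the preceding `extract( $row, EXTR_PREFIX_ALL, "v" )`, i.e. on the query having returned a row; if `$f_id` matches no bug, `$row` is false, `$v_view_state` is undefined, and the helper falls back to a second lookup by id. The header comment on access_bug_check in core_user_API.php says callers must already have run check_bug_exists() and project_access_check(), and neither call is visible in this hunk (the page's preamble is outside it), so it is worth confirming they precede the query. The same applies to the identical hunks in bug_update_page.php, view_bug_advanced_page.php and view_bug_page.php.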
diff -u -r mantis-0.17.4a/bug_update_page.php mantis-0.17.5/bug_update_page.php
--- mantis-0.17.4a/bug_update_page.php Mon May 20 03:34:20 2002
+++ mantis-0.17.5/bug_update_page.php Fri Aug 23 11:56:06 2002
@@ -27,6 +27,9 @@
$result = db_query( $query );
$row = db_fetch_array( $result );
extract( $row, EXTR_PREFIX_ALL, "v" );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );

$query = "SELECT *
FROM $g_mantis_bug_text_table
diff -u -r mantis-0.17.4a/core_user_API.php mantis-0.17.5/core_user_API.php
--- mantis-0.17.4a/core_user_API.php Sun Aug 18 08:57:20 2002
+++ mantis-0.17.5/core_user_API.php Fri Aug 23 11:52:43 2002
@@ -577,6 +577,23 @@
}
}
# --------------------
+ # check to see if the current user has access to the specified bug.
This assumes that the bug exists and
+ # that the user has access to the project (check_bug_exists() and
project_access_check()).
+ function access_bug_check( $p_bug_id, $p_view_state='' ) {
+ global $g_private_bug_threshold;
+
+ if ( empty ( $p_view_state ) ) {
+ $t_view_state = get_bug_field( $p_bug_id,
'view_state' );
+ } else {
+ $t_view_state = (integer)$p_view_state;
+ }
+
+ # Make sure if the bug is private, the logged in user has
access to it.
+ if ( ( $t_view_state == PRIVATE ) &&
!access_level_check_greater_or_equal( $g_private_bug_threshold ) ) {
+ print_header_redirect( 'logout_page.php' );
+ }
+ }
+ # --------------------
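Review bot: The denial in access_bug_check is only effective if `print_header_redirect( 'logout_page.php' )` terminates the script; if that helper merely emits a Location header and returns, control goes back to the calling page, which continues to query and render the private bug for any client that ignores the redirect. Unless print_header_redirect is known to exit, add `exit;` directly after the redirect call so the check fails closed. Separately, `empty( $p_view_state )` treats `'0'`/`0` as "not supplied", so a zero-valued view state passed by a caller always triggers the extra get_bug_field() lookup; whether that can occur depends on the value of the PRIVATE constant, which is not shown here.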
###########################################################################
# User Information API
###########################################################################
diff -u -r mantis-0.17.4a/view_bug_advanced_page.php
mantis-0.17.5/view_bug_advanced_page.php
--- mantis-0.17.4a/view_bug_advanced_page.php Mon May 20 03:34:21 2002
+++ mantis-0.17.5/view_bug_advanced_page.php Fri Aug 23 11:56:29 2002
@@ -22,6 +22,9 @@
$result = db_query( $query );
$row = db_fetch_array( $result );
extract( $row, EXTR_PREFIX_ALL, "v" );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );

$query = "SELECT *
FROM $g_mantis_bug_text_table
diff -u -r mantis-0.17.4a/view_bug_page.php mantis-0.17.5/view_bug_page.php
--- mantis-0.17.4a/view_bug_page.php Mon May 20 03:34:21 2002
+++ mantis-0.17.5/view_bug_page.php Fri Aug 23 11:57:00 2002
@@ -22,6 +22,9 @@
$result = db_query( $query );
$row = db_fetch_array( $result );
extract( $row, EXTR_PREFIX_ALL, "v" );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );

$query = "SELECT *
FROM $g_mantis_bug_text_table

An updated version is available:


Mantis Mantis 0.17.0

Mantis Mantis 0.17.1

Mantis Mantis 0.17.2

Mantis Mantis 0.17.3

Mantis Mantis 0.17.4a

Mantis Mantis 0.17.4







 
