MantisBT: master 1fbcd9bc

Author: dregad
Committer: dregad
Branch: master
Timestamp: 2018-04-25 08:31
Parent: master-2.13 88913cb3
Affected Issues: 0024221: CVE-2018-9839: Private issues accessible to unauthorized users using the "Clone" functionality
Changeset

Prevent cloning private issues by unauthorized users

Using a crafted request on bug_report_page.php (modifying the 'm_id'
parameter), any user with REPORTER access or above is able to view any
private issue's details (summary, description, steps to reproduce,
additional information) when cloning. By checking the 'Copy issue notes'
and 'Copy attachments' checkboxes and completing the clone operation,
this data also becomes public (except private notes).

Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding.

@atrol noted that the same vulnerability also existed in bug_report.php,
although in this case the information disclosure is limited to notes and
attachments (issue data itself does not become accessible).

Added an access level check, so that the operation now fails with an
Access Denied error in both cases.

Fixes 0024221, CVE-2018-9839
Prevent cloning private issues by unauthorized users

Using a crafted request on bug_report_page.php (modifying the 'm_id'
parameter), any user with REPORTER access or above is able to view any
private issue's details (summary, description, steps to reproduce,
additional information) when cloning. By checking the 'Copy issue notes'
and 'Copy attachments' checkboxes and completing the clone operation,
this data also becomes public (except private notes).

Added an access level check, so that the operation now fails with an
Access Denied error.

Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding.

Fixes 0024221

mod - bug_report.php
mod - bug_report_page.php
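
An added example, not MantisBT code: a minimal Python model of the access check the changeset describes, applied to the clone source on both the form page and the submission handler. The data model, numeric access levels, and function names are assumptions made for illustration; `check=False` reproduces the behaviour before the fix.

```python
from dataclasses import dataclass, field

REPORTER, DEVELOPER = 25, 55   # constructed numeric access levels
PRIVATE_THRESHOLD = DEVELOPER  # assumed level required to view others' private issues

class AccessDenied(Exception):
    pass

@dataclass
class Issue:
    id: int
    reporter: str
    summary: str
    private: bool = False
    notes: list = field(default_factory=list)  # (text, is_private) pairs

@dataclass
class User:
    name: str
    level: int

# Constructed sample data: issue 2 is private and was reported by bob.
ISSUES = {
    1: Issue(1, "alice", "Typo on login page", notes=[("confirmed", False)]),
    2: Issue(2, "bob", "Auth bypass in API", private=True,
             notes=[("PoC attached", False), ("internal triage", True)]),
}

def ensure_can_view(user, issue):
    """Authorization check on the clone source: the step the fix adds."""
    if issue.private and user.name != issue.reporter and user.level < PRIVATE_THRESHOLD:
        raise AccessDenied(f"{user.name} may not view issue {issue.id}")

def clone_form(user, m_id, check=True):
    """Model of the report page: prefill a new-issue form from issue m_id."""
    src = ISSUES[m_id]
    if check:
        ensure_can_view(user, src)
    return {"summary": src.summary}

def clone_submit(user, m_id, form, copy_notes, check=True):
    """Model of the report handler: issue data comes from the form, notes from m_id."""
    src = ISSUES[m_id]
    if check:
        ensure_can_view(user, src)
    notes = [(t, False) for t, priv in src.notes if copy_notes and not priv]
    new_id = max(ISSUES) + 1
    ISSUES[new_id] = Issue(new_id, user.name, form["summary"], notes=notes)
    return ISSUES[new_id]
```

The check runs before any data is read or written, so a denied request neither prefills the form nor creates a clone.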