View Issue Details

ID: 0027268
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-11-05 11:33
Reporter: d3vpoo1
Assigned To: dregad
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows
OS: Windows
OS Version: Windows 10
Target Version: 2.24.3
Fixed in Version: 2.24.3
Summary: 0027268: Admin can get issues assigned to users not allowed to handle them
Description

The endpoint http://<HOST>/manage_proj_cat_edit_page.php?id=1&project_id=1 allows the admin to set the "assigned" user to a non-admin/non-manager via the assigned_to parameter.

Steps To Reproduce
  1. Login as your admin account
  2. Go to manage > manage projects
  3. Open your intercept
  4. Select any member on select input

Request :

POST /mantisbt2/manage_proj_cat_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/manage_proj_cat_edit_page.php?id=1&project_id=1
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_secure_session=0; MANTIS_BUG_LIST_COOKIE=4; PHPSESSID=h4478kp8q2d69eg6e13pjo0hfe; MANTIS_STRING_COOKIE=7a01c128bae97499b78c1a52329936977c062961f7d9b57cd3d18980fdccc896
Upgrade-Insecure-Requests: 1

manage_proj_cat_update_token=<SOME-TOKEN>&project_id=1&category_id=1&name=General&assigned_to=<VULNERABLE>

Response :

HTTP/1.1 200 OK
Date: Thu, 10 Sep 2020 00:38:17 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Thu, 10 Sep 2020 00:38:17 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Thu, 10 Sep 2020 00:38:17 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 10006
Connection: close
Content-Type: text/html; charset=UTF-8

EDIT (dregad): Moved HTML of success page to attachment.

  1. Edit the assigned_to=<VULNERABLE> value (I tried setting this to a viewer and it works)
  2. Refresh the site and the viewer has now become assigned to the stuff
Additional Information

In the images the default selection is just admin/manager.

Tags: No tags attached.

Activities

d3vpoo1 (reporter), 2020-09-09 20:43

Attachments: default.png (11,911 bytes), levels.png (6,150 bytes), success.png (10,710 bytes)

dregad (developer), 2020-09-10 06:15, ~0064399

Bug confirmed, thanks for the report.

d3vpoo1 (reporter), 2020-09-10 06:41, ~0064401

Are you guys assigning CVE for this one?

dregad (developer), 2020-09-10 08:36, ~0064402

Considering it's a rather minor bug without significant consequences (being an issue's handler does not give that user any special access to the issue), I was not planning to, no.

dregad (developer), 2020-09-19 09:47, ~0064452

PR https://github.com/mantisbt/mantisbt/pull/1704

Related Changesets

MantisBT: master-2.24 dd86c9c0, 2020-09-20 10:24:12, dregad

Prevent assignment of categories to non-handler users

manage_proj_cat_update.php did not perform the necessary checks on the
provided user id (assigned_to parameter), allowing users with an access
level below handle_bug_threshold to be assigned to a category, and
subsequently to bugs created in that category.

Also added a check to ensure the provided user id is valid.

As suggested by @atrol, the checks are performed in Category API.

Fixes 0027268
Affected Issues
0027268
mod - core/category_api.php
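The check the changeset above describes, modelled as an added stand-alone example that is not MantisBT's code: the access-level constants and the default handle_bug_threshold are MantisBT's, while the user table, the form parsing and the function names are constructed for illustration, and treating assigned_to=0 as "no default handler" is an assumption.

```python
from urllib.parse import parse_qs

# MantisBT access levels (core/constant_inc.php) and the default
# handle_bug_threshold (config_defaults_inc.php).
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
HANDLE_BUG_THRESHOLD = DEVELOPER

# Constructed user table for project 1: user id -> effective access level.
USERS = {1: ADMINISTRATOR, 2: MANAGER, 3: DEVELOPER, 4: REPORTER, 5: VIEWER}


class CategoryUpdateError(ValueError):
    """Raised when the hardened update rejects the assigned_to value."""


def assignment_error(assigned_to, threshold=HANDLE_BUG_THRESHOLD):
    """Return None if assigned_to may be a category handler, else the reason.
    A value of 0 is assumed here to mean 'no default handler' (always allowed)."""
    if assigned_to == 0:
        return None
    level = USERS.get(assigned_to)
    if level is None:                      # the 'user id is valid' check
        return f"user {assigned_to} does not exist"
    if level < threshold:                  # the handle_bug_threshold check
        return f"user {assigned_to} has level {level}, below threshold {threshold}"
    return None


def vulnerable_category_update(category, assigned_to):
    """Pre-fix behaviour: the id from the POST body is stored unchecked, so a
    viewer (or a non-existent user) becomes the category's default handler."""
    category["user_id"] = assigned_to
    return category


def hardened_category_update(category, assigned_to):
    """Post-fix behaviour: reject before anything is written."""
    reason = assignment_error(assigned_to)
    if reason is not None:
        raise CategoryUpdateError(reason)
    category["user_id"] = assigned_to
    return category


def handle_update_request(body, update=hardened_category_update):
    """Parse a form body shaped like the report's POST and apply an update."""
    form = parse_qs(body, keep_blank_values=True)
    category = {"id": int(form["category_id"][0]), "name": form["name"][0]}
    return update(category, int(form["assigned_to"][0]))
```

Feeding the report's form body with assigned_to=5 (the constructed viewer) into handle_update_request stores the viewer under the vulnerable function and raises CategoryUpdateError under the hardened one.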

Issue History

Date Modified Username Field Change
2020-09-09 20:43 d3vpoo1 New Issue
2020-09-09 20:43 d3vpoo1 File Added: default.png
2020-09-09 20:43 d3vpoo1 File Added: levels.png
2020-09-09 20:43 d3vpoo1 File Added: success.png
2020-09-10 06:15 dregad Status new => confirmed
2020-09-10 06:15 dregad Steps to Reproduce Updated View Revisions
2020-09-10 06:15 dregad Note Added: 0064399
2020-09-10 06:16 dregad Product Version 2.24.2 =>
2020-09-10 06:41 d3vpoo1 Note Added: 0064401
2020-09-10 08:36 dregad Note Added: 0064402
2020-09-19 09:47 dregad Assigned To => dregad
2020-09-19 09:47 dregad Status confirmed => assigned
2020-09-19 09:47 dregad Target Version => 2.24.3
2020-09-19 09:47 dregad View Status private => public
2020-09-19 09:47 dregad Note Added: 0064452
2020-09-20 12:35 dregad Summary Admin can set assigned to non-manager/non admin => Admin can get issues assigned to users not allowed to handle them
2020-09-25 13:27 dregad Changeset attached => MantisBT master-2.24 dd86c9c0
2020-09-25 13:27 dregad Status assigned => resolved
2020-09-25 13:27 dregad Resolution open => fixed
2020-09-25 13:27 dregad Fixed in Version => 2.24.3
2020-09-25 14:53 dregad Status resolved => closed