View Issue Details

IDProjectCategoryView StatusLast Update
0027268mantisbtsecuritypublic2020-11-05 11:33
Reporterd3vpoo1 Assigned Todregad  
PriorityhighSeverityminorReproducibilityalways
Status closedResolutionfixed 
PlatformWindowsOSWindowsOS VersionWindows 10
Target Version2.24.3Fixed in Version2.24.3 
Summary0027268: Admin can get issues assigned to users not allowed to handle them
Description

The endpoint : http://<HOST>/manage_proj_cat_edit_page.php?id=1&project_id=1 allows the admin to set the "assigned" to non-admin/non manager via assigned_to parameter

Steps To Reproduce
  1. Login as your admin account
  2. Go to manage > manage projects
  3. Open your intercept
  4. Select any member on select input

Request :

POST /mantisbt2/manage_proj_cat_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/manage_proj_cat_edit_page.php?id=1&project_id=1
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_secure_session=0; MANTIS_BUG_LIST_COOKIE=4; PHPSESSID=h4478kp8q2d69eg6e13pjo0hfe; MANTIS_STRING_COOKIE=7a01c128bae97499b78c1a52329936977c062961f7d9b57cd3d18980fdccc896
Upgrade-Insecure-Requests: 1

manage_proj_cat_update_token=<SOME-TOKEN>&project_id=1&category_id=1&name=General&assigned_to=<VULNERABLE>

Response :

HTTP/1.1 200 OK
Date: Thu, 10 Sep 2020 00:38:17 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Thu, 10 Sep 2020 00:38:17 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Thu, 10 Sep 2020 00:38:17 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 10006
Connection: close
Content-Type: text/html; charset=UTF-8

EDIT (dregad): Moved HTML of success page to attachment.

  1. Edit the assigned_to=<VULNERABLE> (I try to set this to viewer and this works)
  2. Refresh the site and viewer now become assigned to the stuffs
Additional Information

In images the default selection are just admin/manager

TagsNo tags attached.
Attached Files
default.png (11,911 bytes)   
default.png (11,911 bytes)   
levels.png (6,150 bytes)   
levels.png (6,150 bytes)   
success.png (10,710 bytes)   
success.png (10,710 bytes)   

Relationships

related to 0027350 closeddregad When updating an issue, a Viewer user can be set as Reporter 

Activities

dregad

dregad

2020-09-10 06:15

developer   ~0064399

Bug confirmed, thanks for the report.

d3vpoo1

d3vpoo1

2020-09-10 06:41

reporter   ~0064401

Are you guys assigning CVE for this one?

dregad

dregad

2020-09-10 08:36

developer   ~0064402

Considering it's a rather minor bug without significant consequences (being an issue's handler does not give that user any special access to the issue), I was not planning to, no.

dregad

dregad

2020-09-19 09:47

developer   ~0064452

PR https://github.com/mantisbt/mantisbt/pull/1704

Related Changesets

MantisBT: master-2.24 dd86c9c0

2020-09-20 06:24

dregad


Details Diff
Prevent assignment of categories to non-handler users

manage_proj_cat_update.php did not perform the necessary checks on the
provided user id (assigned_to parameter), allowing users with an access
level below handle_bug_threshold to be assigned to a category, and
subsequently to bugs created in that category.

Also added a check to ensure the provided user id is valid.

As suggested by @atrol, the checks are performed in Category API.

Fixes 0027268
Affected Issues
0027268
mod - core/category_api.php Diff File