View Issue Details

IDProjectCategoryView StatusLast Update
0027370mantisbtsecuritypublic2020-12-30 07:37
Reporterd3vpoo1 Assigned Todregad  
PriorityhighSeveritymajorReproducibilityalways
Status closedResolutionfixed 
PlatformWindowsOSWindowsOS VersionWindows10
Product Version2.24.3 
Target Version2.24.4Fixed in Version2.24.4 
Summary0027370: CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
Description

I recheck my old reports/issue and I observe that in default MantisBT instance the developer can only edit the revision $g_update_bugnote_threshold = DEVELOPER; which means the developer can edit the bugnote submitted by reporter. However other role can view (and even developer) a private bugnote included on a private project.

Note : I create a new instance of MantisBT again to prevent/stop my old configuration

This is almost the same as the report that I submitted before however this one disclose the bugnote

Steps To Reproduce
  • As admin create two project, one private and a public project

  • Report an issue to a private project

  • add a new bugnote, its up to you if you will set this bugnote to private however at this point other user with non-admin role shouldn't access this because its a private project (for this scenario I will just set the bugnote to private which can help us "double" the status of view)

  • as a reporter,report an issue to our public project

  • add a bugnote

Exploit

  • go to your developer account and edit that bugnote submitted by reporter

Request

POST /test/bugnote_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
Origin: http://localhost
Connection: close
Referer: http://localhost/test/bugnote_edit_page.php
Cookie: MANTIS_secure_session=1; PHPSESSID=d1eb6er2hsedj13e2pi6tjqde9; MANTIS_STRING_COOKIE=S7B36suzGTmS3fWaoJskDFJK2HKV4ugkq7hcA3GX6JEATGrijwA5ce94ic6ZJlxm; MANTIS_PROJECT_COOKIE=2
Upgrade-Insecure-Requests: 1

bugnote_update_token=20201002r_0p5xlSfr-c2RSyBuBuqD71SD2hvVLJ&bugnote_id=1&bugnote_text=I+will+edit+this+as+a+developer

Response

HTTP/1.1 302 Found
Date: Fri, 02 Oct 2020 06:58:43 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Fri, 02 Oct 2020 06:58:43 GMT
X-Content-Type-Options: nosniff
Expires: Fri, 02 Oct 2020 06:58:43 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/test/view.php?id=1#bugnotes
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
  • After that, the "View all revisions" will appear

  • Click it

  • Now you will redirect to /bug_revision_view_page.php?bugnote_id=<SOME_ID>

  • change the value of <SOME_ID> to anything and you will successfully disclose the private bugnotes

Verification method

  • to verify more I use other role like viewer, reporter, manager (possible the other role too) and they can access the bug_note
Additional Information

I ran diff on default config file and to my testing config file and no result produce

  • Will follow up a PoC script
TagsNo tags attached.

Relationships

related to 0020690 closeddregad inconsistent UI for view bugnote revision 

Activities

d3vpoo1

d3vpoo1

2020-10-02 06:14

reporter   ~0064516

Hi ! After observing this and comparing to my last report, this only allows the attacker to disclose the summary and not the bug note. This is not duplicate issue of previous report because this can be found on different endpoint.. I get confused I thought the one that I disclose is the bugnote but I just disclose the summary via bug_revision_view_page.php?bugnote_id=&lt;VULN> apologize

dregad

dregad

2020-11-22 19:35

developer   ~0064683

this only allows the attacker to disclose the summary and not the bug note

Confirmed.

When you refer to "my last report", considering you have reported more than 10 of them, I guess you mean 0027039 ?

d3vpoo1

d3vpoo1

2020-11-22 21:08

reporter   ~0064684

I forgot which issue but I guess I refer it to https://mantisbt.org/bugs/view.php?id=27357

dregad

dregad

2020-12-05 21:12

developer   ~0064749

Last edited: 2020-12-06 06:46

While working on the fix for this issue, I realized that low-privileged users can view the revisions when accessing bug_revision_view_page.php directly, but they are not shown the View Revisions link on bugnote page, because the ability to view bugnote revisions is driven by private_bugnote_threshold config.

This inconsistency was previously reported in 0020690, so now is a good time to fix this.

dregad

dregad

2020-12-06 11:08

developer   ~0064757

That one was a bit more complex to fix than I had anticipated...

d3vpoo1

d3vpoo1

2020-12-11 10:21

reporter   ~0064786

Is this one getting a CVE?

dregad

dregad

2020-12-30 05:03

developer   ~0064865

CVE-2020-35849 assigned via request 1007235

Related Changesets

MantisBT: master e9fd168c

2020-12-06 10:32:42

dregad

Details Diff
Deny access to revisions if not authorized

If user is not allowed to view a revisions' parent bug or bugnote,
bug_revision_view_page.php now shows an Access Denied error, instead
of showing the bug Id and Summary (information disclosure).

Fixes 0027370
Affected Issues
0027370
mod - bug_revision_view_page.php Diff File