[UNIX] Mantis's Limiting Output to Reporters Can be Bypassed

From: support@securiteam.com
Date: 08/21/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 21 Aug 2002 14:28:22 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Mantis's Limiting Output to Reporters Can be Bypassed
------------------------------------------------------------------------

SUMMARY

 <http://mantisbt.sourceforge.net/> Mantis is an Open Source web-based bug
tracking system, written in PHP, which uses the MySQL database server. It
is being actively developed by a small group of developers, and is
considered to be in the beta stage. A security vulnerability in the
product allows attackers to discover sensitive information about other
user's bug reports even if they are not allowed to do so by the normal
interface.

DETAILS

Vulnerable systems:
 * Mantis version 0.17.3
 * Mantis version 0.17.2
 * Mantis version 0.17.1
 * Mantis version 0.17.0
 * Mantis version 0.16.1
 * Mantis version 0.16.0

Immune systems:
 * Mantis version 0.17.4a
 * Mantis version 0.17.4
 * Mantis versions prior to 0.16.0

It is possible to instruct Mantis to show reporters only the bugs that
they reported, by setting the limit_reporters option to ON. This will
automatically set the 'reporter' filter on the 'View Bugs' page.

The information on the 'View Bugs' page was also available in a form
suitable for printing, by clicking on the 'Print Reports' link on the
'View Bugs' page. However, this script, print_all_bug_page.php, did not
check the limit_reporters option and thus allowed reporters to see the
summaries of bugs they did not report.

Workaround / Solution:
Mantis 0.17.4 adds the appropriate permission checks to the 'Print
Reports' page. All users are recommended to upgrade to this version as
soon as possible.

If upgrade is not an option, print_all_bug_page.php can be patched to
close this vulnerability. The following instructions apply to Mantis
0.17.3, and could apply to earlier versions:

In print_all_bug_page.php, after the block of assignments from
$t_setting_arr, insert the following lines:
     # Limit reporters to only see their reported bugs
     if (( ON == $g_limit_reporters ) &&
       ( !access_level_check_greater_or_equal( UPDATER ) )) {
       $f_user_id = get_current_user_field( "id" );
     }

Detailed explanation:
No trickery is required to allow a reporter to see the summaries of bugs
that (s)he did not report. The reporter just has to go to 'View Bugs',
click on 'Print Reports' and make sure the 'reporter' filter is set to
anything but his/her own name.

ADDITIONAL INFORMATION

The information has been provided by <mailto:jlatour@calaquendi.net>
Jeroen Latour.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • GnuTLS 1.2.10 - Security release
    ... We are pleased to announce the availability of GnuTLS version 1.2.10, ... a security bug-fix release on the stable 1.2.x branch. ... This release fixes several serious bugs that would make the DER ... Here are the build reports for various platforms: ...
    (gnu.announce)
  • [Full-disclosure] [ GLSA 200809-10 ] Mantis: Multiple vulnerabilities
    ... Bugs: #233336 ... Multiple vulnerabilities have been reported in Mantis. ... Security is a primary focus of Gentoo Linux and ensuring the ...
    (Full-Disclosure)
  • [ GLSA 200809-10 ] Mantis: Multiple vulnerabilities
    ... Bugs: #233336 ... Multiple vulnerabilities have been reported in Mantis. ... Security is a primary focus of Gentoo Linux and ensuring the ...
    (Bugtraq)
  • Re: Article: Gates memo calls for security focus
    ... Clearly if there is a security hole they know ... ]> in order to search for that 12th time for security bugs. ... How much does every programmer, ... Gates says so -- and so any reports otherwise are simply outsiders ...
    (comp.security.misc)
  • Re: Pentester convicted..
    ... and thus politely forcing them take responsibility for the protection of privacy of the data they carry. ... and ignored the first 2 reports. ... A security pro notices a flaw, checks to make sure he is not on crack ... Download FREE whitepaper on how a managed service ...
    (Pen-Test)