[UNIX] Mantis's Limiting Output to Reporters Can be Bypassed
From: support@securiteam.com
Date: 08/21/02
From: support@securiteam.com To: list@securiteam.com Date: Wed, 21 Aug 2002 14:28:22 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Mantis's Limiting Output to Reporters Can be Bypassed
------------------------------------------------------------------------
SUMMARY
<http://mantisbt.sourceforge.net/> Mantis is an Open Source web-based bug
tracking system, written in PHP, which uses the MySQL database server. It
is being actively developed by a small group of developers, and is
considered to be in the beta stage. A security vulnerability in the
product allows attackers to discover sensitive information about other
users' bug reports, even though the normal interface does not allow them
to see it.
DETAILS
Vulnerable systems:
* Mantis version 0.17.3
* Mantis version 0.17.2
* Mantis version 0.17.1
* Mantis version 0.17.0
* Mantis version 0.16.1
* Mantis version 0.16.0
Immune systems:
* Mantis version 0.17.4a
* Mantis version 0.17.4
* Mantis versions prior to 0.16.0
It is possible to instruct Mantis to show reporters only the bugs that
they reported, by setting the limit_reporters option to ON. This will
automatically set the 'reporter' filter on the 'View Bugs' page.
The information on the 'View Bugs' page was also available in a form
suitable for printing, by clicking on the 'Print Reports' link on the
'View Bugs' page. However, this script, print_all_bug_page.php, did not
check the limit_reporters option and thus allowed reporters to see the
summaries of bugs they did not report.
Workaround / Solution:
Mantis 0.17.4 adds the appropriate permission checks to the 'Print
Reports' page. All users are recommended to upgrade to this version as
soon as possible.
If upgrade is not an option, print_all_bug_page.php can be patched to
close this vulnerability. The following instructions apply to Mantis
0.17.3, and could apply to earlier versions:
In print_all_bug_page.php, after the block of assignments from
$t_setting_arr, insert the following lines:
    # Limit reporters to only see their reported bugs
    if (( ON == $g_limit_reporters ) &&
        ( !access_level_check_greater_or_equal( UPDATER ) )) {
        $f_user_id = get_current_user_field( "id" );
    }
Detailed explanation:
No trickery is required to allow a reporter to see the summaries of bugs
that (s)he did not report. The reporter just has to go to 'View Bugs',
click on 'Print Reports' and make sure the 'reporter' filter is set to
anything but his/her own name.
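As an added illustration (not code from the advisory or from Mantis), the PHP model below reproduces the flaw: the reporter filter must be derived on the server for every entry point, and the print page simply took the request value as-is. ON, UPDATER, REPORTER, $g_limit_reporters, $g_bugs and the helper functions are hypothetical stand-ins for Mantis's own.

```php
<?php
// Added example, not Mantis code: minimal model of the advisory's flaw.
// 'View Bugs' and 'Print Reports' list the same bugs; only the view page
// overrode the client's 'reporter' filter for restricted users. All names
// here are hypothetical stand-ins for the Mantis configuration and API.
define('ON', 1);
define('REPORTER', 25);   // hypothetical access levels, ordered
define('UPDATER', 40);
$g_limit_reporters = ON;  // the admin setting from the advisory

// Constructed sample data: bug id => reporter and summary.
$g_bugs = [
    1 => ['reporter_id' => 10, 'summary' => 'Login page shows a PHP notice'],
    2 => ['reporter_id' => 20, 'summary' => 'Internal: export contains prices'],
    3 => ['reporter_id' => 10, 'summary' => 'Typo on the about page'],
];

// Stand-in for access_level_check_greater_or_equal().
function access_at_least(array $viewer, int $level): bool {
    return $viewer['access_level'] >= $level;
}

// Server-side derivation of the reporter filter. $f_user_id is the client's
// 'reporter' filter (null = any) and is only honoured when the viewer may
// see other users' bugs; otherwise it is overridden with the viewer's id.
function effective_reporter(array $viewer, ?int $f_user_id): ?int {
    global $g_limit_reporters;
    if (ON == $g_limit_reporters && !access_at_least($viewer, UPDATER)) {
        return $viewer['id'];
    }
    return $f_user_id;
}

function summaries(?int $reporter_id): array {
    global $g_bugs;
    $out = [];
    foreach ($g_bugs as $id => $bug) {
        if ($reporter_id === null || $bug['reporter_id'] === $reporter_id) {
            $out[$id] = $bug['summary'];
        }
    }
    return $out;
}

$reporter = ['id' => 10, 'access_level' => REPORTER];
// Before the fix print_all_bug_page.php filtered straight on the request value:
print_r(summaries(null));                                // includes bug 2: the leak
// After the fix the print page derives the filter as the view page already did:
print_r(summaries(effective_reporter($reporter, null))); // bugs 1 and 3 only
```

The same check applied at every script that reads bug data, rather than only on the main listing, is what the 0.17.4 fix amounts to.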
ADDITIONAL INFORMATION
The information has been provided by <mailto:jlatour@calaquendi.net>
Jeroen Latour.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.