[UNIX] Mantis Bugs Allow Private Projects to be Listed on 'View Bugs'

From: support@securiteam.com
Date: 08/25/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 25 Aug 2002 19:21:26 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Mantis Bugs Allow Private Projects to be Listed on 'View Bugs'
------------------------------------------------------------------------

SUMMARY

Mantis (<http://mantisbt.sourceforge.net/>) is an Open Source web-based bug
tracking system, written in PHP, which uses the MySQL database server. It
is being actively developed by a small group of developers, and is
considered to be in the beta stage.

Mantis allows administrators to mark certain projects as private. This
restricts access to those projects to users who have been explicitly added
to them.

There was a bug in Mantis that caused the 'View Bugs' page to list bugs
from both public and private projects when no projects were accessible to
the user. This has been patched in Mantis 0.17.5.

'View Bugs' lists only a summary of the bugs. This does not include
additional information such as the steps to reproduce the bug and any bug
notes that may have been added.

DETAILS

Vulnerable systems:
 * Mantis version 0.17.4a
 * Mantis version 0.17.4
 * Mantis version 0.17.3
 * Mantis version 0.17.2
 * Mantis version 0.17.1
 * Mantis version 0.17.0

Immune systems:
 * Mantis version 0.17.5

Workaround / Solution:
Mantis 0.17.5 patches this problem. Users are advised to upgrade to this
version when possible.

If an upgrade is not possible, the following patch (against Mantis 0.17.4a)
will close the vulnerability (although uncleanly):

--- mantis-0.17.4a/view_all_bug_page.php Mon Aug 19 07:18:54 2002
+++ mantis-0.17.5/view_all_bug_page.php Fri Aug 23 11:57:50 2002
@@ -90,7 +90,7 @@
                 $result2 = db_query( $query2 );
                 $project_count = db_num_rows( $result2 );
                 if ( 0 == $project_count ) {
- $t_where_clause = " WHERE 1=1";
+ $t_where_clause = " WHERE 0=1";
                 } else {
                         $t_where_clause = " WHERE (";
                         for ($i=0;$i<$project_count;$i++) {
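Review bot: the `0=1` sentinel in the `if ( 0 == $project_count )` branch does stop the unfiltered `WHERE 1=1` listing, but it still issues a bug query that can match nothing; returning early (or rendering an empty list) once `db_num_rows( $result2 )` is zero would make the intent explicit and avoid the needless round trip, which is the "uncleanly" the advisory refers to. Note also that the `-`/`+` lines have lost the indentation of the surrounding context lines, so apply with whitespace ignored (`patch -l`) or re-indent by hand before applying.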

Proof of Vulnerability:
Make all projects private, create a user who does not have access to any
of these projects, and open the 'View Bugs' page.
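The following is an added illustration, not code from Mantis or the advisory: it rebuilds the filter logic of `view_all_bug_page.php` against an in-memory SQLite database with constructed table names and sample data, so the "no accessible projects" case can be compared before and after the `0=1` fix. The project-to-bug schema and the `view_bugs`/`where_clause` helpers are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the advisory): every project is private,
# so a user who has been added to no project should see no bugs at all.
PROJECTS = [(1, "internal-tools", 1), (2, "customer-portal", 1)]  # (id, name, private)
BUGS = [(10, 1, "typo on settings page"), (11, 2, "auth bypass in admin")]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT, private INTEGER);
        CREATE TABLE bug (id INTEGER PRIMARY KEY, project_id INTEGER, summary TEXT);
    """)
    db.executemany("INSERT INTO project VALUES (?,?,?)", PROJECTS)
    db.executemany("INSERT INTO bug VALUES (?,?,?)", BUGS)
    return db

def accessible_projects(db, user_projects):
    """Public projects plus the private ones this user was explicitly added to."""
    rows = db.execute("SELECT id, private FROM project").fetchall()
    return [pid for pid, priv in rows if not priv or pid in user_projects]

def where_clause(project_ids, fixed):
    """Mirror of the patched hunk: the empty-list case decides whether bugs leak.
    The original code emitted ' WHERE 1=1' when no project was accessible,
    which matches every bug; 0.17.5 emits ' WHERE 0=1', which matches none."""
    if not project_ids:
        return " WHERE 0=1" if fixed else " WHERE 1=1"
    # Non-empty case: parameterised IN list instead of string-concatenated ids.
    placeholders = ",".join("?" for _ in project_ids)
    return f" WHERE project_id IN ({placeholders})"

def view_bugs(db, user_projects, fixed):
    """Return the bug ids the 'View Bugs' page would list for this user."""
    ids = accessible_projects(db, user_projects)
    sql = "SELECT id, summary FROM bug" + where_clause(ids, fixed)
    return [bug_id for bug_id, _ in db.execute(sql, ids).fetchall()]

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, no access:", view_bugs(db, [], fixed=False))  # lists both bugs
    print("patched,    no access:", view_bugs(db, [], fixed=True))   # lists nothing
    print("patched,    project 1:", view_bugs(db, [1], fixed=True))  # lists bug 10 only
```

A cleaner fix than the `0=1` sentinel is to return an empty listing before running the bug query at all when `accessible_projects` yields nothing.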

ADDITIONAL INFORMATION

The information has been provided by Jeroen Latour
(<mailto:jlatour@calaquendi.net>) and Diehl Software.

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.