[UNIX] Additional Vulnerabilities in Mantis Allow Private Bugs Access

From: support@securiteam.com
Date: 08/25/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 25 Aug 2002 19:28:48 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Additional Vulnerabilities in Mantis Allow Private Bugs Access
------------------------------------------------------------------------

SUMMARY

Mantis (http://mantisbt.sourceforge.net/) is an Open Source web-based bug
tracking system, written in PHP, which uses the MySQL database server. It
is being actively developed by a small group of developers, and is
considered to be in the beta stage.

There are four locations where all information about a bug is listed:
 - View Bug (simple and advanced)
 - Update Bug (simple and advanced)

None of these locations checked whether the user was allowed to see the
bug. This allowed any user to see an arbitrary bug by entering its ID in
the URL or in the 'Jump' box. The user has to know the bug ID, but that is
not difficult to come by, as bug IDs are auto-incrementing numbers.

Mantis 0.17.5 adds code to the four locations listed above, which checks
whether the user has the appropriate permissions.
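The missing check and the 0.17.5 rule, modelled as an added example (not Mantis code): the bug table, user levels and the numeric PUBLIC/PRIVATE values are constructed here, and the patched flow raises instead of redirecting, so that a regression helper can show which private bugs each version hands to a low-privilege user.

```python
# Model of the private-bug check missing in Mantis 0.17.4a and added in 0.17.5.
# Added example, not Mantis code: the bug table, user levels and the numeric
# PUBLIC/PRIVATE values are constructed; only the names view_state, PRIVATE and
# the private-bug threshold come from the advisory.

PUBLIC, PRIVATE = 10, 50            # assumed view_state values
VIEWER, DEVELOPER = 10, 50          # assumed user access levels
PRIVATE_BUG_THRESHOLD = DEVELOPER   # stands in for $g_private_bug_threshold

# Constructed bug table: bug id -> row, as db_fetch_array() would return it.
BUGS = {
    1: {"summary": "Typo on login page", "view_state": PUBLIC},
    2: {"summary": "Admin auth bypass (embargoed)", "view_state": PRIVATE},
    3: {"summary": "Broken link in footer", "view_state": PUBLIC},
}

def view_bug_0_17_4a(bug_id, user_level):
    """Pre-fix flow: the page trusts f_id and returns whatever row matches."""
    row = BUGS.get(bug_id)
    if row is None:
        raise KeyError(bug_id)
    return row["summary"]

def access_bug_check(row, user_level):
    """The 0.17.5 rule: a PRIVATE bug needs the threshold level. Mantis
    redirects on failure; here we return False and let the caller fail closed."""
    return not (row["view_state"] == PRIVATE and user_level < PRIVATE_BUG_THRESHOLD)

def view_bug_0_17_5(bug_id, user_level):
    """Post-fix flow: same lookup, then the check before anything is shown."""
    row = BUGS.get(bug_id)
    if row is None:
        raise KeyError(bug_id)
    if not access_bug_check(row, user_level):
        raise PermissionError(f"bug {bug_id} is private")
    return row["summary"]

def private_bugs_readable_by(view_fn, user_level):
    """Regression helper: the set of PRIVATE bug ids view_fn hands to this user."""
    readable = set()
    for bug_id, row in BUGS.items():
        if row["view_state"] != PRIVATE:
            continue
        try:
            view_fn(bug_id, user_level)
            readable.add(bug_id)
        except PermissionError:
            pass
    return readable
```

Run the helper against both flows with a VIEWER-level user: the pre-fix flow returns the private bug, the patched flow returns nothing, and a DEVELOPER still sees it.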

DETAILS

Vulnerable systems:
 * Mantis version 0.17.4a
 * Mantis version 0.17.4
 * Mantis version 0.17.3

Immune systems:
 * Mantis version 0.17.5

Workaround / Solution:
Mantis 0.17.5 adds appropriate permissions checks. All users are urged to
upgrade to this version as soon as possible.

If an upgrade is not possible, the following patch (against Mantis
0.17.4a) will close the vulnerability:

diff -u -r mantis-0.17.4a/bug_update_advanced_page.php
mantis-0.17.5/bug_update_advanced_page.php
--- mantis-0.17.4a/bug_update_advanced_page.php Mon May 20 03:34:20 2002
+++ mantis-0.17.5/bug_update_advanced_page.php Fri Aug 23 11:55:52 2002
@@ -26,6 +26,9 @@
      $result = db_query( $query );
         $row = db_fetch_array( $result );
         extract( $row, EXTR_PREFIX_ALL, "v" );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );

      $query = "SELECT *
                 FROM $g_mantis_bug_text_table
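Review bot: the check is added only to the page that renders the update form; the script that receives the submitted form is not part of this patch, so confirm it calls access_bug_check() as well, otherwise the read path is closed while the write path for a private bug stays unchecked.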
diff -u -r mantis-0.17.4a/bug_update_page.php
mantis-0.17.5/bug_update_page.php
--- mantis-0.17.4a/bug_update_page.php Mon May 20 03:34:20 2002
+++ mantis-0.17.5/bug_update_page.php Fri Aug 23 11:56:06 2002
@@ -27,6 +27,9 @@
      $result = db_query( $query );
         $row = db_fetch_array( $result );
         extract( $row, EXTR_PREFIX_ALL, "v" );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );

      $query = "SELECT *
                 FROM $g_mantis_bug_text_table
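Review bot: this is the same three-line call copied into four page scripts; consider moving the access_bug_check() call into the shared code that runs the bug SELECT, so any new page that displays a bug gets the check automatically instead of relying on each page to remember it, which is exactly how the four pages in this advisory were missed.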
diff -u -r mantis-0.17.4a/core_user_API.php
mantis-0.17.5/core_user_API.php
--- mantis-0.17.4a/core_user_API.php Sun Aug 18 08:57:20 2002
+++ mantis-0.17.5/core_user_API.php Fri Aug 23 11:52:43 2002
@@ -577,6 +577,23 @@
                 }
         }
         # --------------------
+ # check to see if the current user has access to the specified
bug.
This assumes that the bug exists and
+ # that the user has access to the project (check_bug_exists() and
project_access_check()).
+ function access_bug_check( $p_bug_id, $p_view_state='' ) {
+ global $g_private_bug_threshold;
+
+ if ( empty ( $p_view_state ) ) {
+ $t_view_state = get_bug_field( $p_bug_id,
'view_state' );
+ } else {
+ $t_view_state = (integer)$p_view_state;
+ }
+
+ # Make sure if the bug is private, the logged in user has
access to it.
+ if ( ( $t_view_state == PRIVATE ) &&
!access_level_check_greater_or_equal( $g_private_bug_threshold ) ) {
+ print_header_redirect( 'logout_page.php' );
+ }
+ }
+ # --------------------
         
###########################################################################
         # User Information API
         
###########################################################################
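Review bot: access_bug_check() relies on print_header_redirect() ending the request; if that helper only sends a Location header and returns, the calling page continues past the check and renders the private bug anyway, so add an explicit exit after the redirect or return a boolean and let the caller stop. Two smaller points: empty($p_view_state) is also true for a view_state of 0, which forces a redundant get_bug_field() query whenever a caller passes that value, and the rule is a single global threshold, so the reporter of a private bug who sits below $g_private_bug_threshold is denied their own report; either document that or also compare the reporter id. Note too that the posted copy has lines rewrapped (e.g. 'bug.' / 'This assumes', '$p_bug_id,' / ''view_state' );'), so it will need to be applied by hand rather than with patch(1).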
diff -u -r mantis-0.17.4a/view_bug_advanced_page.php
mantis-0.17.5/view_bug_advanced_page.php
--- mantis-0.17.4a/view_bug_advanced_page.php Mon May 20 03:34:21 2002
+++ mantis-0.17.5/view_bug_advanced_page.php Fri Aug 23 11:56:29 2002
@@ -22,6 +22,9 @@
      $result = db_query( $query );
         $row = db_fetch_array( $result );
         extract( $row, EXTR_PREFIX_ALL, "v" );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );

      $query = "SELECT *
                 FROM $g_mantis_bug_text_table
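Review bot: $v_view_state only exists if db_fetch_array() returned a row; for an f_id with no matching bug, extract() yields nothing and access_bug_check() is called with an empty view_state, which the new function turns into a get_bug_field() call on a missing bug. The comment on access_bug_check() says check_bug_exists() is assumed, so confirm this page calls it before this point, or bail out here when $row is empty.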
diff -u -r mantis-0.17.4a/view_bug_page.php
mantis-0.17.5/view_bug_page.php
--- mantis-0.17.4a/view_bug_page.php Mon May 20 03:34:21 2002
+++ mantis-0.17.5/view_bug_page.php Fri Aug 23 11:57:00 2002
@@ -22,6 +22,9 @@
      $result = db_query( $query );
         $row = db_fetch_array( $result );
         extract( $row, EXTR_PREFIX_ALL, "v" );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );

      $query = "SELECT *
                 FROM $g_mantis_bug_text_table
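Review bot: placement is right in that the check runs after the bug row is fetched (so $v_view_state is available without a second query) and before the bug text SELECT and any output, so nothing private has been emitted when the redirect fires; verify that no HTML has been printed earlier in the page, because a redirect header sent after output has started fails and the page would continue rendering.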

Proof of Vulnerability:
The easiest way to confirm this vulnerability is by logging on to your
Mantis installation with a low-privilege user, and entering the bug ID of
a bug that should not be readable by that user in the 'Jump' box.

Older versions without a 'Jump' box can be exploited by changing the f_id
parameter to view_bug_page.php, view_bug_advanced_page.php,
bug_update_page.php or bug_update_advanced_page.php.

ADDITIONAL INFORMATION

The information has been provided by Jeroen Latour (jlatour@calaquendi.net).
