2016-12-06 12:51 EST

View Issue Details

ID: 0010124
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: empty
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.8
Target Version: 1.2.9
Fixed in Version: 1.2.9
Summary: 0010124: Bug in access_has_bug_level
Description:

There's a heavy problem in the access_has_bug_level function giving access to everyone.

By setting the private_bug_view_threshold via the project configuration to an array (and not only a number),

eg.

if you have 0 0 X 0 X X in the configuration, this will result in an Array, instead of 0 0 X X X X resulting in a number in the mantis_config_table.

This leads to a malfunction in access_api.php/function access_has_bug_level:

The code there:

    # If the bug is private and the user is not the reporter, then the
    # the user must also have higher access than private_bug_threshold
    if ( VS_PRIVATE == bug_get_field( $p_bug_id, 'view_state' ) &&
         !bug_is_user_reporter( $p_bug_id, $p_user_id ) )
    {
        $p_access_level = max( $p_access_level, config_get( 'private_bug_threshold' ) );
    }

So, the parameters of the max function are an access_level, e.g. MANAGER, and an array with the private_bug_threshold from the database.

The result: because the max function can't handle this integer/array mixture, the returned value is empty, so everyone has access to the bug.

Steps To Reproduce: see above.
Tags: No tags attached.
Attached Files:

Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Notes

~0031005 Zonix (reporter)

Just stumbled on this as well in 1.2.8:

We have a strong policy that nobody should be allowed to delete issues, thus I set delete_bug_threshold = NOBODY. Private bugs are accessible for certain roles only, so I configured

    private_bug_threshold = array (
      0 => 40,
      1 => 42,
      2 => 55,
      3 => 60,
      4 => 65,
      5 => 90,
    )

with the configuration pages. The result is that anyone can actually delete private bugs (delete button on bug view page).

I consider this a major bug since the security scheme for private bugs can be accidentally broken by an administrator who configures the private_bug_threshold individually for access roles.

Could anyone take care of this issue?

BTW, category "authentication" should be changed to "security" since this problem is not only related to authentication.
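As an added example (not MantisBT's code and not dregad's fix), the stand-alone PHP script below shows why combining an integer level with an array threshold through max() yields no usable level, and one way to evaluate a threshold that may be either an integer or an array, applied to the delete-private-bug scenario from the note above. The level constants mirror MantisBT's default values; the helper names threshold_allows and user_has_bug_level are assumptions.

```php
<?php
// Added example, not MantisBT code. Access levels mirror MantisBT's defaults.
const VIEWER = 10;
const UPDATER = 40;
const DEVELOPER = 55;
const MANAGER = 70;
const ADMINISTRATOR = 90;
const NOBODY = 100;

// What the reported code does: max() over an int and an array.
// In PHP an array compares greater than any scalar, so the array wins and
// no integer threshold comes back for the later ">=" comparison.
$mixed = max(MANAGER, [UPDATER, DEVELOPER, MANAGER]);
echo 'max() returned a value of type ' . gettype($mixed) . PHP_EOL;

// Hypothetical helper: a threshold is either an integer ("this level or
// higher") or an array of explicitly permitted levels, as the configuration
// pages produce. Evaluate each form on its own terms instead of mixing them.
function threshold_allows(int $user_level, $threshold): bool
{
    if (is_array($threshold)) {
        return in_array($user_level, array_map('intval', $threshold), true);
    }
    return $user_level >= (int) $threshold;
}

// Hypothetical restatement of the check: the user must satisfy the action's
// own threshold AND, for a private bug they did not report, the private-bug
// threshold. Both are evaluated separately; nothing is max()-ed together.
function user_has_bug_level(int $user_level, $action_threshold, $private_threshold,
                            bool $bug_is_private, bool $user_is_reporter): bool
{
    if (!threshold_allows($user_level, $action_threshold)) {
        return false;
    }
    if ($bug_is_private && !$user_is_reporter) {
        return threshold_allows($user_level, $private_threshold);
    }
    return true;
}

// Zonix's configuration: delete_bug_threshold = NOBODY and private_bug_threshold
// set per role as an array (values copied from the note). Nobody may delete.
$delete_threshold = NOBODY;
$private_threshold = [0 => 40, 1 => 42, 2 => 55, 3 => 60, 4 => 65, 5 => 90];
foreach ([VIEWER, DEVELOPER, MANAGER, ADMINISTRATOR] as $level) {
    $can_delete = user_has_bug_level($level, $delete_threshold, $private_threshold, true, false);
    echo "level $level may delete private bug: " . var_export($can_delete, true) . PHP_EOL;
}
```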
~0031008 dregad (developer)

I believe I fixed it, please see
https://github.com/dregad/mantisbt/tree/fix-10124-access_has_bug_level

Could you kindly test and let me know if it works.
~0031011 Zonix (reporter)

Hi dregad, thanks for the quick fix. I can confirm that your patch fixes the issue.
~0031012 dregad (developer)

Thanks for testing. As this is a very widely used function, I have asked other devs to have a look at it before I commit the change, to make sure this is not introducing any regression.
~0031392 dhx (reporter)

Last edited: 2012-03-06 17:33

A CVE identifier has been assigned to this issue:

CVE-2012-1118 MantisBT 1.2.8 10124 array value for $g_private_bug_threshold configuration option allows bypass of access checks

~0036310 grangeway (reporter)

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Issue History
Date Modified | Username | Field | Change
2009-02-10 07:25 empty New Issue
2012-01-23 08:08 Zonix Note Added: 0031005
2012-01-23 08:57 dregad Status new => confirmed
2012-01-23 08:57 dregad Category authentication => security
2012-01-23 08:57 dregad Product Version 1.1.6 => 1.2.8
2012-01-23 14:19 dregad Note Added: 0031008
2012-01-23 14:19 dregad Assigned To => dregad
2012-01-23 14:19 dregad Status confirmed => assigned
2012-01-23 14:19 dregad Target Version => 1.2.9
2012-01-24 03:04 Zonix Note Added: 0031011
2012-01-24 05:24 dregad Note Added: 0031012
2012-02-27 19:45 dregad Status assigned => resolved
2012-02-27 19:45 dregad Fixed in Version => 1.2.9
2012-02-27 19:45 dregad Resolution open => fixed
2012-02-27 20:00 dregad Changeset attached => MantisBT master eb803ed0
2012-02-27 20:00 dregad Changeset attached => MantisBT master-1.2.x ae8be028
2012-03-03 21:45 vboctor Status resolved => closed
2012-03-06 17:33 dhx Note Added: 0031392
2012-03-06 17:33 dhx Note Edited: 0031392 View Revisions
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036310
2013-04-05 18:25 grangeway Relationship added related to 0015721
2013-04-06 03:42 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:24 dregad Tag Attached: 2.0.x check
2013-04-06 09:24 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check