View Issue Details

ID: 0012517
Project: mantisbt
Category: api soap
View Status: public
Last Update: 2011-04-05 14:23
Reporter: maschneider
Assigned To: rombert
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 1.2.5
Fixed in Version: 1.2.5
Summary: 0012517: Users can view private bugs
Description

If you use the mc_issue_get() method of the SOAP interface to get bug notices, you can retrieve information about issues in private projects.

Steps To Reproduce
  • have a working Mantis user account
  • try to get an issue by calling mc_issue_get() with a known issue_id on the SOAP API
  • if you just try all possible ids, you get back the information of an issue belonging to a private project without your user account having access to that project
Additional Information

I was just looking in the source. I mention that the security check looks like:

if( !mci_has_readonly_access( $t_user_id, $t_project_id ) ) {
    return mci_soap_fault_access_denied( $t_user_id );
}

in mc_issue_get() in mc_issue_api.php

This uses user_get_access_level()
in mc_api.php:65

which in turn uses project_get_local_user_access_level()
in user_api.php:839

If you look at the documentation you can read:

Return the user's local (overridden) access level on the project or false if the user is not listed on the project

in project_api.php:452

If the user is not related to the project, the method always returns false and the global access level will be compared; the question of private projects will never be asked.

The only way to fix this is to use the internal access_api of Mantis. So the fix is:

if( !access_has_bug_level( VIEWER, $p_issue_id, $t_user_id ) ) {
    return mci_soap_fault_access_denied( $t_user_id );
}
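
To make the failure mode concrete, the following is an added Python model of the two checks described above (example code, not MantisBT's own): the access-level constants, the fixture data and the rule that an unlisted user gets no level on a private project are assumptions standing in for the real access_api behaviour.

```python
# Constructed model of the SOAP access check before and after the fix.
# Constants mirror MantisBT naming but the values are assumed.
ANYBODY, VIEWER, REPORTER, DEVELOPER = 0, 10, 25, 55
VS_PUBLIC, VS_PRIVATE = 10, 50

# Constructed fixture: one public and one private project, three users.
PROJECTS = {
    1: {"view_state": VS_PUBLIC,  "local_levels": {}},
    2: {"view_state": VS_PRIVATE, "local_levels": {"bob": DEVELOPER}},
}
GLOBAL_LEVELS = {"alice": REPORTER, "bob": REPORTER, "eve": ANYBODY}
BUGS = {100: 1, 200: 2}  # bug id -> project id

def project_get_local_user_access_level(project_id, user):
    """Local (overridden) level on the project, or False if not listed."""
    return PROJECTS[project_id]["local_levels"].get(user, False)

def mci_has_readonly_access_flawed(user, project_id):
    """Original SOAP-side logic: local override, else the global level.
    The project's view_state is never consulted, so an unlisted user
    with a sufficient global level passes even on a private project."""
    level = project_get_local_user_access_level(project_id, user)
    if level is False:
        level = GLOBAL_LEVELS[user]
    return level >= VIEWER

def access_has_bug_level_fixed(threshold, bug_id, user):
    """Models access_api: an unlisted user has no level on a private
    project (assumed rule); otherwise fall back to the global level."""
    project_id = BUGS[bug_id]
    level = project_get_local_user_access_level(project_id, user)
    if level is False:
        if PROJECTS[project_id]["view_state"] == VS_PRIVATE:
            return False
        level = GLOBAL_LEVELS[user]
    return level >= threshold

def compare(user, bug_id):
    """Return (flawed_check_result, fixed_check_result) for one lookup."""
    flawed = mci_has_readonly_access_flawed(user, BUGS[bug_id])
    fixed = access_has_bug_level_fixed(VIEWER, bug_id, user)
    return flawed, fixed

if __name__ == "__main__":
    for user, bug in [("alice", 200), ("bob", 200), ("alice", 100), ("eve", 100)]:
        print(user, bug, compare(user, bug))
```

Only the unlisted user on the private project (alice, bug 200) is treated differently by the two checks; listed users and public projects behave the same either way.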

Tags: No tags attached.
Attached Files: soap_patch (849 bytes)

Relationships

related to 0012328 (acknowledged): Normalise access checks between the web interface and the SOAP API

Activities

maschneider

2010-11-06 12:29

reporter   ~0027271

I think there are more security problems related to the SOAP API while it uses its own code and not the access_api.php of Mantis itself.

rombert

2010-11-06 18:38

reporter   ~0027273

Thanks for the report. Since you looked into it, would you be willing to provide a Git patch?

maschneider

2010-11-07 09:42

reporter   ~0027276

The question is which is the best way: fixing this problem by including a check for private projects, or starting to rewrite the access checks for the SOAP API.

rombert

2010-11-25 17:12

reporter   ~0027489

I'd say just include more access checks in the SOAP API. Doing something larger is probably not feasible right now.

maschneider

2011-01-26 04:49

reporter   ~0028085

I appended a git patch to have one more check included.

Related Changesets

MantisBT: master 004c39b6

2011-01-26 04:40

Author: da_ms
Committer: rombert

SOAP API: ensure that the user has a proper access level

Fixes 0012517: Users can view private bugs

Signed-off-by: Robert Munteanu <robert.munteanu@gmail.com>
Affected Issues: 0012517
mod - api/soap/mc_issue_api.php

MantisBT: master-1.2.x bde76f1f

2011-01-26 04:40

Author: da_ms
Committer: rombert

SOAP API: ensure that the user has a proper access level

Fixes 0012517: Users can view private bugs

Signed-off-by: Robert Munteanu <robert.munteanu@gmail.com>
Affected Issues: 0012517
mod - api/soap/mc_issue_api.php