MantisBT

ID: 0013561
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2011-11-24 09:40
Last Update: 2014-09-23 18:05
Reporter: spoidras
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.8
Target Version: 1.2.9
Fixed in Version: 1.2.9
Summary: 0013561: Any manager can delete global categories
Description: Once a user has been defined as manager on at least one project, he can edit or delete global categories for all projects.
Steps To Reproduce:
1. Go to the Manage Projects page
2. Delete a global category
Tags: No tags attached.
Attached Files: none

- Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

- Notes
(0030755) dregad (developer)
2012-01-01 20:12

The manage project page should check that the user's global access is at least equal to $g_manage_site_threshold config. If not, global categories should be displayed without any action buttons.
(0031395) dhx (developer)
2012-03-06 17:35

A CVE identifier has been assigned to this issue:

CVE-2012-1121 MantisBT 1.2.8 13561 managers of specific projects could update global category settings
(0036307) grangeway (reporter)
2013-04-05 17:57

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

- Related Changesets
MantisBT: master 94432587
Timestamp: 2012-01-01 16:14:31
Author: dregad
User must have global access to update global categories

The user's global access level must be >= $g_manage_site_threshold to
be allowed to add, edit or delete global categories.

Prior to this, once a user had been defined as Manager on at least one
project, they could freely update global categories.

Also prevents such updates through URL manipulation.

Fixes 0013561
mod - manage_proj_cat_delete.php
mod - manage_proj_cat_edit_page.php
mod - manage_proj_page.php

MantisBT: master-1.2.x 385e0c90
Timestamp: 2012-01-01 16:14:31
Author: dregad
User must have global access to update global categories

The user's global access level must be >= $g_manage_site_threshold to
be allowed to add, edit or delete global categories.

Prior to this, once a user had been defined as Manager on at least one
project, they could freely update global categories.

Also prevents such updates through URL manipulation.

Fixes 0013561
mod - manage_proj_cat_delete.php
mod - manage_proj_cat_edit_page.php
mod - manage_proj_page.php
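The check described in dregad's note (0030755) and in the changeset message above, as an added example rather than MantisBT's own code: a pre-fix check that only asks whether the user manages the currently selected project, beside the fixed check that requires global access at or above $g_manage_site_threshold for a global category and takes the project from the category record rather than from the request. In MantisBT itself this lives in its access API (access_ensure_global_level() and access_ensure_project_level()); the users, categories and the access-level model here are constructed for illustration.

```php
<?php
// Added example (not MantisBT's own code): models the authorization bug in
// 0013561 and the fix described in the changeset message. Access levels and
// thresholds are MantisBT defaults; users and categories are constructed.
const ALL_PROJECTS  = 0;   // project_id of a global category
const DEVELOPER     = 50;
const MANAGER       = 70;
const ADMINISTRATOR = 90;
$g_manage_project_threshold = MANAGER;       // MantisBT default
$g_manage_site_threshold    = ADMINISTRATOR; // MantisBT default

// Constructed users: a global level plus per-project overrides.
$users = [
    'projmgr' => ['global' => DEVELOPER,     'projects' => [1 => MANAGER]],
    'admin'   => ['global' => ADMINISTRATOR, 'projects' => []],
];
// Constructed categories; the first one is global.
$categories = [
    10 => ['name' => 'General', 'project_id' => ALL_PROJECTS],
    11 => ['name' => 'UI',      'project_id' => 1],
];

function effective_level(array $u, int $project_id): int {
    return $u['projects'][$project_id] ?? $u['global'];
}

// Pre-1.2.9 behaviour as reported: the check only asks whether the user manages
// the currently selected project, so a manager of any one project passes for a
// global category as well.
function can_delete_vulnerable(array $u, int $current_project): bool {
    global $g_manage_project_threshold;
    return effective_level($u, $current_project) >= $g_manage_project_threshold;
}

// Fixed check: a global category needs global access >= manage_site_threshold;
// a project category needs manager access on the category's own project_id,
// read from the category record, not from the request (URL manipulation).
function can_delete_fixed(array $u, array $cat): bool {
    global $g_manage_project_threshold, $g_manage_site_threshold;
    if ($cat['project_id'] === ALL_PROJECTS) {
        return $u['global'] >= $g_manage_site_threshold;
    }
    return effective_level($u, $cat['project_id']) >= $g_manage_project_threshold;
}

foreach ($users as $name => $u) {
    foreach ($categories as $cat) {
        printf("%-8s %-8s vulnerable=%-5s fixed=%s\n", $name, $cat['name'],
            var_export(can_delete_vulnerable($u, 1), true),
            var_export(can_delete_fixed($u, $cat), true));
    }
}
```

With project 1 selected, the vulnerable check lets projmgr delete the global category "General"; the fixed check only lets admin do so, while projmgr keeps the right to manage the project-level category "UI".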

- Issue History
Date Modified Username Field Change
2011-11-24 09:40 spoidras New Issue
2011-11-24 14:19 dregad Status new => confirmed
2012-01-01 20:12 dregad Note Added: 0030755
2012-01-01 20:12 dregad Assigned To => dregad
2012-01-01 20:12 dregad Status confirmed => assigned
2012-01-01 20:12 dregad Target Version => 1.2.9
2012-01-01 20:12 dregad Status assigned => resolved
2012-01-01 20:12 dregad Fixed in Version => 1.2.9
2012-01-01 20:12 dregad Resolution open => fixed
2012-01-04 16:50 dregad Changeset attached => MantisBT master 94432587
2012-01-04 16:50 dregad Changeset attached => MantisBT master-1.2.x 385e0c90
2012-03-03 21:45 vboctor Status resolved => closed
2012-03-06 08:33 dhx Category administration => security
2012-03-06 17:35 dhx Note Added: 0031395
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036307
2013-04-05 18:25 grangeway Relationship added related to 0015721
2013-04-06 03:42 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team