2014-12-19 19:50 EST

View Issue Details
ID: 0013748
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.8
Target Version: 1.2.9
Fixed in Version: 1.2.9
Summary: 0013748: Can't move bugs from projects with access < report_bug_threshold

Description: When trying to move an issue from project A to project B, if the current user's access level is below report_bug_threshold in project A, they are not allowed to move the bug even though they should (i.e. they have move_bug_threshold in A and report_bug_threshold in B).

Steps To Reproduce:
- Set report_bug_threshold in project A to 100 (NOBODY)
- Select a bug in project A
- Try to Move it to project B

Error message
"You did not have appropriate permissions to perform that action" is displayed

Tags: No tags attached.

Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Notes

~0030874

dregad (developer)

The access check in bug_actiongroup.php is not correct. It should verify the user's report_bug_threshold in the target project, not the current project.
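
The two checks side by side, as an added example that is not MantisBT code: a simplified PHP model of the access check this note describes, reading report_bug_threshold first from the source project and then from the target project. The function names, the user and the per-project levels are constructed for illustration; the numeric levels assume MantisBT's default access-level constants, and the model assumes move_bug_threshold was already checked against the source project.

```php
<?php
// Added illustration: a simplified model, not MantisBT source code.
// Function names and sample data are hypothetical / constructed.
const REPORTER = 25;
const DEVELOPER = 55;
const NOBODY = 100;

// Constructed thresholds; project A follows the reproduction steps above.
$thresholds = [
    'A' => ['move_bug_threshold' => DEVELOPER, 'report_bug_threshold' => NOBODY],
    'B' => ['move_bug_threshold' => DEVELOPER, 'report_bug_threshold' => REPORTER],
];
// Constructed access levels: one user who is a developer in both projects.
$access = ['carol' => ['A' => DEVELOPER, 'B' => DEVELOPER]];

// True when the user's level in $project meets the threshold named by $option.
function meets(array $access, array $thresholds, string $user, string $project, string $option): bool
{
    $level = $access[$user][$project] ?? 0; // no entry means no access
    return $level >= $thresholds[$project][$option];
}

// Check as described in the report: both thresholds read from the source project.
function can_move_before(array $a, array $t, string $user, string $src, string $dst): bool
{
    return meets($a, $t, $user, $src, 'move_bug_threshold')
        && meets($a, $t, $user, $src, 'report_bug_threshold');
}

// Corrected check: move rights in the source, report rights in the target.
function can_move_after(array $a, array $t, string $user, string $src, string $dst): bool
{
    return meets($a, $t, $user, $src, 'move_bug_threshold')
        && meets($a, $t, $user, $dst, 'report_bug_threshold');
}

foreach ([['A', 'B'], ['B', 'A']] as [$src, $dst]) {
    printf(
        "%s -> %s  before: %s  after: %s\n",
        $src,
        $dst,
        can_move_before($access, $thresholds, 'carol', $src, $dst) ? 'allowed' : 'denied',
        can_move_after($access, $thresholds, 'carol', $src, $dst) ? 'allowed' : 'denied'
    );
}
```

The B -> A row is the mirror case of the report: a check that reads report_bug_threshold from the wrong project gives the wrong answer in both directions, which is why the decision has to be evaluated against the project that will receive the issue.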

~0031396

dhx (reporter)

A CVE identifier has been assigned to this issue:

CVE-2012-1122 MantisBT 1.2.8 13748 incorrect access checks performed
when moving bugs between projects

~0036306

grangeway (reporter)

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Issue History
Date Modified Username Field Change
2012-01-09 08:11 dregad New Issue
2012-01-09 08:11 dregad Status new => assigned
2012-01-09 08:11 dregad Assigned To => dregad
2012-01-09 08:24 dregad Note Added: 0030874
2012-01-09 08:24 dregad Status assigned => resolved
2012-01-09 08:24 dregad Fixed in Version => 1.2.9
2012-01-09 08:24 dregad Resolution open => fixed
2012-01-09 09:00 dregad Changeset attached => MantisBT master 0da3f7ac
2012-01-09 09:00 dregad Changeset attached => MantisBT master-1.2.x 64af3ef8
2012-03-03 21:45 vboctor Status resolved => closed
2012-03-06 08:49 dhx Category bugtracker => security
2012-03-06 17:35 dhx Note Added: 0031396
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036306
2013-04-05 18:24 grangeway Relationship added related to 0015721
2013-04-06 03:42 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check