View Issue Details

ID: 0013901
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: libregeek
Assigned To: grangeway
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.8
Target Version: 1.2.9
Fixed in Version: 1.2.9
Summary: 0013901: SOAP API allows invoking methods without proper authentication
Description

If a developer knows the application URL, username and project_id, then he/she can easily invoke SOAP API methods by simply passing the password as NULL.

E.g.: the developer can invoke the SOAP API in the following format:

mc_project_get_categories('username', NULL, 1);

The script login mechanism of mantisbt uses only the username to authenticate via SOAP. The URL is always public, and developers can easily manipulate the project_id since it always starts with 1.
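As an added illustration (not MantisBT's own code or the linked patch), the pattern the report describes in a self-contained PHP model: the login routine skips verification when the password is NULL, and the corrected SOAP-side check refuses a blank password for any named account. The user store, config constants and function names are constructed assumptions.

```php
<?php
// Illustrative model of 0013901, not MantisBT's own code. A script-style login
// only verifies the password when one is supplied, so NULL authenticates on the
// username alone; the fixed SOAP check refuses a blank password for named accounts.

const ALLOW_ANONYMOUS_LOGIN = false;        // assumed config value
const ANONYMOUS_ACCOUNT     = 'anonymous';  // assumed config value

// Constructed user store (username => password hash); not MantisBT's schema.
$users = [
    'admin'     => password_hash('correct horse', PASSWORD_DEFAULT),
    'anonymous' => null,                    // anonymous account has no password
];

function is_blank(?string $value): bool {
    return $value === null || trim($value) === '';
}

// Login routine as the report describes it: NULL password => no verification.
// Calling this directly with the client-supplied password is the vulnerable path.
function script_login(array $users, string $username, ?string $password): bool {
    if (!array_key_exists($username, $users)) {
        return false;
    }
    if ($password === null) {
        return true;                        // password check skipped
    }
    return $users[$username] !== null && password_verify($password, $users[$username]);
}

// Fixed SOAP-side check: NULL is only legitimate for the anonymous account;
// every named account must present a non-blank password before any login attempt.
function check_login_fixed(array $users, ?string $username, ?string $password): bool {
    if (is_blank($username)) {
        if (!ALLOW_ANONYMOUS_LOGIN) {
            return false;
        }
        $username = ANONYMOUS_ACCOUNT;
        $password = null;
    } elseif (is_blank($password)) {
        return false;                       // reject NULL and empty passwords
    }
    return script_login($users, $username, $password);
}

var_dump(script_login($users, 'admin', null));                 // the bypass the report describes
var_dump(check_login_fixed($users, 'admin', null));            // same call through the fixed check
var_dump(check_login_fixed($users, 'admin', 'correct horse')); // legitimate login through the fixed check
```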

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

grangeway

2012-02-16 04:46

reporter ~0031249

Patch available for this @ https://github.com/mantisbt/mantisbt/commit/f5106be52cf6aa72c521f388e4abb5f0de1f1d7f

dhx

2012-03-06 17:35

reporter ~0031397

A CVE identifier has been assigned to this issue:

CVE-2012-1123 MantisBT 1.2.8 13901 SOAP API null password authentication bypass

grangeway

2013-04-05 17:57

reporter ~0036305

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master f5106be5

2012-02-15 20:41

root

Fix 0013901: SOAP API allows invoking methods without proper authentication

Note: only applied to 1.2.x not 'next', as the code is changing anyway

Affected Issues: 0013901

mod - api/soap/mc_api.php