MantisBT

View Issue Details
ID: 0013901
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2012-02-16 04:04
Last Update: 2013-04-06 09:23
Reporter: libregeek
Assigned To: grangeway
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform / OS / OS Version: not specified
Product Version: 1.2.8
Target Version: 1.2.9
Fixed in Version: 1.2.9
Summary: 0013901: SOAP API allows invoking methods without proper authentication

Description:
If a developer knows the application URL, username and project_id, then he/she can easily invoke SOAP API methods by simply passing password as NULL.

E.g., the developer can invoke the SOAP API in the following format:

mc_project_get_categories('username', NULL, 1);

The script login mechanism of mantisbt uses only the username to authenticate via SOAP. The URL is always public, and developers can easily manipulate the project_id since it always starts with 1.
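The flaw the report describes, shown as an added example in PHP (the project's language). This is not MantisBT's own code from api/soap/mc_api.php and does not reproduce the actual fix in commit f5106be5; the user table, the `vulnerable_auth`, `hardened_auth` and `mc_project_get_categories_demo` functions, and the "script login" fall-through are all constructed for illustration. It places a username-only fall-through on a null password beside a version that refuses an absent credential and always verifies the one supplied.

```php
<?php
// Added illustration, not MantisBT's code. Users, hashes and the
// project/category data are constructed stand-ins for the real API.

// Constructed user table: username => password hash.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Vulnerable pattern (hypothetical): a null password is taken to mean
// "script login" and the caller is accepted on the username alone.
function vulnerable_auth(array $users, string $username, ?string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    if ($password === null) {
        // BUG: the credential check is skipped entirely, so any caller
        // who knows a valid username is authenticated.
        return true;
    }
    return password_verify($password, $users[$username]);
}

// Hardened pattern: an absent or empty password is refused before any
// lookup, the refusal is logged so repeated null-password calls are
// visible in server logs, and the supplied credential is always verified.
function hardened_auth(array $users, string $username, ?string $password): bool
{
    if ($password === null || $password === '') {
        error_log("SOAP auth refused for '$username': missing password");
        return false;
    }
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Simulated SOAP entry point in the style of mc_project_get_categories():
// authenticate first, then perform the project-scoped operation.
function mc_project_get_categories_demo(
    array $users,
    string $username,
    ?string $password,
    int $project_id,
    callable $auth
): array {
    if (!$auth($users, $username, $password)) {
        throw new RuntimeException('Access denied');
    }
    // Constructed project data standing in for the real category lookup.
    $categories = [1 => ['General', 'SOAP API']];
    return $categories[$project_id] ?? [];
}

// The same null-password call from the report, against both helpers.
foreach (['vulnerable_auth', 'hardened_auth'] as $auth) {
    try {
        $result = mc_project_get_categories_demo($users, 'alice', null, 1, $auth);
        echo "$auth: call succeeded with a NULL password: ", implode(', ', $result), PHP_EOL;
    } catch (RuntimeException $e) {
        echo "$auth: ", $e->getMessage(), PHP_EOL;
    }
}

// A correct credential still works against the hardened helper.
$result = mc_project_get_categories_demo(
    $users, 'alice', 'correct horse battery staple', 1, 'hardened_auth'
);
echo "hardened_auth with the real password: ", implode(', ', $result), PHP_EOL;
```

Run with `php example.php`: the vulnerable helper returns the project's categories for the null-password call, the hardened helper throws "Access denied" for it and logs the refusal, and the call with the real password succeeds. The design point is that a missing credential must be rejected before any username lookup; treating null as a distinct login mode is what turns a public URL plus a known username into full API access.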
Tags: 2.0.x check
Attached Files: (none)

- Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

- Notes
Note 0031249
grangeway (developer)
2012-02-16 04:46

Patch available for this @ https://github.com/mantisbt/mantisbt/commit/f5106be52cf6aa72c521f388e4abb5f0de1f1d7f
Note 0031397
dhx (developer)
2012-03-06 17:35

A CVE identifier has been assigned to this issue:

CVE-2012-1123 MantisBT 1.2.8 13901 SOAP API null password authentication bypass
Note 0036305
grangeway (developer)
2013-04-05 17:57

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

- Related Changesets
MantisBT: master f5106be5
Timestamp: 2012-02-16 01:41:56
Author: root
Fix 0013901: SOAP API allows invoking methods without proper authentication

Note: only applied to 1.2.x not 'next', as the code is changing anyway
mod - api/soap/mc_api.php

- Issue History
Date Modified Username Field Change
2012-02-16 04:04 libregeek New Issue
2012-02-16 04:18 rombert Description Updated View Revisions
2012-02-16 04:27 grangeway Assigned To => grangeway
2012-02-16 04:27 grangeway Status new => assigned
2012-02-16 04:46 grangeway Note Added: 0031249
2012-02-16 04:46 grangeway Status assigned => resolved
2012-02-16 04:46 grangeway Fixed in Version => 1.2.9
2012-02-16 04:46 grangeway Resolution open => fixed
2012-02-27 20:37 dregad Changeset attached => MantisBT master f5106be5
2012-02-27 20:38 dregad Target Version => 1.2.9
2012-02-27 20:38 dregad Description Updated View Revisions
2012-03-03 21:45 vboctor Status resolved => closed
2012-03-06 07:59 dhx Category api soap => security
2012-03-06 17:35 dhx Note Added: 0031397
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036305
2013-04-05 18:24 grangeway Relationship added related to 0015721
2013-04-06 03:42 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team