View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0013901 | mantisbt | security | public | 2012-02-16 04:04 | 2014-09-23 18:05 |
| Field | Value |
|---|---|
| Reporter | libregeek |
| Assigned To | grangeway |
| Priority | normal |
| Severity | major |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.8 |
| Target Version | 1.2.9 |
| Fixed in Version | 1.2.9 |
| Summary | 0013901: SOAP API allows invoking methods without proper authentication |
| Tags | No tags attached. |

Description

If a developer knows the application URL, username and project_id, then he/she can easily invoke SOAP API methods by simply passing the password as NULL. E.g., the developer can invoke the SOAP API in the following format: `mc_project_get_categories('username', NULL, 1);`. The script login mechanism of mantisbt uses only the username to authenticate via SOAP. The URL is always public and developers can easily manipulate the project_id since it always starts with 1.
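As an added example (not MantisBT's own code and not the linked patch), the pattern the report describes, written in PHP since that is the project's language: a login helper whose null-password branch trusts the username alone, beside a hardened version that refuses a missing password. Every name here (`$USERS`, `login_vulnerable`, `login_hardened`, `mc_call`) is hypothetical, and the user table is constructed for the example.

```php
<?php
// Added example, not MantisBT's own code: a minimal reproduction of the
// pattern the report describes, where a "script login" path skips the
// password check when the password is null, beside a hardened version.
// All names ($USERS, login_vulnerable, login_hardened, mc_call) are
// hypothetical.

declare(strict_types=1);

// Constructed user table: username => password hash. The plaintext is only
// here so the example is self-contained.
$USERS = [
    'libregeek' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Precomputed dummy hash so a lookup miss still costs one password_verify().
$DUMMY_HASH = password_hash('dummy', PASSWORD_DEFAULT);

// Vulnerable pattern: a null password is treated as a trusted script login,
// so knowing a valid username is enough to authenticate.
function login_vulnerable(array $users, string $username, ?string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    if ($password !== null) {
        return password_verify($password, $users[$username]);
    }
    return true; // password check skipped entirely
}

// Hardened: a missing or empty password never authenticates, and a
// nonexistent user still pays for a hash comparison so the response time
// does not reveal which usernames exist.
function login_hardened(array $users, string $dummyHash, string $username, ?string $password): bool
{
    if ($password === null || $password === '') {
        return false;
    }
    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Shape of a SOAP-style method that gates on the login check, mirroring
// the mc_project_get_categories('username', NULL, 1) call in the report.
function mc_call(callable $login, string $username, ?string $password, int $projectId): array
{
    if (!$login($username, $password)) {
        throw new RuntimeException('Access denied');
    }
    // Constructed placeholder result standing in for the project's categories.
    return ['project_id' => $projectId, 'categories' => ['General']];
}

$vuln = fn(string $u, ?string $p): bool => login_vulnerable($USERS, $u, $p);
$hard = fn(string $u, ?string $p): bool => login_hardened($USERS, $DUMMY_HASH, $u, $p);

// Null password with a valid username: accepted by the vulnerable path...
assert(mc_call($vuln, 'libregeek', null, 1)['project_id'] === 1);

// ...rejected by the hardened one.
try {
    mc_call($hard, 'libregeek', null, 1);
    assert(false, 'null password must not authenticate');
} catch (RuntimeException $e) {
    assert($e->getMessage() === 'Access denied');
}

// The real password still works on the hardened path.
assert(mc_call($hard, 'libregeek', 'correct horse battery staple', 1)['categories'] === ['General']);

echo "done\n";
```

Run it with `php -d zend.assertions=1 example.php` so the `assert()` checks are active. The point of the hardened version is that the "trust the username" branch is not reachable from anything network-facing: a NULL password is a failed login, and a bad username costs the same as a bad password.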
Patch available for this @ https://github.com/mantisbt/mantisbt/commit/f5106be52cf6aa72c521f388e4abb5f0de1f1d7f

A CVE identifier has been assigned to this issue: CVE-2012-1123 MantisBT 1.2.8 13901 SOAP API null password

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch