View Issue Details

ID: 0013901
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: libregeek
Assigned To: grangeway
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.8
Target Version: 1.2.9
Fixed in Version: 1.2.9
Summary: 0013901: SOAP API allows invoking methods without proper authentication
Description

If a developer knows the application URL, username and project_id, then he/she can easily invoke SOAP API methods by simply passing the password as NULL.

E.g., the developer can invoke the SOAP API in the following format:

mc_project_get_categories('username', NULL, 1);

The script login mechanism of MantisBT uses only the username to authenticate via SOAP. The URL is always public, and developers can easily manipulate the project_id since it always starts with 1.
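The pattern the report describes is a login routine that resolves a user from the username alone, so a NULL password is never examined. Below is an added illustration in hypothetical PHP (not MantisBT's api/soap/mc_api.php, and not the fix commit): the weak lookup beside a hardened one that fails closed on a missing password and verifies it against a stored hash. The user table, category data and function names are constructed assumptions.

```php
<?php
// Constructed user table: password stored as a PHP password_hash() value.
// Not MantisBT code; names and data are assumptions for this illustration.
$USERS = [
    'username' => ['id' => 1, 'hash' => password_hash('correct-horse', PASSWORD_DEFAULT)],
];
$CATEGORIES = [1 => ['General', 'Bug', 'Feature']]; // constructed data for project_id 1

// Weak pattern from the report: the user id is resolved from the username
// only, so the password argument (NULL included) is never looked at.
function soap_login_weak(string $username, $password): ?int {
    global $USERS;
    return isset($USERS[$username]) ? $USERS[$username]['id'] : null;
}

// Hardened pattern: reject a missing or empty password before any lookup,
// then verify it against the stored hash before returning a user id.
// Unknown users and wrong passwords both yield null, so the caller cannot
// tell the two cases apart.
function soap_login_hardened($username, $password): ?int {
    global $USERS;
    if (!is_string($username) || $username === '') { return null; }
    if (!is_string($password) || $password === '') { return null; } // NULL or '' fails closed
    if (!isset($USERS[$username])) { return null; }
    $user = $USERS[$username];
    return password_verify($password, $user['hash']) ? $user['id'] : null;
}

// SOAP-style method built on the hardened login. A RuntimeException stands in
// for the SOAP fault a real endpoint would return to an unauthenticated caller.
function mc_project_get_categories_hardened($username, $password, int $project_id): array {
    global $CATEGORIES;
    if (soap_login_hardened($username, $password) === null) {
        throw new RuntimeException('Access denied');
    }
    return $CATEGORIES[$project_id] ?? [];
}

// Demonstration: the NULL-password call from the report against both checks.
printf("weak:     %s\n", var_export(soap_login_weak('username', null), true));
printf("hardened: %s\n", var_export(soap_login_hardened('username', null), true));
printf("hardened, real password: %s\n", var_export(soap_login_hardened('username', 'correct-horse'), true));
try {
    mc_project_get_categories_hardened('username', null, 1);
} catch (RuntimeException $e) {
    printf("SOAP call with NULL password: %s\n", $e->getMessage());
}
```

Run with php on the command line; the weak lookup hands back a user id for the NULL-password call, while the hardened path refuses it and the SOAP-style method raises the access-denied fault.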

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

grangeway (reporter), 2012-02-16 04:46, ~0031249

Patch available for this @ https://github.com/mantisbt/mantisbt/commit/f5106be52cf6aa72c521f388e4abb5f0de1f1d7f

dhx (reporter), 2012-03-06 17:35, ~0031397

A CVE identifier has been assigned to this issue:

CVE-2012-1123 MantisBT 1.2.8 13901 SOAP API null password authentication bypass

grangeway (reporter), 2013-04-05 17:57, ~0036305

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master f5106be5
2012-02-16 01:41:56
root

Fix 0013901: SOAP API allows invoking methods without proper authentication

Note: only applied to 1.2.x not 'next', as the code is changing anyway

mod - api/soap/mc_api.php

Issue History

Date Modified | Username | Field | Change
2012-02-16 04:04 libregeek New Issue
2012-02-16 04:18 rombert Description Updated
2012-02-16 04:27 grangeway Assigned To => grangeway
2012-02-16 04:27 grangeway Status new => assigned
2012-02-16 04:46 grangeway Note Added: 0031249
2012-02-16 04:46 grangeway Status assigned => resolved
2012-02-16 04:46 grangeway Fixed in Version => 1.2.9
2012-02-16 04:46 grangeway Resolution open => fixed
2012-02-27 20:37 dregad Changeset attached => MantisBT master f5106be5
2012-02-27 20:38 dregad Target Version => 1.2.9
2012-02-27 20:38 dregad Description Updated
2012-03-03 21:45 vboctor Status resolved => closed
2012-03-06 07:59 dhx Category api soap => security
2012-03-06 17:35 dhx Note Added: 0031397
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036305
2013-04-05 18:24 grangeway Relationship added related to 0015721
2013-04-06 03:42 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check