View Issue Details
| Field | Value |
|---|---|
| ID | 0013901 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2012-02-16 04:04 |
| Last Update | 2013-04-06 09:23 |
| Reporter | libregeek |
| Assigned To | grangeway |
| Priority | normal |
| Severity | major |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Platform | |
| OS | |
| OS Version | |
| Product Version | 1.2.8 |
| Target Version | 1.2.9 |
| Fixed in Version | 1.2.9 |
| Summary | 0013901: SOAP API allows invoking methods without proper authentication |
| Description | If a developer knows the application URL, username and project_id, then he/she can easily invoke SOAP API methods by simply passing the password as NULL. E.g., the developer can invoke the SOAP API in the following format: `mc_project_get_categories('username', NULL, 1);` The script login mechanism of mantisbt uses only the username to authenticate via SOAP. The URL is always public and developers can easily manipulate the project_id since it always starts with 1. |
| Tags | 2.0.x check |
| Attached Files | |
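The report describes a "script login" path that trusts the username alone when the password argument is NULL. The following is an added illustration of that flaw class and its fix, not MantisBT's own `mc_api.php` code; the user store, function names and password values are constructed for the example, and it assumes PHP 7.1 or later for the nullable type hint.

```php
<?php
// Hypothetical example, not MantisBT code. Constructed user store:
// username => password hash as produced by password_hash().
$users = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// VULNERABLE pattern: a NULL password is treated as a "script login" and the
// caller is accepted on the strength of a known username alone. Any call such
// as mc_project_get_categories('alice', NULL, 1) would be authenticated.
function vulnerable_login(array $users, string $username, ?string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    if ($password === null) {
        return true;   // username-only path: this is the authentication bypass
    }
    return password_verify($password, $users[$username]);
}

// HARDENED pattern: there is no username-only path. A missing or empty
// password is rejected before any lookup, and a present password is always
// verified against the stored hash.
function hardened_login(array $users, string $username, ?string $password): bool
{
    if ($password === null || $password === '') {
        return false;  // reject the bypass input outright
    }
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Demonstration calls: the first shows the bypass, the second shows it closed,
// the third shows that a correct password still authenticates.
var_dump(vulnerable_login($users, 'alice', null));
var_dump(hardened_login($users, 'alice', null));
var_dump(hardened_login($users, 'alice', 'correct horse'));
```

A defensive review of any SOAP or RPC entry point should look for the same shape: a credential parameter that is optional or nullable, and a branch that grants access when it is absent.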
Notes

grangeway (developer) 2012-02-16 04:46
Patch available for this @ https://github.com/mantisbt/mantisbt/commit/f5106be52cf6aa72c521f388e4abb5f0de1f1d7f
|
dhx (developer) 2012-03-06 17:35
A CVE identifier has been assigned to this issue: CVE-2012-1123 MantisBT 1.2.8 13901 SOAP API null password authentication bypass
|
grangeway (developer) 2013-04-05 17:57
Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.
Related Changesets

MantisBT: master f5106be5
Timestamp: 2012-02-16 01:41:56 Author: root
Fix 0013901: SOAP API allows invoking methods without proper authentication. Note: only applied to 1.2.x, not 'next', as the code is changing anyway.
mod - api/soap/mc_api.php
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2012-02-16 04:04 | libregeek | New Issue | |
| 2012-02-16 04:18 | rombert | Description Updated | View Revisions |
| 2012-02-16 04:27 | grangeway | Assigned To | => grangeway |
| 2012-02-16 04:27 | grangeway | Status | new => assigned |
| 2012-02-16 04:46 | grangeway | Note Added: 0031249 | |
| 2012-02-16 04:46 | grangeway | Status | assigned => resolved |
| 2012-02-16 04:46 | grangeway | Fixed in Version | => 1.2.9 |
| 2012-02-16 04:46 | grangeway | Resolution | open => fixed |
| 2012-02-27 20:37 | dregad | Changeset attached | => MantisBT master f5106be5 |
| 2012-02-27 20:38 | dregad | Target Version | => 1.2.9 |
| 2012-02-27 20:38 | dregad | Description Updated | View Revisions |
| 2012-03-03 21:45 | vboctor | Status | resolved => closed |
| 2012-03-06 07:59 | dhx | Category | api soap => security |
| 2012-03-06 17:35 | dhx | Note Added: 0031397 | |
| 2013-04-05 17:57 | grangeway | Status | closed => acknowledged |
| 2013-04-05 17:57 | grangeway | Note Added: 0036305 | |
| 2013-04-05 18:24 | grangeway | Relationship added | related to 0015721 |
| 2013-04-06 03:42 | dregad | Status | acknowledged => closed |
| 2013-04-06 07:23 | grangeway | Status | closed => acknowledged |
| 2013-04-06 09:22 | dregad | Tag Attached: 2.0.x check | |
| 2013-04-06 09:23 | dregad | Status | acknowledged => closed |
MantisBT 1.2.16dev master-1.2.x-8c2bd07
Copyright © 2000 - 2013 MantisBT Team