View Issue Details
| Field | Value |
|---|---|
| ID | 0014340 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2012-06-01 17:19 |
| Last Update | 2014-09-23 18:05 |
| Reporter | atrol |
| Assigned To | dhx |
| Priority | high |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.10 |
| Target Version | 1.2.11 |
| Fixed in Version | 1.2.11 |
| Summary | 0014340: CVE-2012-2691 Reporters can update notes of other users by using SOAP API |
| Description | Reporters are not able to update notes of other users in a standard MantisBT configuration when using the web interface. However, the access check when using the SOAP API (function mc_issue_note_update) uses option $g_add_bugnote_threshold, which defaults to REPORTER. Replacing $g_add_bugnote_threshold by $g_update_bugnote_threshold is not enough to solve the issue, as reporters will not be able to update their own notes. Example where this approach is no clean solution: Quick solution: Clean solution: |
| Tags | No tags attached. |
This should now be fixed in master and master-1.2.x; however, I haven't tested the code (I don't use SOAP). Can someone please double check and confirm my patch is valid and functional? Thanks again Roland, Damien (sorry for the typo in the commit message!) for finding and reporting this issue.

Thanks for the fix, David, and no worries about the typo - it happens all the time ;)

I did a quick check on my local dev box - problem is not fixed yet. Created a test user (reporter) ... and the note 33 was updated.

Found the root cause - mc_issue_note_update was passing wrong parameters to access_has_bugnote_level(), so unprivileged users could still update others' bugnotes.
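The two defects discussed in this issue (the SOAP endpoint checking the caller against the add threshold instead of the update threshold, and the corrected check then being called with the wrong parameters) both stem from the web form and the SOAP endpoint each carrying their own copy of the authorization logic. The PHP script below is an added illustration and is not MantisBT's code or the patch from this issue: it models the policy the reporter describes with one shared function that both entry points would call, passing the bugnote record itself so the check cannot be fed the wrong arguments, and compares it against the vulnerable and the naive variants. The access-level constants are MantisBT's documented values; the configuration defaults and every function and variable name here are assumptions.

```php
<?php
// Added illustration, not MantisBT code. Models the bugnote-update policy
// described in issue 0014340 with a single shared check so that the web
// form and the SOAP endpoint cannot drift apart.

// MantisBT access-level constants (documented values).
const REPORTER  = 25;
const DEVELOPER = 50;

// Assumed defaults of a standard MantisBT configuration (assumption).
$g_config = array(
    'add_bugnote_threshold'          => REPORTER,
    'update_bugnote_threshold'       => DEVELOPER,
    'bugnote_allow_user_edit_delete' => true,
);

// Vulnerable variant (the pre-fix behaviour the report describes): the SOAP
// endpoint compared the caller's level against the *add* threshold, so any
// user who may add a note may also edit every other user's note.
function soap_can_update_bugnote_vulnerable(array $config, $user_level) {
    return $user_level >= $config['add_bugnote_threshold'];
}

// Naive replacement the reporter rejects: the update threshold alone locks
// reporters out of their own notes.
function soap_can_update_bugnote_naive(array $config, $user_level) {
    return $user_level >= $config['update_bugnote_threshold'];
}

// Shared check (hypothetical name): allowed when the caller meets the update
// threshold, or authored the note and per-user editing is enabled. Both the
// web form and the SOAP endpoint call this one function with the bugnote
// record, so the parameters are the same on both paths.
function bugnote_can_update(array $config, $user_id, $user_level, array $bugnote) {
    if ($user_level >= $config['update_bugnote_threshold']) {
        return true;
    }
    return $config['bugnote_allow_user_edit_delete']
        && (int) $bugnote['reporter_id'] === (int) $user_id;
}

// Constructed sample data: two reporters, one developer, one note by bob.
$alice = array('id' => 1, 'level' => REPORTER);
$bob   = array('id' => 2, 'level' => REPORTER);
$dev   = array('id' => 3, 'level' => DEVELOPER);
$note_by_bob = array('id' => 33, 'reporter_id' => 2);

printf("%-10s %-12s %-8s %-8s\n", 'user', 'vulnerable', 'naive', 'shared');
foreach (array('alice' => $alice, 'bob' => $bob, 'dev' => $dev) as $name => $u) {
    printf("%-10s %-12s %-8s %-8s\n", $name,
        var_export(soap_can_update_bugnote_vulnerable($g_config, $u['level']), true),
        var_export(soap_can_update_bugnote_naive($g_config, $u['level']), true),
        var_export(bugnote_can_update($g_config, $u['id'], $u['level'], $note_by_bob), true));
}
```

Running it prints one row per user against bob's note: the vulnerable check lets alice, a plain reporter, edit it; the naive update-threshold check denies bob his own note; the shared check allows exactly bob and the developer. Keeping a single function like this behind every entry point is what makes a divergence between bugnote_update.php and mc_issue_api.php, or a mis-ordered argument list, show up as one failing test instead of a silent authorization bypass.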

http://www.openwall.com/lists/oss-security/2012/06/09/1

CVE-2012-2691

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

MantisBT: master 508cab00 2012-06-01 20:40

Fix 0014340: Reporters can use SOAP to update bugnotes without permission

The access checks inside bugnote_update.php and api/soap/mc_issue_api.php differed. Users were incorrectly allowed via the SOAP interface to update the bugnotes of other users. Instead of comparing the SOAP user's access level to $g_update_bugnote_threshold, $g_add_bugnote_threshold was used instead. This posed a problem because the default installed state of MantisBT is to allow the REPORTER access level to submit bugs via the SOAP API. Thus in the default installed state, any user who could submit a bug could also update/modify the bugnotes of any other user. Access checks within bugnote_update.php and api/soap/mc_issue_api.php should now be equivalent. Thanks to Roland Becker and Damien Regard (both MantisBT developers) for finding and reporting this problem.

Affected Issues: 0014340

mod - api/soap/mc_issue_api.php

MantisBT: master-1.2.x edc8142b 2012-06-01 20:40

Fix 0014340: Reporters can use SOAP to update bugnotes without permission

The access checks inside bugnote_update.php and api/soap/mc_issue_api.php differed. Users were incorrectly allowed via the SOAP interface to update the bugnotes of other users. Instead of comparing the SOAP user's access level to $g_update_bugnote_threshold, $g_add_bugnote_threshold was used instead. This posed a problem because the default installed state of MantisBT is to allow the REPORTER access level to submit bugs via the SOAP API. Thus in the default installed state, any user who could submit a bug could also update/modify the bugnotes of any other user. Access checks within bugnote_update.php and api/soap/mc_issue_api.php should now be equivalent. Thanks to Roland Becker and Damien Regard (both MantisBT developers) for finding and reporting this problem.

Affected Issues: 0014340

mod - api/soap/mc_issue_api.php

MantisBT: master 15a5d6a3 2012-06-03 11:29

mc_issue_note_update passing wrong param to access check function

Commit edc8142bb8ac0ac0df1a3824d78c15f4015d959e introduced proper logic to avoid unauthorized update of bugnotes, but was passing incorrect parameters to access_has_bugnote_level() so unprivileged users could still update them. Fixes 0014340

Affected Issues: 0014340

mod - api/soap/mc_issue_api.php

MantisBT: master-1.2.x 175d9731 2012-06-03 11:29

mc_issue_note_update passing wrong param to access check function

Commit edc8142bb8ac0ac0df1a3824d78c15f4015d959e introduced proper logic to avoid unauthorized update of bugnotes, but was passing incorrect parameters to access_has_bugnote_level() so unprivileged users could still update them. Fixes 0014340

Affected Issues: 0014340

mod - api/soap/mc_issue_api.php