MantisBT

View Issue Details
ID: 0014704
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2012-09-11 14:37
Last Update: 2013-04-06 09:23
Reporter: szwagier44
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not specified)
Product Version: 1.2.9
Target Version: 1.2.12
Fixed in Version: 1.2.12
Summary: 0014704: CVE-2012-5523 Clone and Move issue with Copy bug notes - user gets email notice from project without access

Description:
Clone and Move issue with Copy bug notes - user gets email notice from project without access

Mantis configuration:
I've got two projects:
- ProjectA
- ProjectB

I've got two users:
- UserA, who has access only to ProjectA
- Manager, who has access to ProjectA and ProjectB

Steps:
1. Some user reports an issue to ProjectA - IssueA
2. UserA adds a note to IssueA
3. Manager clones IssueA with the option "Copy bug notes" and gets a new issue - IssueB
4. Manager moves IssueB from ProjectA to ProjectB
5. Manager adds new notes to IssueB

Bug:
Now any action on IssueB, e.g. adding notes or changing status, causes an email notice for IssueB to be sent to UserA. UserA doesn't have access to IssueB but can read the whole history and all notes from the email body.

Tags: 2.0.x check
Attached Files: (none)

- Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

- Notes

Note 0032821 - dregad (developer) - 2012-09-12 04:54

Good catch.

Until a fix for this can be developed, I can only suggest as a workaround to uncheck "E-mail on Note Added" for "Users who added Issue Notes" in the Manage E-mail notifications page.

Note 0032822 - dregad (developer) - 2012-09-12 12:01

The email_collect_recipients api function should check that each recipient has access to the bug.

Note 0032855 - szwagier44 (reporter) - 2012-09-18 05:50

I've just checked your fix on version 1.2.9 and everything seems to be okay.

Note 0032856 - dregad (developer) - 2012-09-18 06:01

Thanks for your feedback.

Note 0035370 - dregad (developer) - 2013-03-04 11:22

CVE-2012-5523 assigned on oss-security mailing list on 2012-11-14

Note 0036082 - grangeway (developer) - 2013-04-05 17:56

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch

- Related Changesets

MantisBT: master-1.2.x 2cc83ca9
Timestamp: 2012-09-12 08:48:17
Author: dregad

Don't send email notices for a bug to which users have no access

Prior to this, users without viewer access to a bug could potentially
receive email notifications for it. This could happen in case of
permissions changes, or if an issue is moved to another project with
different access rights.

Added an access level check to exclude users who don't have at least
VIEWER privilege to the bug.

Fixes 0014704

mod - core/email_api.php

MantisBT: master 2d815440
Timestamp: 2012-09-12 08:48:17
Author: dregad

Don't send email notices for a bug to which users have no access

Prior to this, users without viewer access to a bug could potentially
receive email notifications for it. This could happen in case of
permissions changes, or if an issue is moved to another project with
different access rights.

Added an access level check to exclude users who don't have at least
VIEWER privilege to the bug.

Fixes 0014704

mod - core/email_api.php
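The recipient check that dregad proposes in note 0032822 and that the two changesets above describe (drop anyone without at least VIEWER access to the bug), as an added, self-contained model. This is example code, not MantisBT's email_api.php: the Project/Issue/Note classes, the function names, the clone and move semantics and the numeric access levels are all assumptions made to reproduce the reporter's five steps offline. It builds the scenario from the description (UserA in ProjectA only, Manager in both), runs the pre-fix and post-fix recipient collection on the moved clone, and also shows the effect of the interim workaround from note 0032821 (not notifying note authors).

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Access levels. The numbers are assumed for this model; only their ordering matters.
VIEWER, REPORTER, MANAGER = 10, 25, 70


@dataclass
class Project:
    name: str
    # user name -> access level in this project; users not listed have no access
    access: Dict[str, int] = field(default_factory=dict)


@dataclass
class Note:
    author: str
    text: str


@dataclass
class Issue:
    issue_id: int
    project: Project
    reporter: str
    notes: List[Note] = field(default_factory=list)


def access_has_bug_level(issue: Issue, user: str, level: int) -> bool:
    """Does `user` hold at least `level` in the project the issue currently lives in?"""
    return issue.project.access.get(user, 0) >= level


def clone_issue(issue: Issue, new_id: int, cloned_by: str, copy_notes: bool) -> Issue:
    """Model of 'Clone' with 'Copy bug notes': the note authors travel with the copy.
    Modelling choice: the cloning user becomes the reporter of the clone."""
    notes = [Note(n.author, n.text) for n in issue.notes] if copy_notes else []
    return Issue(new_id, issue.project, cloned_by, notes)


def move_issue(issue: Issue, target: Project) -> None:
    """Model of 'Move': only the project changes; the copied notes stay attached."""
    issue.project = target


def collect_recipients_vulnerable(issue: Issue, notify_note_authors: bool = True) -> List[str]:
    """Pre-fix behaviour: reporter plus everyone who ever added a note, no access check."""
    recipients = {issue.reporter}
    if notify_note_authors:  # the "Users who added Issue Notes" notification option
        recipients.update(n.author for n in issue.notes)
    return sorted(recipients)


def collect_recipients_fixed(issue: Issue, notify_note_authors: bool = True) -> List[str]:
    """Post-fix behaviour: every candidate must have at least VIEWER access to the bug."""
    return [u for u in collect_recipients_vulnerable(issue, notify_note_authors)
            if access_has_bug_level(issue, u, VIEWER)]


def reproduce_report() -> dict:
    """Constructed scenario following steps 1-5 of the report."""
    project_a = Project("ProjectA", {"UserR": REPORTER, "UserA": REPORTER, "Manager": MANAGER})
    project_b = Project("ProjectB", {"Manager": MANAGER})

    issue_a = Issue(1, project_a, reporter="UserR")                           # step 1
    issue_a.notes.append(Note("UserA", "note from UserA on IssueA"))          # step 2
    issue_b = clone_issue(issue_a, 2, cloned_by="Manager", copy_notes=True)   # step 3
    move_issue(issue_b, project_b)                                            # step 4
    issue_b.notes.append(Note("Manager", "ProjectB-only note on IssueB"))     # step 5

    return {
        "issue_a_fixed": collect_recipients_fixed(issue_a),
        "issue_b_vulnerable": collect_recipients_vulnerable(issue_b),
        "issue_b_fixed": collect_recipients_fixed(issue_b),
        # interim workaround from note 0032821: stop notifying note authors altogether
        "issue_b_workaround": collect_recipients_vulnerable(issue_b, notify_note_authors=False),
        "user_a_can_view_issue_b": access_has_bug_level(issue_b, "UserA", VIEWER),
    }


if __name__ == "__main__":
    for key, value in reproduce_report().items():
        print(f"{key}: {value}")
```

The filter is deliberately applied to the whole candidate set rather than to note authors only, because the changeset message also names the other trigger, a permissions change after the fact: a reporter or handler who loses access to the project must drop out of the recipient list just as a copied note author does.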

- Issue History
Date Modified Username Field Change
2012-09-11 14:37 szwagier44 New Issue
2012-09-12 04:54 dregad Note Added: 0032821
2012-09-12 04:54 dregad Status new => acknowledged
2012-09-12 12:01 dregad Note Added: 0032822
2012-09-12 12:01 dregad Assigned To => dregad
2012-09-12 12:01 dregad Status acknowledged => assigned
2012-09-12 12:01 dregad Category email => security
2012-09-12 12:01 dregad Target Version => 1.2.12
2012-09-12 12:01 dregad Changeset attached => MantisBT master-1.2.x 2cc83ca9
2012-09-12 12:01 dregad Status assigned => resolved
2012-09-12 12:01 dregad Resolution open => fixed
2012-09-12 12:01 dregad Fixed in Version => 1.2.12
2012-09-12 12:02 dregad Changeset attached => MantisBT master 2d815440
2012-09-18 05:50 szwagier44 Note Added: 0032855
2012-09-18 06:01 dregad Note Added: 0032856
2012-11-10 18:54 dregad Status resolved => closed
2013-03-04 11:22 dregad Note Added: 0035370
2013-03-04 11:22 dregad Summary Clone and Move issue with Copy bug notes - user get email notice from project without access => CVE-2012-5523 Clone and Move issue with Copy bug notes - user get email notice from project without access
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036082
2013-04-05 19:42 grangeway Relationship added related to 0015721
2013-04-06 03:40 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team