| Field | Value |
|---|---|
| ID | 0014704 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2012-09-11 14:37 |
| Last Update | 2013-04-06 09:23 |
| Reporter | szwagier44 |
| Assigned To | dregad |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.9 |
| Target Version | 1.2.12 |
| Fixed in Version | 1.2.12 |
| Summary | 0014704: CVE-2012-5523 Clone and Move issue with Copy bug notes - user get email notice from project without access |
Description

Clone and Move issue with Copy bug notes - user gets email notice from project without access

Mantis configuration: I've got two projects:
- ProjectA
- ProjectB

I've got two users:
- UserA, who has access only to ProjectA
- Manager, who has access to ProjectA and ProjectB

Steps:
1. Some user reports an issue to ProjectA - IssueA
2. UserA adds a note to IssueA
3. Manager clones IssueA with the option "Copy bug notes" and gets a new issue - IssueB
4. Manager moves IssueB from ProjectA to ProjectB
5. Manager adds new notes to IssueB

Bug: Now any action on IssueB, e.g. adding notes or changing status, causes an email notice to be sent to UserA from IssueB. UserA doesn't have access to IssueB but can read the whole history and any notes from the email body.
Tags: 2.0.x check

Attached Files: (none)
Notes
dregad (developer) 2012-09-12 04:54

Good catch. Until a fix for this can be developed, I can only suggest as a workaround to uncheck "E-mail on Note Added" for "Users who added Issue Notes" in the Manage E-mail notifications page.

dregad (developer) 2012-09-12 12:01

The email_collect_recipients api function should check that each recipient has access to the bug.

szwagier44 (reporter) 2012-09-18 05:50

I've just checked your fix on version 1.2.9 and everything seems to be okay.

dregad (developer) 2012-09-18 06:01

Thanks for your feedback.

dregad (developer) 2013-03-04 11:22

CVE-2012-5523 assigned on oss-security mailing list on 2012-11-14

grangeway (developer) 2013-04-05 17:56

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.
Related Changesets

MantisBT: master-1.2.x 2cc83ca9
Timestamp: 2012-09-12 08:48:17 Author: dregad

Don't send email notices for a bug to which users have no access

Prior to this, users without viewer access to a bug could potentially receive email notifications for it. This could happen in case of permissions changes, or if an issue is moved to another project with different access rights.

Added an access level check to exclude users who don't have at least VIEWER privilege to the bug.

Fixes 0014704

mod - core/email_api.php

MantisBT: master 2d815440
Timestamp: 2012-09-12 08:48:17 Author: dregad

(Same commit message as master-1.2.x 2cc83ca9 above.)

mod - core/email_api.php
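The report's five steps and the fix described in the changesets (filter the collected recipients by an access check against the bug, as dregad's note on email_collect_recipients also suggests), modelled as an added, self-contained example. This is not MantisBT's code from core/email_api.php: the access matrix, the users Reporter0/UserA/Manager, the `has_bug_level`, `collect_recipients*`, `clone_bug` and `move_bug` helpers, and the rule that the cloning user becomes the clone's reporter are all constructed assumptions for illustration.

```python
"""Constructed model of how a tracker collects email recipients for a bug,
with and without the access check described in the changeset.
Added example; not MantisBT's code. Names and data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Numeric levels follow MantisBT's ordering (VIEWER < REPORTER < MANAGER);
# only the ordering matters in this example.
VIEWER, REPORTER, MANAGER = 10, 25, 70

# Constructed access matrix: project -> user -> access level.
# UserA sees only ProjectA; Manager sees both; Reporter0 filed IssueA.
ACCESS: Dict[str, Dict[str, int]] = {
    "ProjectA": {"Reporter0": REPORTER, "UserA": REPORTER, "Manager": MANAGER},
    "ProjectB": {"Manager": MANAGER},
}


@dataclass
class Note:
    author: str
    text: str


@dataclass
class Bug:
    bug_id: int
    project: str
    reporter: str
    handler: Optional[str] = None
    monitors: Set[str] = field(default_factory=set)
    notes: List[Note] = field(default_factory=list)


def has_bug_level(user: str, level: int, bug: Bug) -> bool:
    """Does `user` hold at least `level` on the bug's *current* project?
    Stand-in for a real per-bug access check (assumption: project-level only)."""
    return ACCESS.get(bug.project, {}).get(user, 0) >= level


def collect_recipients_unchecked(bug: Bug) -> Set[str]:
    """Pre-fix behaviour: everyone ever attached to the bug (reporter, handler,
    monitors, note authors), with no check that they may still see it."""
    recipients = {bug.reporter}
    if bug.handler:
        recipients.add(bug.handler)
    recipients |= bug.monitors
    recipients |= {n.author for n in bug.notes}
    return recipients


def collect_recipients(bug: Bug) -> Set[str]:
    """Post-fix behaviour: same candidates, minus anyone without VIEWER on the
    bug's current project. Copied notes keep their original author, so this
    filter is what drops UserA once the clone has been moved."""
    return {u for u in collect_recipients_unchecked(bug)
            if has_bug_level(u, VIEWER, bug)}


def clone_bug(src: Bug, new_id: int, cloned_by: str, copy_notes: bool) -> Bug:
    """Clone within the same project; the cloning user becomes the reporter
    (assumed clone semantics). Notes are copied with their original authors."""
    notes = [Note(n.author, n.text) for n in src.notes] if copy_notes else []
    return Bug(new_id, src.project, reporter=cloned_by, notes=notes)


def move_bug(bug: Bug, project: str) -> None:
    """A move only changes the project; nothing re-validates attached users."""
    bug.project = project


def reproduce():
    """Steps 1-5 of the report; returns (pre-fix, post-fix) recipient sets."""
    issue_a = Bug(1, "ProjectA", reporter="Reporter0")            # step 1
    issue_a.notes.append(Note("UserA", "note on IssueA"))         # step 2
    issue_b = clone_bug(issue_a, 2, "Manager", copy_notes=True)   # step 3
    move_bug(issue_b, "ProjectB")                                 # step 4
    issue_b.notes.append(Note("Manager", "new note on IssueB"))   # step 5
    return collect_recipients_unchecked(issue_b), collect_recipients(issue_b)


if __name__ == "__main__":
    before, after = reproduce()
    print("without access check:", sorted(before))  # UserA would be notified
    print("with access check:   ", sorted(after))   # only Manager remains
```

The point the model makes is that the recipient list is derived from historical attachments (reporter, note authors, monitors) while visibility is a property of the bug's current project, so the check has to run at send time against the bug as it is now, not when the note was written. The same filter also covers the other case the commit message names, a permission change after the fact.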
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2012-09-11 14:37 | szwagier44 | New Issue | |
| 2012-09-12 04:54 | dregad | Note Added: 0032821 | |
| 2012-09-12 04:54 | dregad | Status | new => acknowledged |
| 2012-09-12 12:01 | dregad | Note Added: 0032822 | |
| 2012-09-12 12:01 | dregad | Assigned To | => dregad |
| 2012-09-12 12:01 | dregad | Status | acknowledged => assigned |
| 2012-09-12 12:01 | dregad | Category | email => security |
| 2012-09-12 12:01 | dregad | Target Version | => 1.2.12 |
| 2012-09-12 12:01 | dregad | Changeset attached | => MantisBT master-1.2.x 2cc83ca9 |
| 2012-09-12 12:01 | dregad | Status | assigned => resolved |
| 2012-09-12 12:01 | dregad | Resolution | open => fixed |
| 2012-09-12 12:01 | dregad | Fixed in Version | => 1.2.12 |
| 2012-09-12 12:02 | dregad | Changeset attached | => MantisBT master 2d815440 |
| 2012-09-18 05:50 | szwagier44 | Note Added: 0032855 | |
| 2012-09-18 06:01 | dregad | Note Added: 0032856 | |
| 2012-11-10 18:54 | dregad | Status | resolved => closed |
| 2013-03-04 11:22 | dregad | Note Added: 0035370 | |
| 2013-03-04 11:22 | dregad | Summary | Clone and Move issue with Copy bug notes - user get email notice from project without access => CVE-2012-5523 Clone and Move issue with Copy bug notes - user get email notice from project without access |
| 2013-04-05 17:56 | grangeway | Status | closed => acknowledged |
| 2013-04-05 17:56 | grangeway | Note Added: 0036082 | |
| 2013-04-05 19:42 | grangeway | Relationship added | related to 0015721 |
| 2013-04-06 03:40 | dregad | Status | acknowledged => closed |
| 2013-04-06 07:23 | grangeway | Status | closed => acknowledged |
| 2013-04-06 09:22 | dregad | Tag Attached: 2.0.x check | |
| 2013-04-06 09:23 | dregad | Status | acknowledged => closed |
MantisBT 1.2.16dev master-1.2.x-8c2bd07
Copyright © 2000 - 2013 MantisBT Team