2014-11-26 15:08 EST

ID: 0014704
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: szwagier44
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.9
Target Version: 1.2.12
Fixed in Version: 1.2.12
Summary: 0014704: CVE-2012-5523 Clone and Move issue with Copy bug notes - user gets email notice from project without access
Description: Clone and Move issue with Copy bug notes - user gets email notice from project without access

Mantis configuration:
I've got two projects:
- ProjectA
- ProjectB

I've got two users:
- UserA, who has access only to ProjectA
- Manager, who has access to ProjectA and ProjectB

Steps:
1. Some user reports an issue to ProjectA - IssueA
2. UserA adds a note to IssueA
3. Manager clones IssueA with the option "Copy bug notes" and gets a new issue - IssueB
4. Manager moves IssueB from ProjectA to ProjectB
5. Manager adds new notes to IssueB

Bug:
Now any action on IssueB, e.g. adding notes or changing status, causes an email notice to be sent to UserA from IssueB. UserA doesn't have access to IssueB but can read the whole history and any notes from the email body.

Tags: No tags attached.
Relationships:
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Notes:

~0032821 dregad (developer)

Good catch.

Until a fix for this can be developed, I can only suggest as a workaround to uncheck "E-mail on Note Added" for "Users who added Issue Notes" in the Manage E-mail notifications page.
~0032822 dregad (developer)

The email_collect_recipients API function should check that each recipient has access to the bug.
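To make the leak in the reporter's steps 1-5 and the fix proposed in the note above concrete, here is a small model of how a tracker builds the recipient list for an issue notification. This is an added example, not MantisBT's own code: the Bug class, the project membership table and the functions has_bug_access, clone_bug, move_bug, collect_recipients_unchecked and collect_recipients_checked are hypothetical stand-ins for email_collect_recipients() and MantisBT's access-checking API, and the user and project identifiers are constructed to match the report.

```python
"""Model of notification recipient collection before and after the fix.

Added example, not MantisBT code. All names below are hypothetical
stand-ins for MantisBT's email_collect_recipients() and access API.
"""
from dataclasses import dataclass, field


@dataclass
class Bug:
    id: int
    project_id: int
    reporter_id: int
    note_author_ids: list = field(default_factory=list)


# Constructed fixture matching the report: UserA is a member of ProjectA
# only, Manager is a member of both projects.
PROJECT_A, PROJECT_B = 1, 2
REPORTER, USER_A, MANAGER = 1, 2, 3
PROJECT_MEMBERS = {
    PROJECT_A: {REPORTER, USER_A, MANAGER},
    PROJECT_B: {MANAGER},
}


def has_bug_access(user_id: int, bug: Bug) -> bool:
    """Stand-in for the 'can this user view this bug' check. Assumption:
    access is decided purely by membership of the bug's current project."""
    return user_id in PROJECT_MEMBERS.get(bug.project_id, set())


def clone_bug(src: Bug, new_id: int, cloning_user: int, copy_notes: bool) -> Bug:
    """A clone stays in the source project and, with 'Copy bug notes',
    carries over the original note authors; the cloning user becomes reporter."""
    notes = list(src.note_author_ids) if copy_notes else []
    return Bug(new_id, src.project_id, cloning_user, notes)


def move_bug(bug: Bug, project_id: int) -> None:
    """Moving a bug changes its project but keeps its note history intact."""
    bug.project_id = project_id


def collect_recipients_unchecked(bug: Bug, notify_note_authors: bool = True) -> set:
    """Pre-fix behaviour: reporter plus everyone who ever added a note,
    with no check that those users can still see the bug. Passing
    notify_note_authors=False models the workaround from note ~0032821."""
    recipients = {bug.reporter_id}
    if notify_note_authors:
        recipients |= set(bug.note_author_ids)
    return recipients


def collect_recipients_checked(bug: Bug, notify_note_authors: bool = True) -> set:
    """Fixed behaviour: same candidates, but every one of them must pass
    the access check against the bug's *current* project."""
    candidates = collect_recipients_unchecked(bug, notify_note_authors)
    return {uid for uid in candidates if has_bug_access(uid, bug)}


def reproduce() -> Bug:
    """Steps 1-5 from the report; returns IssueB as it stands after step 5."""
    issue_a = Bug(1, PROJECT_A, REPORTER)           # 1. issue reported in ProjectA
    issue_a.note_author_ids.append(USER_A)           # 2. UserA adds a note
    issue_b = clone_bug(issue_a, 2, MANAGER, True)   # 3. Manager clones, copying notes
    move_bug(issue_b, PROJECT_B)                     # 4. Manager moves it to ProjectB
    issue_b.note_author_ids.append(MANAGER)          # 5. Manager adds a note
    return issue_b


if __name__ == "__main__":
    bug = reproduce()
    print("unchecked:", sorted(collect_recipients_unchecked(bug)))
    print("workaround:", sorted(collect_recipients_unchecked(bug, False)))
    print("checked:", sorted(collect_recipients_checked(bug)))
```

The unchecked collector still lists UserA for IssueB because the copied note records UserA as an author and nothing re-validates that against ProjectB; the workaround suppresses all note-author notifications, while the checked collector keeps them and drops only users who fail the access check for the bug's current project.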
~0032855 szwagier44 (reporter)

I've just checked your fix on version 1.2.9 and everything seems to be okay.
~0032856 dregad (developer)

Thanks for your feedback.
~0035370 dregad (developer)

CVE-2012-5523 assigned on oss-security mailing list on 2012-11-14
~0036082 grangeway (reporter)

Marking as 'acknowledged' not resolved/closed to track that the change gets ported to the master-2.0.x branch


Issue History:
Date Modified Username Field Change
2012-09-11 14:37 szwagier44 New Issue
2012-09-12 04:54 dregad Note Added: 0032821
2012-09-12 04:54 dregad Status new => acknowledged
2012-09-12 12:01 dregad Note Added: 0032822
2012-09-12 12:01 dregad Assigned To => dregad
2012-09-12 12:01 dregad Status acknowledged => assigned
2012-09-12 12:01 dregad Category email => security
2012-09-12 12:01 dregad Target Version => 1.2.12
2012-09-12 12:01 dregad Changeset attached => MantisBT master-1.2.x 2cc83ca9
2012-09-12 12:01 dregad Status assigned => resolved
2012-09-12 12:01 dregad Resolution open => fixed
2012-09-12 12:01 dregad Fixed in Version => 1.2.12
2012-09-12 12:02 dregad Changeset attached => MantisBT master 2d815440
2012-09-18 05:50 szwagier44 Note Added: 0032855
2012-09-18 06:01 dregad Note Added: 0032856
2012-11-10 18:54 dregad Status resolved => closed
2013-03-04 11:22 dregad Note Added: 0035370
2013-03-04 11:22 dregad Summary Clone and Move issue with Copy bug notes - user get email notice from project without access => CVE-2012-5523 Clone and Move issue with Copy bug notes - user get email notice from project without access
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036082
2013-04-05 19:42 grangeway Relationship added related to 0015721
2013-04-06 03:40 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check