View Issue Details

ID: 0014704
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: szwagier44
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.9
Target Version: 1.2.12
Fixed in Version: 1.2.12
Summary: 0014704: CVE-2012-5523 Clone and Move issue with Copy bug notes - user get email notice from project without access
Description

Clone and Move issue with Copy bug notes - user get email notice from project without access

Mantis configuration:
I've got two projects:

  • ProjectA
  • ProjectB

I've got two users:

  • UserA, who has access only to ProjectA
  • Manager, who has access to ProjectA and ProjectB

Steps:

  1. Some user reports an issue to ProjectA - IssueA
  2. UserA adds a note to IssueA
  3. Manager clones IssueA with the option "Copy bug notes" and gets a new issue - IssueB
  4. Manager moves IssueB from ProjectA to ProjectB
  5. Manager adds new notes to IssueB

Bug:
Now any action on IssueB, e.g. adding notes or changing status, causes an email notice to be sent to UserA from IssueB. UserA doesn't have access to IssueB but can read the whole history and any notes from the email body.

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

dregad (developer), 2012-09-12 04:54, note ~0032821

Good catch.

Until a fix for this can be developed, I can only suggest as a workaround to uncheck "E-mail on Note Added" for "Users who added Issue Notes" in Manage E-mail notifications page.

dregad (developer), 2012-09-12 12:01, note ~0032822

The email_collect_recipients api function should check that each recipient has access to the bug.
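The recipient-filtering logic this comment calls for, as an added example that is not MantisBT's own code: a self-contained PHP script modelling the scenario from the description (a bug cloned with its notes and then moved to a project the note author cannot see), with the unchecked recipient collection beside a variant that drops anyone lacking at least VIEWER access to the bug's project. Every name and data structure here (`user_has_bug_level`, `collect_recipients_unchecked`, `collect_recipients_checked`, the `$access` map, the `$issueB` array) is constructed for illustration; only the access-level constants mirror MantisBT's defaults.

```php
<?php
// Added example, not MantisBT code. Models the email_collect_recipients
// problem from this issue: note authors copied along with a cloned bug are
// still notified after the bug moves to a project they cannot view.

// Access-level constants matching MantisBT defaults (VIEWER=10, REPORTER=25,
// MANAGER=70); the exact numbers only matter for the >= comparison below.
const VIEWER   = 10;
const REPORTER = 25;
const MANAGER  = 70;

// Constructed data: per-user, per-project access levels.
// UserA can see ProjectA only; Manager can see both projects.
$access = [
    'UserA'   => ['ProjectA' => REPORTER],
    'Manager' => ['ProjectA' => MANAGER, 'ProjectB' => MANAGER],
];

// Hypothetical stand-in for an access check: does $user hold at least
// $level on the project the bug lives in? Unknown user/project => no access.
function user_has_bug_level(array $access, string $user, string $project, int $level): bool {
    return ($access[$user][$project] ?? 0) >= $level;
}

// Constructed IssueB: cloned from IssueA with "Copy bug notes", then moved to
// ProjectB. The copied note still carries UserA as its author.
$issueB = [
    'project'  => 'ProjectB',
    'reporter' => 'Manager',
    'notes'    => [
        ['author' => 'UserA',   'text' => 'note copied from IssueA'],
        ['author' => 'Manager', 'text' => 'internal follow-up in ProjectB'],
    ],
];

// Recipient collection as the report describes it: the reporter and everyone
// who added a note are notified, with no check on project access.
function collect_recipients_unchecked(array $bug): array {
    $recipients = [$bug['reporter'] => true];
    foreach ($bug['notes'] as $note) {
        $recipients[$note['author']] = true;   // de-duplicates by username
    }
    return array_keys($recipients);
}

// Fixed variant: the same candidate list, filtered so that only users with
// at least VIEWER access to the bug's current project remain.
function collect_recipients_checked(array $bug, array $access): array {
    $allowed = [];
    foreach (collect_recipients_unchecked($bug) as $user) {
        if (user_has_bug_level($access, $user, $bug['project'], VIEWER)) {
            $allowed[] = $user;
        }
    }
    return $allowed;
}

// Side-by-side run on the constructed IssueB.
echo "Unchecked recipients: " . implode(', ', collect_recipients_unchecked($issueB)) . "\n";
echo "Checked recipients:   " . implode(', ', collect_recipients_checked($issueB, $access)) . "\n";
```

With the constructed data, the unchecked list contains UserA even though UserA holds no access level on ProjectB, which is exactly the leak the report describes; the checked list keeps only Manager. Doing the filter at collection time rather than in the email template means every notification path (note added, status change, and so on) gets the same protection, and the check is against the bug's current project, so a later move or permission change is picked up automatically.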

szwagier44 (reporter), 2012-09-18 05:50, note ~0032855

I've just checked your fix on version 1.2.9 and everything seems to be okay.

dregad (developer), 2012-09-18 06:01, note ~0032856

Thanks for your feedback.

dregad (developer), 2013-03-04 11:22, note ~0035370

CVE-2012-5523 assigned on oss-security mailing list on 2012-11-14

grangeway (reporter), 2013-04-05 17:56, note ~0036082

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master-1.2.x 2cc83ca9 (dregad, 2012-09-12 08:48:17)
Don't send email notices for a bug to which users have no access

Prior to this, users without viewer access to a bug could potentially
receive email notifications for it. This could happen in case of
permissions changes, or if an issue is moved to another project with
different access rights.

Added an access level check to exclude users who don't have at least
VIEWER privilege to the bug.

Fixes 0014704
mod - core/email_api.php

MantisBT: master 2d815440 (dregad, 2012-09-12 08:48:17)
Don't send email notices for a bug to which users have no access

Prior to this, users without viewer access to a bug could potentially
receive email notifications for it. This could happen in case of
permissions changes, or if an issue is moved to another project with
different access rights.

Added an access level check to exclude users who don't have at least
VIEWER privilege to the bug.

Fixes 0014704
mod - core/email_api.php

Issue History

Date Modified Username Field Change
2012-09-11 14:37 szwagier44 New Issue
2012-09-12 04:54 dregad Note Added: 0032821
2012-09-12 04:54 dregad Status new => acknowledged
2012-09-12 12:01 dregad Note Added: 0032822
2012-09-12 12:01 dregad Assigned To => dregad
2012-09-12 12:01 dregad Status acknowledged => assigned
2012-09-12 12:01 dregad Category email => security
2012-09-12 12:01 dregad Target Version => 1.2.12
2012-09-12 12:01 dregad Changeset attached => MantisBT master-1.2.x 2cc83ca9
2012-09-12 12:01 dregad Status assigned => resolved
2012-09-12 12:01 dregad Resolution open => fixed
2012-09-12 12:01 dregad Fixed in Version => 1.2.12
2012-09-12 12:02 dregad Changeset attached => MantisBT master 2d815440
2012-09-18 05:50 szwagier44 Note Added: 0032855
2012-09-18 06:01 dregad Note Added: 0032856
2012-11-10 18:54 dregad Status resolved => closed
2013-03-04 11:22 dregad Note Added: 0035370
2013-03-04 11:22 dregad Summary Clone and Move issue with Copy bug notes - user get email notice from project without access => CVE-2012-5523 Clone and Move issue with Copy bug notes - user get email notice from project without access
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036082
2013-04-05 19:42 grangeway Relationship added related to 0015721
2013-04-06 03:40 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check