MantisBT

View Issue Details

ID: 0015258
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2012-12-05 04:00
Last Update: 2014-09-23 18:05
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.12
Target Version: 1.2.13
Fixed in Version: 1.2.13

Summary: 0015258: CVE-2013-1811 Reporter can change issue status to 'new'

Description:
In the view issue details page, a user with Reporter privilege has access to the "Change Status To" button and related selection list, allowing them to change the issue's status to NEW (see attached screenshot).

Steps To Reproduce:
- Log in as reporter
- View details for an issue > NEW and < RESOLVED
- User can change status to NEW

Tags: No tags attached.

Attached Files: reporter_change_status_new.png (21,903 bytes) 2012-12-05 04:00

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
has duplicate 0016737 (closed, dregad): Reporter is able to modify the status of any public issue to new issue
related to 0015260 (closed, dregad): access_get_status_threshold() returns incorrect value for NEW
related to 0015530 (closed, dregad): [Issue view] Many of the bug options have disappeared for updaters
related to 0016376 (closed, dregad): Not able to change status without having update issue rights
related to 0016625 (closed, dregad): Allow reporter to close does not seem to work

Notes

Note 0035363 by dhx (reporter), 2013-03-03 00:41:
This was assigned the CVE identifier CVE-2013-1811 on the oss-security mailing list on March 3rd, 2013.

Note 0036080 by grangeway (reporter), 2013-04-05 17:56:
Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master-1.2.x 179bfc01
Timestamp: 2012-12-06 08:33:32
Author: dregad

access_get_status_threshold() returns incorrect value for NEW

When the user's access level is below $g_update_bug_status_threshold and the status to change to is NEW, the function returned the incorrect access level, preventing the user from accessing the target status when updating bugs, even though the workflow permits it.

This commit fixes the problem by introducing special handling for NEW status ('bug_submit_status'), in which case the function returns 'report_bug_threshold'; otherwise it falls back to the default 'update_bug_status_threshold'.

Fixes 0015260, affects issue 0015258

mod - core/access_api.php
MantisBT: master 53844e36
Timestamp: 2012-12-06 08:33:32
Author: dregad

Same commit message as master-1.2.x 179bfc01 above (access_get_status_threshold() returns incorrect value for NEW).

Fixes 0015260, affects issue 0015258

mod - core/access_api.php
MantisBT: master-1.2.x c8813734
Timestamp: 2012-12-06 08:39:48
Author: dregad

Prevent reporters from changing issue status to 'new'

Due to a missing access level check in html_button_bug_update(), in some cases reporters had access to the 'Change Status To' button, which could let them change an existing issue's status to 'new' (even if not their own issue).

The code now checks that the user has at least 'update_bug_threshold' permissions to display the button.

Fixes 0015258

mod - core/html_api.php
MantisBT: master 53282ac6
Timestamp: 2012-12-06 08:39:48
Author: dregad

Same commit message as master-1.2.x c8813734 above (Prevent reporters from changing issue status to 'new').

Fixes 0015258

mod - core/html_api.php
MantisBT: master-1.2.x e074efde
Timestamp: 2013-09-14 04:38:06
Author: dregad

Use correct threshold for display of Change status list+button

Fix for issue 0015258 introduced a check for 'update_bug_threshold' to prevent unauthorized users from changing issue status.

This was not the correct config setting to use; the right one is 'update_bug_status_threshold'.

Fixes 0016376

mod - core/html_api.php
MantisBT: master d5da1d24
Timestamp: 2013-09-14 04:38:06
Author: dregad

Same commit message as master-1.2.x e074efde above (Use correct threshold for display of Change status list+button).

Fixes 0016376

mod - core/html_api.php
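The following is an added illustrative model of the threshold logic these changesets describe; it is not MantisBT's own code. It assumes MantisBT's default numeric access levels and status codes and the shipped defaults for 'report_bug_threshold', 'update_bug_status_threshold' and 'bug_submit_status'; the pre-fix behaviour is simplified to the case the changesets describe, and the final function goes beyond them by applying the same gate where the status change itself is processed.

```php
<?php
// Added illustrative model of the threshold logic in the changesets above;
// not MantisBT's own code. Constants use MantisBT's default access-level
// and status values; the three thresholds are the shipped defaults (assumed).
const REPORTER  = 25;
const DEVELOPER = 50;
const STATUS_NEW = 10;
$config = [
    'report_bug_threshold'        => REPORTER,
    'update_bug_status_threshold' => DEVELOPER,
    'bug_submit_status'           => STATUS_NEW,
];

// access_get_status_threshold() after 179bfc01: the submit status (NEW)
// only needs report_bug_threshold; other statuses need the general one.
function status_threshold(int $status, array $config): int
{
    return $status === $config['bug_submit_status']
        ? $config['report_bug_threshold']
        : $config['update_bug_status_threshold'];
}

// Simplified pre-fix behaviour: the button appeared whenever some target
// status was reachable, and NEW is reachable by any reporter.
function button_shown_before(int $level, array $config): bool
{
    return $level >= status_threshold(STATUS_NEW, $config);
}

// After e074efde: the button needs at least update_bug_status_threshold.
function button_shown_after(int $level, array $config): bool
{
    return $level >= $config['update_bug_status_threshold'];
}

// Apply the same gate where the status change is processed, so the
// control does not rely on the button being hidden.
function may_change_status(int $level, int $target, array $config): bool
{
    return button_shown_after($level, $config)
        && $level >= status_threshold($target, $config);
}

foreach (['reporter' => REPORTER, 'developer' => DEVELOPER] as $name => $level) {
    printf("%-9s button before=%s after=%s; change to NEW=%s\n", $name,
        var_export(button_shown_before($level, $config), true),
        var_export(button_shown_after($level, $config), true),
        var_export(may_change_status($level, STATUS_NEW, $config), true));
}
```

With the default thresholds the reporter row shows the button visible before the fix and hidden after it, and the status change denied; the developer row passes all three checks.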

Issue History
Date Modified Username Field Change
2012-12-05 04:00 dregad New Issue
2012-12-05 04:00 dregad File Added: reporter_change_status_new.png
2012-12-05 09:06 dregad Status new => confirmed
2012-12-05 12:43 dregad Assigned To => dregad
2012-12-05 12:43 dregad Status confirmed => assigned
2012-12-05 12:49 dregad Relationship added related to 0015260
2012-12-06 03:48 dregad Changeset attached => MantisBT master-1.2.x 179bfc01
2012-12-06 03:48 dregad Changeset attached => MantisBT master-1.2.x c8813734
2012-12-06 03:48 dregad Status assigned => resolved
2012-12-06 03:48 dregad Resolution open => fixed
2012-12-06 03:48 dregad Fixed in Version => 1.2.13
2012-12-06 03:48 dregad Changeset attached => MantisBT master 53844e36
2012-12-06 03:48 dregad Changeset attached => MantisBT master 53282ac6
2013-01-22 09:47 dregad Status resolved => closed
2013-03-03 00:41 dhx Note Added: 0035363
2013-03-04 11:34 dregad Summary Reporter can change issue status to 'new' => CVE-2013-1811 Reporter can change issue status to 'new'
2013-03-04 11:42 dregad Relationship added related to 0015530
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036080
2013-04-05 19:42 grangeway Relationship added related to 0015721
2013-04-06 03:39 dregad Status acknowledged => resolved
2013-04-06 07:21 grangeway Status resolved => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2013-09-13 15:04 atrol Relationship added related to 0016376
2013-09-14 04:42 dregad Changeset attached => MantisBT master-1.2.x e074efde
2013-09-14 04:42 dregad Changeset attached => MantisBT master d5da1d24
2013-11-19 04:21 dregad Relationship added related to 0016625
2013-12-20 11:08 dregad Relationship added has duplicate 0016737
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team