MantisBT

View Issue Details
ID: 0015453
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2013-01-31 16:28
Last Update: 2013-04-12 09:56
Reporter: TomR
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform: (not set)
OS: (not set)
OS Version: (not set)
Product Version: 1.2.12
Target Version: 1.2.15
Fixed in Version: 1.2.15
Summary: 0015453: CVE-2013-1930: Close button is shown on webpage despite 'close' is not a valid status by workflow

Description: It seems that the 'Close' button does not respect the workflow status.

In my opinion the 'Close' button should only be visible (or active) when 'close' is a valid status (by workflow).

Tags: 2.0.x check

Attached Files: config_inc.php (76,022 bytes) 2013-02-05 16:27

- Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

- Notes

(0035004) dregad (developer) 2013-02-01 03:18

Could you post your current config to facilitate issue reproduction?
(0035043) TomR (reporter) 2013-02-05 16:26

Posted my config_inc.php

However, workflow is done on a per-project basis (and this installation has about 150 projects).

But be sure that even when status 'closed' is not a valid status (by workflow for the project), the close button is shown.
(0035044) TomR (reporter) 2013-02-05 16:31

If needed I can supply you with an account on the development environment.
(0035046) dregad (developer) 2013-02-06 02:44

Hi Tom,

> However, workflow is done on a per-project basis (and this installation has about 150 projects).

In that case, a screenshot of your workflow settings (or the definition of the corresponding records in mantis_config_table) for a sample project would be useful.
(0035048) dregad (developer) 2013-02-06 03:27

Never mind my request for sample config - I had a look and see what you mean now. I think we're just missing a call to bug_check_workflow.
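The missing check identified in the note above, worked through as an added example. This is not MantisBT's or dregad's code: it is a Python model that keeps only the string format of MantisBT's $g_status_enum_workflow setting and the default status codes; the sample workflow, the function names, the assumed semantics of the transition check (no workflow configured means unrestricted, staying in the same status is always permitted) and the request handler are constructed for illustration. It contrasts the pre-fix rendering decision (access level only) with the post-fix one (access level and workflow), and adds the equivalent check on the server-side status update, because hiding a button does not stop a user from posting the status value directly.

```python
"""Workflow-transition check behind this fix, as a self-contained model.

Added example, not MantisBT's own code. It keeps the string format of
MantisBT's $g_status_enum_workflow setting (status code -> comma-separated
'code:name' targets) and the default status codes; the function names,
the sample workflow and the request handler are assumptions made for
illustration.
"""

# Default MantisBT status codes (status_enum_string).
NEW, FEEDBACK, ACKNOWLEDGED, CONFIRMED, ASSIGNED, RESOLVED, CLOSED = (
    10, 20, 30, 40, 50, 80, 90)

# Constructed per-project workflow in $g_status_enum_workflow format.
# Deliberately strict: 'closed' is reachable only from 'resolved'.
SAMPLE_WORKFLOW = {
    NEW: "20:feedback,30:acknowledged,40:confirmed,50:assigned,80:resolved",
    FEEDBACK: "10:new,30:acknowledged,40:confirmed,50:assigned,80:resolved",
    ACKNOWLEDGED: "20:feedback,40:confirmed,50:assigned,80:resolved",
    CONFIRMED: "20:feedback,50:assigned,80:resolved",
    ASSIGNED: "20:feedback,80:resolved",
    RESOLVED: "20:feedback,50:assigned,90:closed",
    CLOSED: "20:feedback",
}


def parse_workflow(workflow):
    """Expand 'code:name,code:name' strings into {status: {target codes}}."""
    allowed = {}
    for status, targets in workflow.items():
        codes = set()
        for entry in targets.split(","):
            entry = entry.strip()
            if entry:
                code, _name = entry.split(":", 1)
                codes.add(int(code))
        allowed[status] = codes
    return allowed


def workflow_allows(workflow, current, wanted):
    """Is current -> wanted a permitted transition?

    Assumed semantics of the model (not taken from the project): an
    empty workflow means no restriction, and a no-op transition to the
    same status is always allowed.
    """
    if not workflow:
        return True
    if current == wanted:
        return True
    return wanted in parse_workflow(workflow).get(current, set())


def close_button_visible_before_fix(can_close):
    """Pre-fix rendering decision: access level alone gates the button."""
    return bool(can_close)


def close_button_visible_after_fix(workflow, bug_status, can_close):
    """Post-fix rendering decision: access level AND workflow transition."""
    return bool(can_close) and workflow_allows(workflow, bug_status, CLOSED)


def handle_status_change(workflow, bug_status, wanted, can_change):
    """Server-side handler for a status change request (hypothetical).

    Hiding a button is presentation only: a user can still POST the
    status value directly, so the same two checks run here as well.
    Returns (resulting_status, error) so a caller can report the outcome.
    """
    if not can_change:
        return bug_status, "access denied"
    if not workflow_allows(workflow, bug_status, wanted):
        return bug_status, "transition %d -> %d not allowed by workflow" % (
            bug_status, wanted)
    return wanted, None


if __name__ == "__main__":
    for status in (NEW, RESOLVED):
        print(status, close_button_visible_before_fix(True),
              close_button_visible_after_fix(SAMPLE_WORKFLOW, status, True))
    print(handle_status_change(SAMPLE_WORKFLOW, NEW, CLOSED, True))
```

Running the file prints the visibility decision for a bug in 'new' and in 'resolved' status, and the result of a direct close request on a 'new' bug, which the handler refuses. Whether MantisBT's own status-change path performs the equivalent check is not established by this page; the example only shows why a display-side fix on its own would be incomplete.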
(0035049) TomR (reporter) 2013-02-06 04:09

Thanks dregad, for now I will update my installation with your patch.
(0035050) dregad (developer) 2013-02-06 04:38

Let me know if that works as expected (or not)
(0035051) TomR (reporter) 2013-02-06 05:34

Dregad, works as expected. (Patch seems logical to me; I should have been able to tackle this one myself :-)

Thanks for your speedy reply.
(0036100) grangeway (developer) 2013-04-05 17:56

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch
(0036537) dregad (developer) 2013-04-08 05:43

CVE assigned on 06-Apr-2013 [1]

[1] http://article.gmane.org/gmane.comp.security.oss.general/9878

- Related Changesets
MantisBT: master 562db4f4
Timestamp: 2013-02-06 08:37:22
Author: dregad
Fix 0015453: Only display Close button if workflow allows Closed status
mod - core/html_api.php

MantisBT: master-1.2.x d85e69fe
Timestamp: 2013-02-06 08:37:22
Author: dregad
Fix 0015453: Only display Close button if workflow allows Closed status
mod - core/html_api.php

- Issue History
Date Modified Username Field Change
2013-01-31 16:28 TomR New Issue
2013-02-01 03:18 dregad Note Added: 0035004
2013-02-01 03:18 dregad Status new => feedback
2013-02-05 16:26 TomR Note Added: 0035043
2013-02-05 16:26 TomR Status feedback => new
2013-02-05 16:27 TomR File Added: config_inc.php
2013-02-05 16:31 TomR Note Added: 0035044
2013-02-06 02:44 dregad Note Added: 0035046
2013-02-06 02:44 dregad Assigned To => dregad
2013-02-06 02:44 dregad Status new => feedback
2013-02-06 03:27 dregad Note Added: 0035048
2013-02-06 03:27 dregad Status feedback => confirmed
2013-02-06 03:41 dregad Changeset attached => MantisBT master 562db4f4
2013-02-06 03:41 dregad Status confirmed => resolved
2013-02-06 03:41 dregad Resolution open => fixed
2013-02-06 03:41 dregad Fixed in Version => 1.3.x
2013-02-06 03:41 dregad Changeset attached => MantisBT master-1.2.x d85e69fe
2013-02-06 03:46 dregad Fixed in Version 1.3.x => 1.2.15
2013-02-06 03:46 dregad Target Version => 1.2.15
2013-02-06 04:09 TomR Note Added: 0035049
2013-02-06 04:38 dregad Note Added: 0035050
2013-02-06 05:34 TomR Note Added: 0035051
2013-04-05 17:56 grangeway Status resolved => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036100
2013-04-05 19:34 grangeway Relationship added related to 0015721
2013-04-06 03:37 dregad Status acknowledged => resolved
2013-04-06 03:37 dregad Fixed in Version 1.2.15 =>
2013-04-06 03:38 dregad Fixed in Version => 1.2.15
2013-04-06 07:21 grangeway Status resolved => acknowledged
2013-04-06 09:26 dregad Tag Attached: 2.0.x check
2013-04-06 09:26 dregad Status acknowledged => resolved
2013-04-08 05:43 dregad Note Added: 0036537
2013-04-08 05:43 dregad Summary Close button is shown on webpage despite 'close' is not a valid status by workflow => CVE-2013-1930: Close button is shown on webpage despite 'close' is not a valid status by workflow
2013-04-12 09:56 dregad Status resolved => closed


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team