View Issue Details

IDProjectCategoryView StatusLast Update
0019873mantisbtsecuritypublic2016-08-15 09:02
ReporterwkarlAssigned Todregad 
PriorityhighSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version1.2.19 
Target Version1.2.20Fixed in Version1.2.20 
Summary0019873: CVE-2015-5059: documentation in private projects can be seen by every user
Description

While you can't see them on the proj_doc_page if you don't have access, the project documentation links follow a simple scheme:

https://<server>/file_download.php?file_id=1&type=doc

By trying different file_id numbers you can download every project documentation, even in projects that you don't have access to.

Steps To Reproduce

Upload project documentation files in one project and try to use their url with a different user without access.

TagsNo tags attached.

Relationships

has duplicate 0020109 closeddregad CVE-2015-5059: documentation in private projects can be seen by every user 

Activities

dregad

dregad

2015-06-23 06:11

developer   ~0050963

Hello

I am not able to reproduce the behavior you describe on 1.2.19 (or 1.3.x).

When trying to open a file using the download URL without being logged in (anonymous user), or with a user having access level < $g_view_proj_doc_threshold, I'm getting the expected "Access Denied" error.

It's also worth mentioning that this feature is deprecated.

wkarl

wkarl

2015-06-23 08:56

reporter   ~0050964

Well Ok, my wording "every user" is wrong. But "every user with access level < $g_view_proj_doc_threshold" can download other projects' documentation.

We have hundreds of different projects, all of them are private. $g_view_proj_doc_threshold is on its default, ANYBODY. And we would like to have anybody view the own project's documentation - but not other's project's documentation.

It seems so easy to achieve. The mantis_project_file_table has the field project_id, a simple query if the user has access to this project seems to do the job...

dregad

dregad

2015-06-23 11:02

developer   ~0050965

I see what you mean now, and indeed I can reproduce the problem.

That being said, ANYBODY means, well... anybody. If you want to restrict access to users who are members of the project, I believe setting

$g_view_proj_doc_threshold = VIEWER;

should do the trick. Let me know how it goes.

I guess you might argue that the system behavior with the default ANYBODY setting is counterintuitive... maybe we should change that to VIEWER.

wkarl

wkarl

2015-06-24 02:12

reporter   ~0050967

ANYBODY is pretty OK for me. We want viewers to be able to view the project documentation. But restricted to their own projects. Not anybody's projects.

Once again, our projects are all private and nobody should be able to download documentation of projects that they don't have access to on any other page.

You seem to aim at that too because the proj_doc_page.php shows only documentation of projects that you have access to. But you can GUESS the other projects' documentation links very easy if you know one link for your own project.

Would you like me to provide a patch?

dregad

dregad

2015-06-24 02:53

developer   ~0050968

Thanks for proposing to provide a patch, but this is not needed at this time.

Could you please provide feedback on whether the system behaves as per your expectations when $g_view_proj_doc_threshold = VIEWER ?

wkarl

wkarl

2015-06-24 02:55

reporter   ~0050969

Oooooh,

access_compare_level returns TRUE because FALSE >= ANYBODY ...

wkarl

wkarl

2015-06-24 03:02

reporter   ~0050971

Almost simultaneous feedback. Be right back.

wkarl

wkarl

2015-06-24 03:45

reporter   ~0050972

dregad, with $g_view_proj_doc_threshold = VIEWER everything works as we expect.

Please communicate internally that the config_defaults_inc.php value for $g_view_proj_doc_threshold poses a security hole. Maybe you should evaluate other places where ANYBODY is used.

Thank you for your assistance. Please close issue.

dregad

dregad

2015-06-24 04:41

developer   ~0050973

Thanks for the feedback.

I'll patch the default value in config_defaults_inc.php and request a CVE ID to track the information disclosure issue.

dregad

dregad

2015-06-24 19:06

developer   ~0050978

CVE request: http://article.gmane.org/gmane.comp.security.oss.general/17143

dregad

dregad

2015-06-25 03:11

developer   ~0050979

CVE assignment: http://article.gmane.org/gmane.comp.security.oss.general/17146

Related Changesets

MantisBT: master-1.2.x f39cf525

2015-06-24 08:52:36

dregad

Details Diff
Change default threshold to view project doc to VIEWER

Previously it was ANYBODY, which would let any user download files from
any project including private ones, even when they are not part of the
team.

Backport from a4be76d6e5c4939545d84712c79d3f8f4a108c4f

Fixes 0019873
mod - config_defaults_inc.php Diff File

MantisBT: master a4be76d6

2015-06-24 08:52:36

dregad

Details Diff
Change default threshold to view project doc to VIEWER

Previously it was ANYBODY, which would let any user download files from
any project including private ones, even when they are not part of the
team.

Fixes 0019873
mod - config_defaults_inc.php Diff File

Issue History

Date Modified Username Field Change
2015-06-23 02:09 wkarl New Issue
2015-06-23 06:11 dregad Assigned To => dregad
2015-06-23 06:11 dregad Status new => resolved
2015-06-23 06:11 dregad Resolution open => unable to reproduce
2015-06-23 06:11 dregad Note Added: 0050963
2015-06-23 08:56 wkarl Note Added: 0050964
2015-06-23 11:02 dregad Status resolved => feedback
2015-06-23 11:02 dregad Resolution unable to reproduce => reopened
2015-06-23 11:02 dregad Summary project documentation can be seen by every user => documentation in private projects can be seen by every user
2015-06-23 11:02 dregad Note Added: 0050965
2015-06-24 02:12 wkarl Note Added: 0050967
2015-06-24 02:12 wkarl Status feedback => assigned
2015-06-24 02:53 dregad Status assigned => feedback
2015-06-24 02:53 dregad Note Added: 0050968
2015-06-24 02:55 wkarl Note Added: 0050969
2015-06-24 02:55 wkarl Status feedback => assigned
2015-06-24 03:02 wkarl Note Added: 0050971
2015-06-24 03:45 wkarl Note Added: 0050972
2015-06-24 04:41 dregad Note Added: 0050973
2015-06-24 18:58 dregad Changeset attached => MantisBT master-1.2.x f39cf525
2015-06-24 18:58 dregad Status assigned => resolved
2015-06-24 18:58 dregad Fixed in Version => 1.2.20
2015-06-24 18:59 dregad Changeset attached => MantisBT master a4be76d6
2015-06-24 19:02 dregad Priority normal => high
2015-06-24 19:02 dregad Target Version => 1.2.20
2015-06-24 19:06 dregad Note Added: 0050978
2015-06-25 02:31 atrol Resolution reopened => fixed
2015-06-25 03:11 dregad Summary documentation in private projects can be seen by every user => CVE-2015-5059: documentation in private projects can be seen by every user
2015-06-25 03:11 dregad Note Added: 0050979
2015-09-14 03:26 dregad Issue cloned: 0020109
2015-09-14 03:26 dregad Relationship added has duplicate 0020109
2016-08-15 09:02 dregad Status resolved => closed