View Issue Details

ID: 0007364
Project: mantisbt
Category: security
View Status: public
Last Update: 2006-12-08 02:39
Reporter: chschulz
Assigned To: thraxisp
Priority: normal
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.2
Fixed in Version: 1.1.0a2
Summary: 0007364: Custom field visible in history independent of user role
Description

We found a - for us - big security problem. We defined some custom fields for a project. One of these custom fields is:

Name: test
Type: Float
Read access: Manager
Write access: Manager

This field is NOT visible to users with roles below Manager in the normal detail view. But the big problem is that the field (including the change) is visible in the history of an issue to everyone, independent of the user's role.

This is a big security problem, because we configured it so that it is only visible to Managers. But when a "viewer", for example, looks at the history, the viewer can see that the value of field x was changed to ABC.

Tags: No tags attached.

Relationships

related to 0007743 (closed, vboctor): Port: CVE-2006-6574

Activities

chschulz (reporter), 2006-08-17 04:49, note ~0013280

As additional information: We did not check it, but we're sure that the same problem also occurs for the e-mail notification, as this contains the history.

In the e-mail notification, as in the history, only those fields should be available which the user who receives the notification is able to read.

chschulz (reporter), 2006-08-17 09:15, note ~0013287

The first issue, visibility of custom fields in the history, could be fixed by adding the following in history_inc.php:

After the line:
foreach ( $t_history as $t_item ) {

add:

    $t_custom_field_id = custom_field_get_id_from_name( $t_item['note'] );
    # For a custom field change the history note holds the field name; any other
    # entry (status, notes, ...) is not a custom field and must stay visible.
    if ( !$t_custom_field_id || custom_field_has_read_access( $t_custom_field_id, $f_bug_id ) ) {

and before the end of the loop, add:

    }

I do not know if this is the best way to fix it, but it works :-)

chschulz (reporter), 2006-08-18 11:44, note ~0013297

I think this solution isn't really good, because there's still the problem that the custom fields will be shown in the e-mail notification.

And also, from my perspective, it may be a performance issue, because fields/information are read from the database that are not really needed...
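To make the point of the last two comments concrete, that the read-access check has to sit in front of every place the history is rendered, the notification mail included, here is an added example. It is not MantisBT's code; the access-level constants, the custom field table and the history rows are constructed for the illustration.

```php
<?php
# Added example, not MantisBT code. Access levels in MantisBT are integer
# thresholds; these constant values are constructed for the illustration.
const VIEWER  = 10;
const MANAGER = 70;

# Custom field definitions keyed by field name, carrying the read-access
# threshold (the "Read access: Manager" setting from the report).
$t_custom_fields = array(
    'test' => array( 'type' => 'Float', 'read_access' => MANAGER ),
);

# Constructed history rows in the shape history_inc.php iterates over:
# for a custom field change the 'note' column holds the field name.
$t_history = array(
    array( 'date' => '2006-08-17 04:40', 'note' => 'Status', 'change' => 'new => assigned' ),
    array( 'date' => '2006-08-17 04:41', 'note' => 'test',   'change' => '1.5 => 2.5' ),
    array( 'date' => '2006-08-17 04:42', 'note' => 'Note Added: 0013280', 'change' => '' ),
);

# One authorization filter for every output path (HTML history block and
# e-mail notification), so a restricted field cannot leak through either.
function history_visible_to( array $p_history, array $p_custom_fields, $p_user_level ) {
    $t_visible = array();
    foreach ( $p_history as $t_item ) {
        if ( isset( $p_custom_fields[ $t_item['note'] ] )
            && $p_user_level < $p_custom_fields[ $t_item['note'] ]['read_access'] ) {
            continue;  # custom field above the user's level: drop the whole row
        }
        $t_visible[] = $t_item;
    }
    return $t_visible;
}

# The e-mail body is built from the recipient's filtered view, never from the
# unfiltered history, which is where the reported leak came from.
function history_email_body( array $p_history, array $p_custom_fields, $p_recipient_level ) {
    $t_lines = array();
    foreach ( history_visible_to( $p_history, $p_custom_fields, $p_recipient_level ) as $t_item ) {
        $t_lines[] = trim( $t_item['date'] . ' ' . $t_item['note'] . ' ' . $t_item['change'] );
    }
    return implode( "\n", $t_lines );
}

# A viewer gets the status change and the note only; a manager gets all three rows.
echo history_email_body( $t_history, $t_custom_fields, VIEWER ), "\n---\n";
echo history_email_body( $t_history, $t_custom_fields, MANAGER ), "\n";
```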

thraxisp (reporter), 2006-09-24 19:29, note ~0013483

fixed in CVS
core/history_api.php -> 1.35