| View Issue Details |
| ID | Project | Category | View Status | Date Submitted | Last Update | |
| 0009321 | mantisbt | security | public | 2008-07-01 00:03 | 2008-10-23 09:59 | |
| Reporter | vboctor | |||||
| Assigned To | vboctor | |||||
| Priority | normal | Severity | minor | Reproducibility | have not tried | |
| Status | closed | Resolution | fixed | |||
| Platform | OS | OS Version | ||||
| Product Version | 1.1.2 | |||||
| Target Version | 1.1.3 | Fixed in Version | 1.1.3 | |||
| Summary | 0009321: Users can get title and status of issues that they don't have access to. | |||||
| Description | If the user references an issue via (# issue number), the issue is converted to a hyperlink if the issue exists. However, no verification is done to make sure that the issue is accessible by the current user. | |||||
| Tags | No tags attached. | |||||
| Attached Files | ||||||
Relationships |
Notes |
vboctor (administrator) 2008-07-01 00:14 |
Fixed via svn:5384 http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5384&view=rev |
|
jreese (administrator) 2008-07-01 10:45 |
I had recently tested a similar fix for the problem. However, my solution was to change string_get_bug_view_link() to only post the bug's summary if the user had access, but to still hyperlink it otherwise, in order to allow anonymous/unlogged users to click the buglink, and then log in to see the bug. It would also still allow the user to see the bug's status, regardless of access level, although that could easily be changed. I think this could be a better solution to the problem than to not hyperlink the bug at all. |
|
giallu (developer) 2008-10-23 09:59 |
This is now CVE-2008-4688 |
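
The flaw described in this issue and the two remedies discussed in the notes (no link at all, or a link without the summary), as an added PHP example that is not MantisBT's code. The issue store, `can_view_issue()`, `linkify_issue_refs()`, the roles, the `title` attribute rendering and the `view.php?id=` URL are assumptions for illustration.

```php
<?php
// Constructed sample data: issue id => summary, status, private flag.
$issues = [
    101 => ['summary' => 'Typo on login page', 'status' => 'resolved', 'private' => false],
    102 => ['summary' => 'Export fails for customer ACME', 'status' => 'assigned', 'private' => true],
];

// Hypothetical access rule: private issues are visible to logged-in developers only.
function can_view_issue(array $issue, ?array $user): bool {
    return !$issue['private'] || ($user !== null && $user['role'] === 'developer');
}

// Turn "#N" references into links. $mode selects the behaviour:
//   'unchecked' - reported behaviour: status and summary shown for any existing issue
//   'no_link'   - "#N" stays plain text when the viewer lacks access, so an
//                 inaccessible issue looks the same as a nonexistent one
//   'bare_link' - still link (the viewer can log in), but omit status and summary
function linkify_issue_refs(string $text, array $issues, ?array $user, string $mode): string {
    $escaped = htmlspecialchars($text, ENT_QUOTES);
    // The lookbehind skips the "#039" inside "&#039;" entities produced by escaping.
    return preg_replace_callback('/(?<!&)#(\d+)\b/', function (array $m) use ($issues, $user, $mode) {
        $id = (int) $m[1];
        if (!isset($issues[$id])) {
            return $m[0]; // unknown id: leave the text alone
        }
        $issue = $issues[$id];
        $href = 'view.php?id=' . $id;
        if ($mode === 'unchecked' || can_view_issue($issue, $user)) {
            $title = htmlspecialchars("[{$issue['status']}] {$issue['summary']}", ENT_QUOTES);
            return "<a href=\"$href\" title=\"$title\">#$id</a>";
        }
        return $mode === 'bare_link' ? "<a href=\"$href\">#$id</a>" : $m[0];
    }, $escaped);
}

// Anonymous viewer (null user) reading a note that references a private issue.
$note = "Duplicate of #102, see also #101 and #999.";
foreach (['unchecked', 'no_link', 'bare_link'] as $mode) {
    echo $mode, ': ', linkify_issue_refs($note, $issues, null, $mode), PHP_EOL;
}
```

For the anonymous viewer only the `unchecked` mode writes the private issue's status and summary into the page; `bare_link` hides both but still shows that issue 102 exists.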
Issue History |
| Date Modified | Username | Field | Change |
| 2008-07-01 00:03 | vboctor | New Issue | |
| 2008-07-01 00:03 | vboctor | Status | new => assigned |
| 2008-07-01 00:03 | vboctor | Assigned To | => vboctor |
| 2008-07-01 00:04 | vboctor | Issue cloned | 0009322 |
| 2008-07-01 00:04 | vboctor | Relationship added | parent of 0009322 |
| 2008-07-01 00:14 | vboctor | Note Added: 0018251 | |
| 2008-07-01 00:14 | vboctor | Status | @0@ => resolved |
| 2008-07-01 00:14 | vboctor | Fixed in Version | => 1.1.3 |
| 2008-07-01 00:14 | vboctor | Resolution | @0@ => fixed |
| 2008-07-01 10:45 | jreese | Note Added: 0018260 | |
| 2008-07-01 10:47 | jreese | Relationship added | related to 0009252 |
| 2008-10-09 15:43 | giallu | View Status | private => public |
| 2008-10-18 18:32 | giallu | Status | resolved => closed |
| 2008-10-23 09:59 | giallu | Note Added: 0019654 | |
| 2008-11-17 10:29 | giallu | Relationship added | has duplicate 0009824 |