View Issue Details

IDProjectCategoryView StatusLast Update
0009321mantisbtsecuritypublic2008-10-23 09:59
ReportervboctorAssigned Tovboctor 
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionfixed 
Product Version1.1.2 
Target Version1.1.3Fixed in Version1.1.3 
Summary0009321: Users can get title and status of issues that they don't have access to.
Description

If the user reference an issue via (# issue number), the issue is converted the hyperlink if the issue exists. However, no verification is done to make sure that the issue is accessible by the current user.

TagsNo tags attached.

Relationships

parent of 0009322 closedvboctor Port of 0009321: Users can get title and status of issues that they don't have access to. 
has duplicate 0009824 closedgiallu unauthorized access to issue details 
related to 0009252 closedgrangeway Numeric link to issues tells title and status even if logged in user is not authorized 

Activities

vboctor

vboctor

2008-07-01 00:14

manager   ~0018251

Fixed via svn:5384
http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5384&view=rev

jreese

jreese

2008-07-01 10:45

reporter   ~0018260

I had recently tested a similar fix for the problem. However, my solution was to change string_get_bug_view_link() to only post the bug's summary if the user had access, but to still hyperlink it otherwise, in order to allow anonymous/unlogged users to click the buglink, and then log in to see the bug. It would also still allow the user to see the the bug's status, regardless of access level, although that could easily be changed.

I think this could be a better solution to the problem than to not hyperlink the bug at all.

giallu

giallu

2008-10-23 09:59

reporter   ~0019654

This is now CVE-2008-4688

Issue History

Date Modified Username Field Change
2008-07-01 00:03 vboctor New Issue
2008-07-01 00:03 vboctor Status new => assigned
2008-07-01 00:03 vboctor Assigned To => vboctor
2008-07-01 00:04 vboctor Issue cloned: 0009322
2008-07-01 00:04 vboctor Relationship added parent of 0009322
2008-07-01 00:14 vboctor Note Added: 0018251
2008-07-01 00:14 vboctor Status @0@ => resolved
2008-07-01 00:14 vboctor Fixed in Version => 1.1.3
2008-07-01 00:14 vboctor Resolution @0@ => fixed
2008-07-01 10:45 jreese Note Added: 0018260
2008-07-01 10:47 jreese Relationship added related to 0009252
2008-10-09 15:43 giallu View Status private => public
2008-10-18 18:32 giallu Status resolved => closed
2008-10-23 09:59 giallu Note Added: 0019654
2008-11-17 10:29 giallu Relationship added has duplicate 0009824