View Issue Details

ID: 0009321
Project: mantisbt
Category: security
View Status: public
Last Update: 2008-10-23 09:59
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.1.2
Target Version: 1.1.3
Fixed in Version: 1.1.3
Summary: 0009321: Users can get title and status of issues that they don't have access to.
Description

If the user references an issue via (# issue number), the issue is converted to a hyperlink if the issue exists. However, no verification is done to make sure that the issue is accessible by the current user.

Tags: No tags attached.

Relationships

parent of 0009322 (closed, vboctor): Port of 0009321: Users can get title and status of issues that they don't have access to.
has duplicate 0009824 (closed, giallu): unauthorized access to issue details
related to 0009252 (closed, grangeway): Numeric link to issues tells title and status even if logged in user is not authorized

Activities

vboctor (manager), 2008-07-01 00:14, ~0018251

Fixed via svn:5384
http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5384&view=rev

jreese (reporter), 2008-07-01 10:45, ~0018260

I had recently tested a similar fix for the problem. However, my solution was to change string_get_bug_view_link() to only post the bug's summary if the user had access, but to still hyperlink it otherwise, in order to allow anonymous/unlogged users to click the buglink, and then log in to see the bug. It would also still allow the user to see the bug's status, regardless of access level, although that could easily be changed.

I think this could be a better solution to the problem than to not hyperlink the bug at all.
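The approach jreese describes, as an added illustration (not MantisBT code or a patch from the project): summary and status attach to the link only after an access check, while the hyperlink itself is kept so an unauthenticated user can follow it and log in. ISSUES, user_can_view() and the role names are constructed stand-ins for the tracker's bug table and access API.

```php
<?php
// Added illustration (not MantisBT code) of the "#<id>" link rendering described
// in this report. ISSUES and user_can_view() are constructed stand-ins for the
// tracker's bug table and access API; only the shape of the check matters.
const ISSUES = [
    1001 => ['summary' => 'Login page crashes on empty password', 'status' => 'new', 'private' => false],
    1002 => ['summary' => 'Customer X billing data exposed', 'status' => 'resolved', 'private' => true],
];

// Stand-in access check: private issues are visible only to the 'developer' role.
function user_can_view(int $issue_id, string $role): bool {
    return array_key_exists($issue_id, ISSUES)
        && (!ISSUES[$issue_id]['private'] || $role === 'developer');
}

// Reported behaviour: every existing issue becomes a link that carries its summary
// and status, with no check that the current viewer may see the issue.
function link_issue_leaky(int $issue_id): string {
    if (!array_key_exists($issue_id, ISSUES)) {
        return '#' . $issue_id;
    }
    $i = ISSUES[$issue_id];
    return sprintf('<a href="view.php?id=%d" title="%s">%d</a> [%s]',
        $issue_id, htmlspecialchars($i['summary']), $issue_id, $i['status']);
}

// Hardened shape: keep the hyperlink so the user can follow it and log in, but
// attach summary and status only after the access check passes.
function link_issue_checked(int $issue_id, string $role): string {
    if (!array_key_exists($issue_id, ISSUES)) {
        return '#' . $issue_id;
    }
    if (!user_can_view($issue_id, $role)) {
        return sprintf('<a href="view.php?id=%d">%d</a>', $issue_id, $issue_id); // bare link
    }
    $i = ISSUES[$issue_id];
    return sprintf('<a href="view.php?id=%d" title="%s">%d</a> [%s]',
        $issue_id, htmlspecialchars($i['summary']), $issue_id, $i['status']);
}

// Replace every "#<digits>" reference in free text with the chosen renderer's output.
function linkify(string $text, string $role, bool $checked): string {
    return preg_replace_callback('/#(\d+)/', function (array $m) use ($role, $checked): string {
        $id = (int) $m[1];
        return $checked ? link_issue_checked($id, $role) : link_issue_leaky($id);
    }, $text);
}
$note = 'Related: #1001 and #1002 (and #4242, which does not exist).';
echo linkify($note, 'anonymous', false), "\n"; // anonymous viewer sees #1002's summary and status
echo linkify($note, 'anonymous', true), "\n";  // #1002 is a bare link; #4242 stays plain text
```

Even in the hardened form, a link versus plain text still tells the viewer that the issue id exists; whether that is acceptable is a policy choice this comment leaves open.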

giallu (reporter), 2008-10-23 09:59, ~0019654

This is now CVE-2008-4688