2002-07 Bugs in private projects listed on 'View Bugs'
Last Modified: December 23, 2006 04:12AM
(Mantis 0.17.0 to 0.17.4a)
Description

0. Table of Contents

1. Introduction
2. Summary / Impact analysis
3. Affected versions
4. Workaround / Solution
5. Proof of Vulnerability
6. Credit
7. Contact details

1. Introduction

Mantis is an open-source, web-based bug-tracking system, written in PHP, which
uses the MySQL database server. It is being actively developed by a small
group of developers and is considered to be in the beta stage.

2. Summary / Impact analysis

Mantis allows administrators to mark certain projects as private. This restricts
access to users who have been explicitly added to that project.

There was a bug in Mantis which caused the 'View Bugs' page to list bugs from
both public and private projects when no projects were accessible to the user.
This has been patched in Mantis 0.17.5.

'View Bugs' lists only a summary of the bugs. This does not include
additional information such as the steps to reproduce the bug and any
bugnotes that may have been added.

3. Affected versions

The following versions are affected:
Mantis 0.17.4a
Mantis 0.17.4
Mantis 0.17.3
Mantis 0.17.2
Mantis 0.17.1
Mantis 0.17.0

4. Workaround / Solution

Mantis 0.17.5 patches this problem. Users are advised to upgrade to this version
when possible.

If an upgrade is not possible, the following patch (against Mantis 0.17.4a)
will close the vulnerability (although uncleanly):

--- mantis-0.17.4a/view_all_bug_page.php Mon Aug 19 07:18:54 2002 +++ mantis-0.17.5/view_all_bug_page.php Fri Aug 23 11:57:50 2002 @@ -90,7 +90,7 @@ $result2 = db_query( $query2 ); $project_count = db_num_rows( $result2 ); if ( 0 == $project_count ) { - $t_where_clause = " WHERE 1=1"; + $t_where_clause = " WHERE 0=1"; } else { $t_where_clause = " WHERE ("; for ($i=0;$i<$project_count;$i++) {
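Review bot: the zero-project branch still sends the bug query to the database, only now with a constant-false predicate (`$t_where_clause = " WHERE 0=1";`), which is why the advisory calls the fix unclean. Suggest returning early in the `if ( 0 == $project_count )` branch (render a "no accessible projects" message and skip the query altogether) so the page fails closed without depending on a throwaway WHERE clause; the `else` branch that builds the per-project filter with the `for` loop is untouched by this hunk, so users who do have project access see no change.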

5. Proof of Vulnerability

Make all projects private, create a user who does not have access to any of
these projects and open the 'View Bugs' page.
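The following Python is an added illustration, not code from the advisory or from Mantis. It replays the 'View Bugs' filter logic from sections 2 and 5 against an in-memory SQLite table: the vulnerable empty-project branch returns every bug, the patched branch returns none, and a cleaner fail-closed variant is shown alongside. The table, the bug rows and the OR-list form of the non-empty branch are assumptions.

```python
import sqlite3

# Constructed sample data (not from the advisory): one public and one
# private project, each holding a single bug.  (bug_id, project_id, summary)
BUGS = [(10, 1, "Public bug"), (20, 2, "Secret private bug")]


def _connect():
    """In-memory table standing in for the bug table in MySQL (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bug (id INTEGER, project_id INTEGER, summary TEXT)")
    conn.executemany("INSERT INTO bug VALUES (?, ?, ?)", BUGS)
    return conn


def build_where_clause(accessible_project_ids, fail_closed):
    """Mirror the 0.17.4a logic from the patch. With no accessible projects the
    unpatched code emitted ' WHERE 1=1' (matches every row); 0.17.5 emits
    ' WHERE 0=1'. The non-empty branch is assumed to OR the project ids."""
    if not accessible_project_ids:
        return " WHERE 0=1" if fail_closed else " WHERE 1=1"
    parts = " OR ".join(f"project_id={int(pid)}" for pid in accessible_project_ids)
    return f" WHERE ({parts})"


def list_visible_bugs(accessible_project_ids, fail_closed):
    """What 'View Bugs' shows this user: vulnerable (fail_closed=False)
    versus patched (fail_closed=True) behaviour."""
    query = "SELECT id, summary FROM bug" + build_where_clause(
        accessible_project_ids, fail_closed)
    return _connect().execute(query).fetchall()


def list_visible_bugs_clean(accessible_project_ids):
    """The cleaner shape: an explicit early return for the empty case, and a
    parameterised IN list instead of string-building the project ids."""
    if not accessible_project_ids:
        return []  # nothing accessible: never touch the database
    placeholders = ",".join("?" * len(accessible_project_ids))
    query = f"SELECT id, summary FROM bug WHERE project_id IN ({placeholders})"
    return _connect().execute(query, list(accessible_project_ids)).fetchall()


if __name__ == "__main__":
    # A user with no project access, as in the advisory's proof of vulnerability.
    print("0.17.4a:", list_visible_bugs([], fail_closed=False))  # leaks the private bug
    print("0.17.5: ", list_visible_bugs([], fail_closed=True))   # empty list
```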

6. Credit

This vulnerability was reported by Diehl Software through our Bug Tracking
System.

7. Contact details

The latest version of Mantis is always available from:
http://www.mantisbt.org/
The current version is 1.0.6, which can be downloaded from
http://www.mantisbt.org/download.php

If you have any questions about this vulnerability, or wish to report
another, you can report it as a private issue on:
http://www.mantisbt.org/bugs/

The latest version of this and other advisories can be found at:
http://www.mantisbt.org/manual/

Last updated: Wed, 20 Aug 2008 - 5:02:56