Issues with no security advisories

Mantis Manual

Issues with no security advisories
Last Modified: February 29, 2004 16:02PM

(Any)

Description

This page summarizes the security issues for which no security advisories were released. These can be very old issues, or issues for which we did not release advisories yet.

Private bugnotes are visible to users without appropriate access
See bug #3596. This was fixed in 0.18.2.

In print_all_bug_page.php, users can see all bugs for all projects if they do not have access to any projects
See bug #3445. This was fixed in 0.18.1.

Developers can delete bugs even when g_allow_bug_delete_access_level is set to MANAGER

Applies to 0.17.2, 0.17.3, 0.17.4, 0.17.4a
Reported by: rafmet (rafmet@ais.pl) via our bugtracker
Although the developer does not see the 'Delete Bug' link, the developer can still delete the bug by visting the 'bug_delete_page.php?f_id=[BUG_ID]' url.
For more details see bug #2360.

Users with no permission see bugs from private projects

Applies to 0.17.3, 0.17.4, 0.17.4a (fixed in 0.17.5).
Steps to reproduce:

Set all projects to private.
Create a public bug in one of the projects.
Create a new user with no access to these private projects.
Login with the new account and select 'All projects' and view the buglist.
For more details see bug #2341.

Admin Scipts - Warning

Affects: all versions

As of 0.18.0a1, the admin_* scripts are moved into admin/ folder. After installating or upgrading to 0.18.0, remove this folder or disable access rights for web users.

For versions before 0.18.0a1, you will need to do the same to admin_*.php files in the main Mantis folder.

SQL Poisoning - Security Hole

Affects: all versions prior to 0.18.0a1.

Mantis is susceptible to SQL poisoning. The worst is a case where a user can obtain administrator privileges. Users are encouraged to upgrade or close access to untrusted users. (2002-05-25)

File Uploads - Security Hole

Affects: version prior to 0.15.11 using file uploads.

Files were not being checked for their permissions. By default many Apache installations create /tmp/ directory files as world executable (777). Files are now umasked before being copied.

File Uploads - Security Hole

Affects version prior to 0.15.6 using file uploads.

A user may be able to gain read access to any file on your server. The release requries you to have PHP 3.0.17 or higher.

Show Source - Warning

Letting users see the complete source can be a security hazard. This can happen if you set $g_show_source to something other than 0 or 1. Users can replace the f_url in the URL with any file available on the system. It is encouraged that you turn $g_show_source to OFF on a production system.

Show Source feature was removed from 0.18.0a4 and later.

Passwords - Information

Currently passwords can be run through crypt() or md5() functions before being stored. crypt() and md5() are one way functions; this means that you cannot obtain the original password from the crypted or md5ed password. This ensures that the user passwords are not readable should the database be cracked into (Note: this doesn't mean they are uncrackable, enough time and processing power and brute force will reveal most passwords). However, your username and password are most likely being transmitted in clear text. You will have to use a ssl (https) connection to protect transmission.

User Contributed Notes
Issues with no security advisories

There are no user contributed notes for this page.

Last updated: Wed, 20 Aug 2008 - 9:53:02