0014016: CVE-2012-2692 Users with access level >= update_bug_threshold can delete any attachment - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0014016	mantisbt	security	public	2012-03-07 16:59	2014-09-23 18:05

Reporter	atrol	Assigned To	atrol
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.2.9
Target Version	1.2.11	Fixed in Version	1.2.11

Summary	0014016: CVE-2012-2692 Users with access level >= update_bug_threshold can delete any attachment
Description	In a default installation delete_attachments_threshold is set to DEVELOPER but having access level >= update_bug_threshold is enough to delete attachments if form_security_validation is set to OFF; The issue should be fixed along with related issue 0014015 As long as the related issue is not fixed, you have to set update_bug_threshold = REPORTER to get no issues when setting allow_delete_own_attachments = ON But this means that even reporters might be able to remove attachments of other users. If allow_delete_own_attachments is set to ON you will not get the link to delete the attachments of other users, but there is no code which prevents the deletion when using the link via browser.
Steps To Reproduce	Set $g_form_security_validation = OFF; Create private project P1 Create user DEV with access level DEVELOPER for project P1 Create user UPD with access level UPDATER for project P1 Login as DEV and report an issue # 1 for project P1 with attachment Login as UPD and add another attachment to issue # 1 Hover over the attachments to see the file_id's of attachments Enter in your browser http://<MantisRoot>/bug_file_delete.php?file_id=<IdOfAnyAttachment>
Tags	No tags attached.

dhx 2012-06-02 07:26 reporter ~0031978	Thanks for the perfect bug report Roland! I have applied a patch (ceafe6f) for this embarrassing problem in master-1.2.x and master.

atrol 2012-06-03 07:44 developer ~0031990 Last edited: 2012-06-03 07:47	The following line in function mc_issue_attachment_delete is wrong $t_attachment_owner = file_get_field( $f_file_id, 'user_id' ); $f_file_id is not defined at this place. Should be $p_issue_attachment_id I will provide a fix for it.

dhx 2012-06-09 06:00 reporter ~0032049 Last edited: 2012-06-09 07:49	http://www.openwall.com/lists/oss-security/2012/06/09/1 https://bugs.gentoo.org/show_bug.cgi?id=420375 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676783

dhx 2012-06-12 04:46 reporter ~0032077	CVE-2012-2692

grangeway 2013-04-05 17:56 reporter ~0036083	Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

MantisBT: master f82f98cc 2012-06-02 00:10 dhx Details Diff	Fix 0014016: delete_attachments_threshold is not checked Roland Becker (MantisBT developer) reported the following security/access control bug: In a default installation delete_attachments_threshold is set to DEVELOPER but having access level >= update_bug_threshold is enough to delete attachments if form_security_validation is set to OFF. MantisBT was not checking the access level of the user requesting deletion of an attachment to an issue against $g_delete_attachments_threshold. The new access control logic for deleting an issue attachment is now: 1. Does the user have an access level of at least update_bug_threshold? 2. If the user is the owner of the file and $g_allow_delete_own_attachments=OFF, does this user have an access level of at least delete_attachments_threshold? 3. If the user is not the owner of the file, do they have an access level of at least delete_attachments_threshold? Also refer to issue 0014015 for discussion on whether update_bug_threshold should be part of the access control logic. The relevant SOAP API call has also been updated. Conflicts: bug_file_delete.php		Affected Issues 0014015, 0014016
	mod - api/soap/mc_issue_attachment_api.php		Diff File
	mod - bug_file_delete.php		Diff File
MantisBT: master-1.2.x ceafe6f0 2012-06-02 00:10 dhx Details Diff	Fix 0014016: delete_attachments_threshold is not checked Roland Becker (MantisBT developer) reported the following security/access control bug: In a default installation delete_attachments_threshold is set to DEVELOPER but having access level >= update_bug_threshold is enough to delete attachments if form_security_validation is set to OFF. MantisBT was not checking the access level of the user requesting deletion of an attachment to an issue against $g_delete_attachments_threshold. The new access control logic for deleting an issue attachment is now: 1. Does the user have an access level of at least update_bug_threshold? 2. If the user is the owner of the file and $g_allow_delete_own_attachments=OFF, does this user have an access level of at least delete_attachments_threshold? 3. If the user is not the owner of the file, do they have an access level of at least delete_attachments_threshold? Also refer to issue 0014015 for discussion on whether update_bug_threshold should be part of the access control logic. The relevant SOAP API call has also been updated.		Affected Issues 0014015, 0014016
	mod - api/soap/mc_issue_attachment_api.php		Diff File
	mod - bug_file_delete.php		Diff File
MantisBT: master 31d11568 2012-06-02 00:35 dhx Details Diff	Fix 0014015: attachment deletion: remove update_bug_threshold check As reported by Roland Becker (MantisBT developer): Although configuration option allow_delete_own_attachments is set to ON reporters cannot delete their own attachments. After pushing the delete button you get "Access Denied" Issue 0014016 implemented correct attachment deletion access control checks against delete_attachments_threshold. We should be using this threshold instead of update_bug_threshold because attachments aren't linked to the core fields of an issue -- they are frequently related to comments (bugnotes) provided by less privileged users. $g_allow_delete_own_attachments should now work again... safely.		Affected Issues 0014015, 0014016
	mod - api/soap/mc_issue_attachment_api.php		Diff File
	mod - bug_file_delete.php		Diff File
MantisBT: master-1.2.x 628e9370 2012-06-02 00:35 dhx Details Diff	Fix 0014015: attachment deletion: remove update_bug_threshold check As reported by Roland Becker (MantisBT developer): Although configuration option allow_delete_own_attachments is set to ON reporters cannot delete their own attachments. After pushing the delete button you get "Access Denied" Issue 0014016 implemented correct attachment deletion access control checks against delete_attachments_threshold. We should be using this threshold instead of update_bug_threshold because attachments aren't linked to the core fields of an issue -- they are frequently related to comments (bugnotes) provided by less privileged users. $g_allow_delete_own_attachments should now work again... safely. Conflicts: bug_file_delete.php		Affected Issues 0014015, 0014016
	mod - api/soap/mc_issue_attachment_api.php		Diff File
	mod - bug_file_delete.php		Diff File
MantisBT: master-1.2.x c9314184 2012-06-03 00:51 atrol Details Diff	Additional patch to fix 0014016 First patch to fix the issue introduced access to undefined variable.		Affected Issues 0014016
	mod - api/soap/mc_issue_attachment_api.php		Diff File
MantisBT: master 75568c53 2012-06-03 00:53 atrol Details Diff	Additional patch to fix 0014016 First patch to fix the issue introduced access to undefined variable.		Affected Issues 0014016
	mod - api/soap/mc_issue_attachment_api.php		Diff File