View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0015258 | mantisbt | security | public | 2012-12-05 04:00 | 2014-09-23 18:05 |
Field | Value |
---|---|
Reporter | dregad |
Assigned To | dregad |
Priority | high |
Severity | major |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Product Version | 1.2.12 |
Target Version | 1.2.13 |
Fixed in Version | 1.2.13 |
Summary | 0015258: CVE-2013-1811 Reporter can change issue status to 'new' |
Description | In the view issue details page, a user with Reporter privilege has access to the "Change Status To" button and related selection list, allowing them to change the issue's status to NEW (see attached screenshot). |
Steps To Reproduce | |
Tags | No tags attached. |
Attached Files | |
Relationship | Issue | Status | Assigned To | Summary |
---|---|---|---|---|
related to | 0015721 | closed | grangeway | Functionality to consider porting to master-2.0.x |
has duplicate | 0016737 | closed | dregad | Reporter is able to modify the status of any public issue to new issue |
related to | 0015260 | closed | dregad | access_get_status_threshold() returns incorrect value for NEW |
related to | 0015530 | closed | dregad | [Issue view] Many of the bug options have disappeared for updaters |
related to | 0016376 | closed | dregad | Not able to change status without having update issue rights |
related to | 0016625 | closed | dregad | Allow reporter to close does not seem to work |
MantisBT: master-1.2.x 179bfc01 2012-12-06 03:33
access_get_status_threshold() returns incorrect value for NEW
When the user's access level is below $g_update_bug_status_threshold and the status to change to is NEW, the function returned the incorrect access level, preventing the user from accessing the target status when updating bugs, even though the workflow permits it. This commit fixes the problem by introducing special handling for NEW status ('bug_submit_status'), in which case the function returns 'report_bug_threshold'; otherwise it falls back to the default 'update_bug_status_threshold'. Fixes 0015260, affects issue 0015258
Affected Issues: 0015258, 0015260
mod - core/access_api.php

MantisBT: master 53844e36 2012-12-06 03:33
access_get_status_threshold() returns incorrect value for NEW
When the user's access level is below $g_update_bug_status_threshold and the status to change to is NEW, the function returned the incorrect access level, preventing the user from accessing the target status when updating bugs, even though the workflow permits it. This commit fixes the problem by introducing special handling for NEW status ('bug_submit_status'), in which case the function returns 'report_bug_threshold'; otherwise it falls back to the default 'update_bug_status_threshold'. Fixes 0015260, affects issue 0015258
Affected Issues: 0015258, 0015260
mod - core/access_api.php

MantisBT: master-1.2.x c8813734 2012-12-06 03:39
Prevent reporters from changing issue status to 'new'
Due to a missing access level check in html_button_bug_update(), in some cases reporters had access to the 'Change Status To' button, which could let them change an existing issue's status to 'new' (even if not their own issue). The code now checks that the user has at least 'update_bug_threshold' permissions to display the button. Fixes 0015258
Affected Issues: 0015258
mod - core/html_api.php

MantisBT: master 53282ac6 2012-12-06 03:39
Prevent reporters from changing issue status to 'new'
Due to a missing access level check in html_button_bug_update(), in some cases reporters had access to the 'Change Status To' button, which could let them change an existing issue's status to 'new' (even if not their own issue). The code now checks that the user has at least 'update_bug_threshold' permissions to display the button. Fixes 0015258
Affected Issues: 0015258
mod - core/html_api.php

MantisBT: master-1.2.x e074efde 2013-09-14 00:38
Use correct threshold for display of Change status list+button
Fix for issue 0015258 introduced a check for 'update_bug_threshold' to prevent unauthorized users from changing issue status. This was not the correct config setting to use; the right one is 'update_bug_status_threshold'. Fixes 0016376
Affected Issues: 0015258, 0016376
mod - core/html_api.php

MantisBT: master d5da1d24 2013-09-14 00:38
Use correct threshold for display of Change status list+button
Fix for issue 0015258 introduced a check for 'update_bug_threshold' to prevent unauthorized users from changing issue status. This was not the correct config setting to use; the right one is 'update_bug_status_threshold'. Fixes 0016376
Affected Issues: 0015258, 0016376
mod - core/html_api.php