View Issue Details

| Field | Value |
|---|---|
| ID | 0017243 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2014-04-23 15:06 |
| Last Update | 2014-12-22 08:21 |
| Reporter | grangeway |
| Assigned To | rombert |
| Priority | urgent |
| Severity | major |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.17 |
| Target Version | 1.2.18 |
| Fixed in Version | 1.2.18 |
| Summary | 0017243: CVE-2014-8553: SOAP API: leak of user personal information |
Description: Originally reported by @grangeway. Multiple functions invoke the utility function mci_account_get_array_by_id, which in turn returns the user's personal data without checking for configuration or access levels. The following SOAP methods can be invoked to gather personal information:
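As an added illustration (not MantisBT code and not the attached patch), the following self-contained PHP script models the ungated accessor described above beside a gated version that applies the three checks the fix introduces (same user, can manage, per-field show threshold). The user table, the access-level constants and the threshold names are constructed for the demo; the manage check follows view_user_page.php in comparing the caller's level against the viewed user's level, which is an assumption about that page's logic made here rather than something this issue states.

```php
<?php
// Added example, not MantisBT code: a stand-alone model of the access gate
// that the fix for this issue adds. Users, levels and thresholds below are
// constructed for the demo.
declare(strict_types=1);

const REPORTER      = 25;
const DEVELOPER     = 50;
const ADMINISTRATOR = 90;

// Constructed configuration: the three thresholds the fix consults.
$g_config = [
    'manage_user_threshold'        => ADMINISTRATOR,
    'show_user_realname_threshold' => DEVELOPER,
    'show_user_email_threshold'    => DEVELOPER,
];

// Constructed user table keyed by user id.
$g_users = [
    1 => ['username' => 'alice', 'realname' => 'Alice Example', 'email' => 'alice@example.test', 'access_level' => ADMINISTRATOR],
    2 => ['username' => 'bob',   'realname' => 'Bob Example',   'email' => 'bob@example.test',   'access_level' => DEVELOPER],
    3 => ['username' => 'carol', 'realname' => 'Carol Example', 'email' => 'carol@example.test', 'access_level' => REPORTER],
];

// Vulnerable shape (the pre-fix behaviour): every field goes back to any caller.
function account_array_unchecked(array $users, int $target): array {
    $result = ['id' => $target];
    if (!isset($users[$target])) {
        return $result;
    }
    $u = $users[$target];
    $result['name']      = $u['username'];
    $result['real_name'] = $u['realname'];
    $result['email']     = $u['email'];
    return $result;
}

// Gated shape: a field is returned only if the caller asks about itself,
// may manage the target, or meets that field's show threshold.
function account_array_checked(array $users, array $config, int $viewer, int $target): array {
    $result = ['id' => $target];
    if (!isset($users[$target])) {
        return $result;
    }
    $viewer_level = $users[$viewer]['access_level'] ?? 0;
    $is_same_user = $viewer === $target;
    // Manage check: meets the manage threshold and is not below the target's level.
    $can_manage = $viewer_level >= $config['manage_user_threshold']
        && $viewer_level >= $users[$target]['access_level'];
    $can_see_realname = $viewer_level >= $config['show_user_realname_threshold'];
    $can_see_email    = $viewer_level >= $config['show_user_email_threshold'];

    $result['name'] = $users[$target]['username'];   // username is not gated, as in the fix
    if ($is_same_user || $can_manage || $can_see_realname) {
        $result['real_name'] = $users[$target]['realname'];
    }
    if ($is_same_user || $can_manage || $can_see_email) {
        $result['email'] = $users[$target]['email'];
    }
    return $result;
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
}

// carol (REPORTER) asks about alice: the unchecked path leaks, the gated one does not.
$leaked = account_array_unchecked($g_users, 1);
check(array_key_exists('email', $leaked), 'unchecked path returns email');
$gated = account_array_checked($g_users, $g_config, 3, 1);
check(!array_key_exists('email', $gated) && !array_key_exists('real_name', $gated), 'gated path withholds both fields');
check($gated['name'] === 'alice', 'username still returned');
// carol asking about herself keeps the mc_login behaviour.
$self = account_array_checked($g_users, $g_config, 3, 3);
check($self['email'] === 'carol@example.test', 'self lookup returns own email');
// bob (DEVELOPER) meets the show thresholds for carol's record.
$dev = account_array_checked($g_users, $g_config, 2, 3);
check($dev['real_name'] === 'Carol Example', 'threshold grants real name');
echo "all checks passed\n";
```

Run with `php example.php`; the script throws on the first failed check, so a silent run that prints the final line means the gate behaved as described.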
Tags: No tags attached.

Attached Files: 0001-SOAP-API-apply-access-control-to-mci_account_get_arr.patch (2,515 bytes)
From 3ae0f7dab83de913594e382ab1bc71b59136ede0 Mon Sep 17 00:00:00 2001 From: Robert Munteanu <rmuntean@adobe.com> Date: Wed, 30 Apr 2014 22:42:22 +0300 Subject: [PATCH] SOAP API: apply access control to mci_account_get_array_by_id The access controls are the same as the ones applied by view_user_page.php, with the single addition of making the info available if the user requests their own information. This preserves the behaviour of the mc_login method call. Fixes #17243: SOAP API: information leak regarding user personal information --- api/soap/mc_account_api.php | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/api/soap/mc_account_api.php b/api/soap/mc_account_api.php index 83ed264..6b97b95 100644 --- a/api/soap/mc_account_api.php +++ b/api/soap/mc_account_api.php 
@@ -11,18 +11,35 @@ function mci_account_get_array_by_id( $p_user_id ) { $t_result['id'] = $p_user_id; if( user_exists( $p_user_id ) ) { + + $t_current_user_id = auth_get_current_user_id(); + $t_access_level = user_get_field ( auth_get_current_user_id(), 'access_level' ); + $t_can_manage = access_has_global_level( config_get( 'manage_user_threshold' ) ) && + access_has_global_level( $t_access_level ); + + // this deviates from the behaviour of view_user_page.php, but it is more intuitive + $t_is_same_user = $t_current_user_id === $p_user_id; + + $t_can_see_realname = access_has_project_level( config_get( 'show_user_realname_threshold' ) ); + $t_can_see_email = access_has_project_level( config_get( 'show_user_email_threshold' ) ); + $t_result['name'] = user_get_field( $p_user_id, 'username' ); - $t_dummy = user_get_field( $p_user_id, 'realname' ); - if( !empty( $t_dummy ) ) { - $t_result['real_name'] = $t_dummy; - } + if ( $t_is_same_user || $t_can_manage || $t_can_see_realname ) { + $t_dummy = user_get_field( $p_user_id, 'realname' ); + + if( !empty( $t_dummy ) ) { + $t_result['real_name'] = $t_dummy; + } + } - $t_dummy = user_get_field( $p_user_id, 'email' ); + if ( $t_is_same_user || $t_can_manage || $t_can_see_email ) { + $t_dummy = user_get_field( $p_user_id, 'email' ); - if( !empty( $t_dummy ) ) { - $t_result['email'] = $t_dummy; - } + if( !empty( $t_dummy ) ) { + $t_result['email'] = $t_dummy; + } + } } return $t_result; } -- 1.8.4.5 0001-SOAP-API-apply-access-control-to-mci_account_get_arr-2.patch (2,497 bytes)
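Review bot: in the first patch (3ae0f7d), the `$t_access_level` line calls `auth_get_current_user_id()` a second time immediately after its result was stored in `$t_current_user_id`; reuse the local, `user_get_field( $t_current_user_id, 'access_level' )`, so the two lookups cannot diverge and the intent is clear. A style point: the new comment is written with `//` while the second attachment on this issue switches it to `#`, which is the form to keep.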
From e53673e8dfba3890e0d57312351d794babce56b2 Mon Sep 17 00:00:00 2001 From: Robert Munteanu <rmuntean@adobe.com> Date: Wed, 30 Apr 2014 22:42:22 +0300 Subject: [PATCH] SOAP API: apply access control to mci_account_get_array_by_id The access controls are the same as the ones applied by view_user_page.php, with the single addition of making the info available if the user requests their own information. This preserves the behaviour of the mc_login method call. Fixes #17243: SOAP API: information leak regarding user personal information --- api/soap/mc_account_api.php | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/api/soap/mc_account_api.php b/api/soap/mc_account_api.php index 83ed264..999e017 100644 --- a/api/soap/mc_account_api.php +++ b/api/soap/mc_account_api.php 
@@ -11,18 +11,35 @@ function mci_account_get_array_by_id( $p_user_id ) { $t_result['id'] = $p_user_id; if( user_exists( $p_user_id ) ) { + + $t_current_user_id = auth_get_current_user_id(); + $t_access_level = user_get_field ( $t_current_user_id, 'access_level' ); + $t_can_manage = access_has_global_level( config_get( 'manage_user_threshold' ) ) && + access_has_global_level( $t_access_level ); + + # this deviates from the behaviour of view_user_page.php, but it is more intuitive + $t_is_same_user = $t_current_user_id === $p_user_id; + + $t_can_see_realname = access_has_project_level( config_get( 'show_user_realname_threshold' ) ); + $t_can_see_email = access_has_project_level( config_get( 'show_user_email_threshold' ) ); + $t_result['name'] = user_get_field( $p_user_id, 'username' ); - $t_dummy = user_get_field( $p_user_id, 'realname' ); - if( !empty( $t_dummy ) ) { - $t_result['real_name'] = $t_dummy; - } + if ( $t_is_same_user || $t_can_manage || $t_can_see_realname ) { + $t_realname = user_get_realname( $p_user_id ); + + if( !empty( $t_realname ) ) { + $t_result['real_name'] = $t_realname; + } + } - $t_dummy = user_get_field( $p_user_id, 'email' ); + if ( $t_is_same_user || $t_can_manage || $t_can_see_email ) { + $t_email = user_get_email( $p_user_id ); - if( !empty( $t_dummy ) ) { - $t_result['email'] = $t_dummy; - } + if( !empty( $t_email ) ) { + $t_result['email'] = $t_email; + } + } } return $t_result; } -- 1.8.4.5 | ||||
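Review bot: `$t_can_manage` is computed from the caller's own access level, so its second operand `access_has_global_level( $t_access_level )` is always true for the caller and the manage check collapses to the `manage_user_threshold` test alone; if the intent is to mirror view_user_page.php as the commit message says, the level compared against should be the viewed user's, i.e. `$t_access_level = user_get_field( $p_user_id, 'access_level' );`. A second point: `$t_is_same_user = $t_current_user_id === $p_user_id;` is a strict comparison, so if `$p_user_id` reaches this function as a string from the SOAP parameter while `auth_get_current_user_id()` returns an int, a user asking for their own record fails the same-user test and falls through to the threshold checks; casting `$p_user_id` to int before the comparison keeps the self-lookup (and the `mc_login` behaviour the message wants to preserve) robust.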
From: cve-assign@mitre.org
Use CVE-2014-8553.
MantisBT: master-1.2.x f001e06c 2014-04-30 11:42 Committer: dregad

SOAP API: apply access control to mci_account_get_array_by_id

The access controls are the same as the ones applied by view_user_page.php, with the single addition of making the info available if the user requests their own information. This preserves the behaviour of the mc_login method call.

Fixes 0017243 (leak of user personal information)

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Affected Issues: 0017243
mod - api/soap/mc_account_api.php
MantisBT: master f779e3d4 2014-04-30 11:42 Committer: dregad

SOAP API: apply access control to mci_account_get_array_by_id

The access controls are the same as the ones applied by view_user_page.php, with the single addition of making the info available if the user requests their own information. This preserves the behaviour of the mc_login method call.

Fixes 0017243 (leak of user personal information)

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Affected Issues: 0017243
mod - api/soap/mc_account_api.php