View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0017243 | mantisbt | security | public | 2014-04-23 15:06 | 2014-12-22 08:21 |
| Reporter | grangeway | Assigned To | rombert | | |
| Priority | urgent | Severity | major | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | | |
| Product Version | 1.2.17 | | | | |
| Target Version | 1.2.18 | Fixed in Version | 1.2.18 | | |
| Summary | 0017243: CVE-2014-8553: SOAP API: leak of user personal information | | | | |
| Description | Originally reported by @grangeway. Multiple functions invoke the utility function mci_account_get_array_by_id, which in turn returns the user's personal data without checking for configuration or access levels. The following SOAP methods can be invoked to gather personal information: | | | | |
| Tags | No tags attached. | | | | |
| Attached Files | 0001-SOAP-API-apply-access-control-to-mci_account_get_arr.patch (2,515 bytes) | | | | |

From 3ae0f7dab83de913594e382ab1bc71b59136ede0 Mon Sep 17 00:00:00 2001
From: Robert Munteanu <rmuntean@adobe.com>
Date: Wed, 30 Apr 2014 22:42:22 +0300
Subject: [PATCH] SOAP API: apply access control to mci_account_get_array_by_id
The access controls are the same as the ones applied by
view_user_page.php, with the single addition of making the info
available if the user requests their own information.
This preserves the behaviour of the mc_login method call.
Fixes #17243: SOAP API: information leak regarding user personal information
---
api/soap/mc_account_api.php | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)
diff --git a/api/soap/mc_account_api.php b/api/soap/mc_account_api.php
index 83ed264..6b97b95 100644
--- a/api/soap/mc_account_api.php
+++ b/api/soap/mc_account_api.php
@@ -11,18 +11,35 @@ function mci_account_get_array_by_id( $p_user_id ) {
$t_result['id'] = $p_user_id;
if( user_exists( $p_user_id ) ) {
+
+ $t_current_user_id = auth_get_current_user_id();
+ $t_access_level = user_get_field ( auth_get_current_user_id(), 'access_level' );
+ $t_can_manage = access_has_global_level( config_get( 'manage_user_threshold' ) ) &&
+ access_has_global_level( $t_access_level );
+
+ // this deviates from the behaviour of view_user_page.php, but it is more intuitive
+ $t_is_same_user = $t_current_user_id === $p_user_id;
+
+ $t_can_see_realname = access_has_project_level( config_get( 'show_user_realname_threshold' ) );
+ $t_can_see_email = access_has_project_level( config_get( 'show_user_email_threshold' ) );
+
$t_result['name'] = user_get_field( $p_user_id, 'username' );
- $t_dummy = user_get_field( $p_user_id, 'realname' );
- if( !empty( $t_dummy ) ) {
- $t_result['real_name'] = $t_dummy;
- }
+ if ( $t_is_same_user || $t_can_manage || $t_can_see_realname ) {
+ $t_dummy = user_get_field( $p_user_id, 'realname' );
+
+ if( !empty( $t_dummy ) ) {
+ $t_result['real_name'] = $t_dummy;
+ }
+ }
- $t_dummy = user_get_field( $p_user_id, 'email' );
+ if ( $t_is_same_user || $t_can_manage || $t_can_see_email ) {
+ $t_dummy = user_get_field( $p_user_id, 'email' );
- if( !empty( $t_dummy ) ) {
- $t_result['email'] = $t_dummy;
- }
+ if( !empty( $t_dummy ) ) {
+ $t_result['email'] = $t_dummy;
+ }
+ }
}
return $t_result;
}
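Review bot: the second half of $t_can_manage is always true. `$t_access_level = user_get_field ( auth_get_current_user_id(), 'access_level' );` reads the current user's own level, and `access_has_global_level( $t_access_level )` then asks whether the current user holds at least that level, which they do by definition; the manage check therefore collapses to manage_user_threshold alone. If it is meant to mirror the view_user_page.php rule that a manager must hold at least the viewed user's level, read 'access_level' for $p_user_id instead. Two smaller points in the same hunk: $t_current_user_id is assigned on the line above, so reuse it rather than calling auth_get_current_user_id() a second time, and the `// this deviates from ...` comment should use the `#` comment marker (the revised attachment below makes that change).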
--
1.8.4.5
0001-SOAP-API-apply-access-control-to-mci_account_get_arr-2.patch (2,497 bytes)
From e53673e8dfba3890e0d57312351d794babce56b2 Mon Sep 17 00:00:00 2001
From: Robert Munteanu <rmuntean@adobe.com>
Date: Wed, 30 Apr 2014 22:42:22 +0300
Subject: [PATCH] SOAP API: apply access control to mci_account_get_array_by_id
The access controls are the same as the ones applied by
view_user_page.php, with the single addition of making the info
available if the user requests their own information.
This preserves the behaviour of the mc_login method call.
Fixes #17243: SOAP API: information leak regarding user personal information
---
api/soap/mc_account_api.php | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)
diff --git a/api/soap/mc_account_api.php b/api/soap/mc_account_api.php
index 83ed264..999e017 100644
--- a/api/soap/mc_account_api.php
+++ b/api/soap/mc_account_api.php
@@ -11,18 +11,35 @@ function mci_account_get_array_by_id( $p_user_id ) {
$t_result['id'] = $p_user_id;
if( user_exists( $p_user_id ) ) {
+
+ $t_current_user_id = auth_get_current_user_id();
+ $t_access_level = user_get_field ( $t_current_user_id, 'access_level' );
+ $t_can_manage = access_has_global_level( config_get( 'manage_user_threshold' ) ) &&
+ access_has_global_level( $t_access_level );
+
+ # this deviates from the behaviour of view_user_page.php, but it is more intuitive
+ $t_is_same_user = $t_current_user_id === $p_user_id;
+
+ $t_can_see_realname = access_has_project_level( config_get( 'show_user_realname_threshold' ) );
+ $t_can_see_email = access_has_project_level( config_get( 'show_user_email_threshold' ) );
+
$t_result['name'] = user_get_field( $p_user_id, 'username' );
- $t_dummy = user_get_field( $p_user_id, 'realname' );
- if( !empty( $t_dummy ) ) {
- $t_result['real_name'] = $t_dummy;
- }
+ if ( $t_is_same_user || $t_can_manage || $t_can_see_realname ) {
+ $t_realname = user_get_realname( $p_user_id );
+
+ if( !empty( $t_realname ) ) {
+ $t_result['real_name'] = $t_realname;
+ }
+ }
- $t_dummy = user_get_field( $p_user_id, 'email' );
+ if ( $t_is_same_user || $t_can_manage || $t_can_see_email ) {
+ $t_email = user_get_email( $p_user_id );
- if( !empty( $t_dummy ) ) {
- $t_result['email'] = $t_dummy;
- }
+ if( !empty( $t_email ) ) {
+ $t_result['email'] = $t_email;
+ }
+ }
}
return $t_result;
}
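Review bot: `$t_is_same_user = $t_current_user_id === $p_user_id;` uses a strict comparison, so the self-access exception that the commit message describes only holds when both values have the same PHP type. If $p_user_id reaches this function as a string (a SOAP parameter or a database row value, neither of which is cast on the visible lines) while auth_get_current_user_id() returns an int, the comparison is false and the caller is silently denied their own real name and email, which is exactly the mc_login behaviour the patch says it preserves. Cast both sides, for example `(int)$t_current_user_id === (int)$p_user_id`. The $t_can_manage rule is unchanged from the first attachment: `access_has_global_level( $t_access_level )` still compares the current user against their own level and is always true, so only manage_user_threshold is effectively checked.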
--
1.8.4.5
Notes

cve-assign@mitre.org: Use CVE-2014-8553.

Related Changesets

MantisBT: master-1.2.x f001e06c 2014-04-30 11:42 Committer: dregad
SOAP API: apply access control to mci_account_get_array_by_id
The access controls are the same as the ones applied by view_user_page.php, with the single addition of making the info available if the user requests their own information. This preserves the behaviour of the mc_login method call.
Fixes 0017243 (leak of user personal information)
Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0017243
mod - api/soap/mc_account_api.php

MantisBT: master f779e3d4 2014-04-30 11:42 Committer: dregad
SOAP API: apply access control to mci_account_get_array_by_id
The access controls are the same as the ones applied by view_user_page.php, with the single addition of making the info available if the user requests their own information. This preserves the behaviour of the mc_login method call.
Fixes 0017243 (leak of user personal information)
Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0017243
mod - api/soap/mc_account_api.php
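The leak described in the issue and the gate the attached patches add can be exercised without a MantisBT install. The script below is an added example, not code from MantisBT or from the patch author: it models mci_account_get_array_by_id before and after the fix on top of stand-ins for config_get(), user_get_field(), auth_get_current_user_id(), access_has_global_level() and access_has_project_level(), with a constructed user table and constructed threshold values. It also goes beyond the hunks in two places that are this example's own choices: the user ids are cast to int before the same-user comparison, and the manage rule reads the target user's access level rather than the requester's.

```php
<?php
// Added example (not MantisBT code): a stand-alone model of the access gate
// that the attached patch adds to mci_account_get_array_by_id().

// Access level values as defined in MantisBT's constant_inc.php.
const VIEWER = 10; const REPORTER = 25; const DEVELOPER = 55;
const MANAGER = 70; const ADMINISTRATOR = 90; const NOBODY = 100;

// Constructed configuration; stand-in for config_get().
$g_config = array(
    'manage_user_threshold'        => ADMINISTRATOR,
    'show_user_realname_threshold' => DEVELOPER,
    'show_user_email_threshold'    => NOBODY,
);

// Constructed user table; stand-in for the rows user_get_field() reads.
$g_users = array(
    1 => array( 'username' => 'administrator', 'realname' => 'Site Admin',
                'email' => 'admin@example.test', 'access_level' => ADMINISTRATOR ),
    2 => array( 'username' => 'dev1', 'realname' => 'Dana Developer',
                'email' => 'dana@example.test', 'access_level' => DEVELOPER ),
    3 => array( 'username' => 'rep1', 'realname' => 'Rhys Reporter',
                'email' => 'rhys@example.test', 'access_level' => REPORTER ),
);

// The requesting user; stand-in for auth_get_current_user_id().
$g_current_user_id = 3;

function config_get( $p_option ) { global $g_config; return $g_config[$p_option]; }
function user_exists( $p_user_id ) { global $g_users; return isset( $g_users[(int)$p_user_id] ); }
function user_get_field( $p_user_id, $p_field ) { global $g_users; return $g_users[(int)$p_user_id][$p_field]; }
function auth_get_current_user_id() { global $g_current_user_id; return $g_current_user_id; }

// Stand-in for access_has_global_level(): the requester's level is at least $p_threshold.
function access_has_global_level( $p_threshold ) {
    return user_get_field( auth_get_current_user_id(), 'access_level' ) >= $p_threshold;
}
// Stand-in for access_has_project_level(); this model has no per-project
// overrides, so it is the same test as the global one.
function access_has_project_level( $p_threshold ) { return access_has_global_level( $p_threshold ); }

// Behaviour before the patch: every authenticated caller gets realname and email.
function account_array_unpatched( $p_user_id ) {
    $t_result = array( 'id' => $p_user_id );
    if( user_exists( $p_user_id ) ) {
        $t_result['name']      = user_get_field( $p_user_id, 'username' );
        $t_result['real_name'] = user_get_field( $p_user_id, 'realname' );
        $t_result['email']     = user_get_field( $p_user_id, 'email' );
    }
    return $t_result;
}

// Behaviour after the patch, with two deviations that are this example's own:
// ids are cast to int so a string id (DB row, SOAP envelope) still matches the
// requester, and the manage rule reads the *target* user's level, i.e. the
// manager must hold at least the level of the user being viewed.
function account_array_patched( $p_user_id ) {
    $t_result = array( 'id' => $p_user_id );
    if( user_exists( $p_user_id ) ) {
        $t_current_user_id  = auth_get_current_user_id();
        $t_is_same_user     = (int)$t_current_user_id === (int)$p_user_id;
        $t_can_manage       = access_has_global_level( config_get( 'manage_user_threshold' ) )
                           && access_has_global_level( user_get_field( $p_user_id, 'access_level' ) );
        $t_can_see_realname = access_has_project_level( config_get( 'show_user_realname_threshold' ) );
        $t_can_see_email    = access_has_project_level( config_get( 'show_user_email_threshold' ) );

        $t_result['name'] = user_get_field( $p_user_id, 'username' );
        if( $t_is_same_user || $t_can_manage || $t_can_see_realname ) {
            $t_result['real_name'] = user_get_field( $p_user_id, 'realname' );
        }
        if( $t_is_same_user || $t_can_manage || $t_can_see_email ) {
            $t_result['email'] = user_get_field( $p_user_id, 'email' );
        }
    }
    return $t_result;
}

// Demonstration: the reporter (id 3) asks for the administrator's record, then
// for their own record with the id passed as the string "3".
foreach( array( 1, '3' ) as $t_target ) {
    echo "unpatched -> ", json_encode( account_array_unpatched( $t_target ) ), "\n";
    echo "patched   -> ", json_encode( account_array_patched( $t_target ) ), "\n";
}
```

Run with `php` on the command line. With the thresholds constructed above, the reporter receives the administrator's real name and email from the unpatched function and only `id` and `name` from the patched one; for their own record both functions return every field, and the patched one does so even though the id arrived as a string, which a strict `===` without the cast would reject.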