View Issue Details
| Field | Value |
|---|---|
| ID | 0019873 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2015-06-23 02:09 |
| Last Update | 2016-08-15 09:02 |
| Reporter | wkarl |
| Assigned To | dregad |
| Priority | high |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.19 |
| Target Version | 1.2.20 |
| Fixed in Version | 1.2.20 |
| Summary | 0019873: CVE-2015-5059: documentation in private projects can be seen by every user |
| Description | While you can't see them on the proj_doc_page if you don't have access, the project documentation links follow a simple scheme: `https://<server>/file_download.php?file_id=1&type=doc`. By trying different file_id numbers you can download every project's documentation, even in projects that you don't have access to. |
| Steps To Reproduce | Upload project documentation files in one project and try to use their URL with a different user without access. |
| Tags | No tags attached. |
Hello, I am not able to reproduce the behavior you describe on 1.2.19 (or 1.3.x). When trying to open a file using the download URL without being logged in (anonymous user), or with a user having access level < $g_view_proj_doc_threshold, I'm getting the expected "Access Denied" error. It's also worth mentioning that this feature is deprecated.

Well, OK, my wording "every user" is wrong. But "every user with access level < $g_view_proj_doc_threshold" can download other projects' documentation. We have hundreds of different projects; all of them are private. $g_view_proj_doc_threshold is at its default, ANYBODY. And we would like to have anybody view their own project's documentation, but not other projects' documentation. It seems so easy to achieve. The mantis_project_file_table has the field project_id; a simple query checking whether the user has access to this project seems to do the job...

I see what you mean now, and indeed I can reproduce the problem. That being said, ANYBODY means, well... anybody. If you want to restrict access to users who are members of the project, I believe setting $g_view_proj_doc_threshold = VIEWER; should do the trick. Let me know how it goes. I guess you might argue that the system behavior with the default ANYBODY setting is counterintuitive... maybe we should change that to VIEWER.

ANYBODY is pretty OK for me. We want viewers to be able to view the project documentation, but restricted to their own projects, not anybody's projects. Once again, our projects are all private and nobody should be able to download documentation of projects that they don't have access to on any other page. You seem to aim at that too, because proj_doc_page.php shows only documentation of projects that you have access to. But you can GUESS the other projects' documentation links very easily if you know one link for your own project. Would you like me to provide a patch?

Thanks for proposing to provide a patch, but this is not needed at this time. Could you please provide feedback on whether the system behaves as per your expectations when $g_view_proj_doc_threshold = VIEWER?

Oooooh, access_compare_level returns TRUE because FALSE >= ANYBODY ... |
Almost simultaneous feedback. Be right back. |
dregad, with $g_view_proj_doc_threshold = VIEWER everything works as we expect. Please communicate internally that the config_defaults_inc.php value for $g_view_proj_doc_threshold poses a security hole. Maybe you should evaluate other places where ANYBODY is used. Thank you for your assistance. Please close the issue.

Thanks for the feedback. I'll patch the default value in config_defaults_inc.php and request a CVE ID to track the information disclosure issue. |
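To make the failure mode discussed in this thread concrete, here is an added Python model (not MantisBT's own code) of the $g_view_proj_doc_threshold check behind file_download.php?type=doc: with the default ANYBODY a user who is not a member of a private project still passes, because a non-member's level (FALSE) compares as >= 0, while the fixed default VIEWER rejects them. The access-level constants are MantisBT's; the projects, files, users and function names are constructed for the example, and member_and_threshold_allows is a hypothetical stricter check along the lines the reporter suggests.

```python
# Added example, not MantisBT's own code: a minimal model of the
# $g_view_proj_doc_threshold check applied by file_download.php?type=doc.
# Access-level values are MantisBT's constants; projects, files, users and
# function names are constructed for this illustration.
ANYBODY, VIEWER, REPORTER = 0, 10, 25

# Constructed sample data: two private projects, each owning one document
# (file_id -> project_id), and the project membership of two users.
PROJECT_FILES = {1: {"project_id": 100, "name": "design.pdf"},
                 2: {"project_id": 200, "name": "contract.pdf"}}
PROJECT_MEMBERS = {100: {"alice": REPORTER}, 200: {"bob": VIEWER}}


def project_access_level(user, project_id):
    """Return the user's level in the project, or False for a non-member.

    False stands for the 'no role in this private project' case the thread
    refers to ("FALSE >= ANYBODY"): such a user has no numeric level at all.
    """
    return PROJECT_MEMBERS.get(project_id, {}).get(user, False)


def threshold_allows(user, file_id, threshold):
    """Threshold-only check: level >= $g_view_proj_doc_threshold.

    Python, like PHP's loose comparison, evaluates False >= 0 as True, so
    with threshold ANYBODY a non-member is granted the download; with
    VIEWER (10) the same comparison is False and access is denied.
    """
    project_id = PROJECT_FILES[file_id]["project_id"]
    return project_access_level(user, project_id) >= threshold


def member_and_threshold_allows(user, file_id, threshold):
    """Hypothetical stricter check: require project membership explicitly,
    then apply the threshold, so the outcome no longer depends on how
    'no role' compares against the configured constant.
    """
    level = project_access_level(user, PROJECT_FILES[file_id]["project_id"])
    return level is not False and level >= threshold


def downloadable_file_ids(user, threshold, check=threshold_allows):
    """Regression helper: the file_ids a user would be served if every
    file_id were requested in turn, which is how the reporter found the
    issue.  A correct configuration returns only the user's own projects."""
    return sorted(f for f in PROJECT_FILES if check(user, f, threshold))
```

Running downloadable_file_ids("bob", ANYBODY) against this data returns both files, while the VIEWER default or the explicit membership check returns only bob's own project file.
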
CVE request: http://article.gmane.org/gmane.comp.security.oss.general/17143 |
|
CVE assignment: http://article.gmane.org/gmane.comp.security.oss.general/17146 |
|
MantisBT: master-1.2.x f39cf525 2015-06-24 04:52

Change default threshold to view project doc to VIEWER

Previously it was ANYBODY, which would let any user download files from any project including private ones, even when they are not part of the team.

Backport from a4be76d6e5c4939545d84712c79d3f8f4a108c4f

Fixes 0019873

Affected Issues: 0019873

mod - config_defaults_inc.php
MantisBT: master a4be76d6 2015-06-24 04:52

Change default threshold to view project doc to VIEWER

Previously it was ANYBODY, which would let any user download files from any project including private ones, even when they are not part of the team.

Fixes 0019873

Affected Issues: 0019873, 0020109

mod - config_defaults_inc.php