View Issue Details

ID: 0020277
Project: mantisbt
Category: security
View Status: public
Last Update: 2016-06-12 00:42
Reporter: atrol
Assigned To: atrol
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0-beta.1
Target Version: 1.3.0-rc.2
Fixed in Version: 1.3.0-rc.2
Summary: 0020277: CVE-2014-9759: SOAP API can be used to disclose confidential settings
Description

mc_config_get_string can be used to disclose confidential settings

Tags: No tags attached.
Attached Files
fix-20277.patch (2,036 bytes)   
From 66e3da31089f51429dad402db5a49d97b4864367 Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Mon, 16 Nov 2015 23:15:36 +0100
Subject: [PATCH] Add missing confidential options to function
 config_is_private

Fixes #20277
Thanks @grangeway for pointing out master_crypto_salt vs. crypto_master_salt
some while ago.
---
 core/config_api.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/core/config_api.php b/core/config_api.php
index 8cace8c..20f3a2a 100644
--- a/core/config_api.php
+++ b/core/config_api.php
@@ -690,7 +690,12 @@ function config_is_private( $p_config_var ) {
 		case 'database_name':
 		case 'db_schema':
 		case 'db_type':
-		case 'master_crypto_salt':
+		case 'db_table_prefix':
+		case 'db_table_plugin_prefix':
+		case 'db_table_suffix':
+		case 'use_persistent_connections':
+		case 'dsn':
+		case 'crypto_master_salt':
 		case 'smtp_host':
 		case 'smtp_username':
 		case 'smtp_password':
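Review bot: the replacement of `case 'master_crypto_salt':` by `case 'crypto_master_salt':` means the name in the old list never matched the real option, so the salt was readable through mc_config_get_string until this change, and nothing in the hunk stops the same thing from happening on the next rename. A regression test asserting config_is_private( 'crypto_master_salt' ) === true, plus a comment on that case line referencing this issue, would make the protection checkable instead of depending on the spelling staying right.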
@@ -702,9 +707,11 @@ function config_is_private( $p_config_var ) {
 		case 'class_path':
 		case 'library_path':
 		case 'language_path':
+		case 'config_path':
 		case 'session_save_path':
 		case 'session_handler':
 		case 'session_validation':
+		case 'form_security_validation':
 		case 'global_settings':
 		case 'system_font_folder':
 		case 'phpMailer_method':
@@ -716,9 +723,12 @@ function config_is_private( $p_config_var ) {
 		case 'ldap_root_dn':
 		case 'ldap_organization':
 		case 'ldap_uid_field':
+		case 'ldap_realname_field':
 		case 'ldap_bind_dn':
 		case 'ldap_bind_passwd':
 		case 'use_ldap_email':
+		case 'use_ldap_realname':
+		case 'ldap_simulation_file_path':
 		case 'ldap_protocol_version':
 		case 'login_method':
 		case 'cookie_path':
@@ -732,6 +742,7 @@ function config_is_private( $p_config_var ) {
 		case 'log_destination':
 		case 'dot_tool':
 		case 'neato_tool':
+		case 'debug_email':
 			return true;
 
 		# Marked obsolete in 1.3.0dev - keep here to make sure they are not disclosed by soap api.
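Review bot: this hunk, like the three before it, extends a deny list in which every option not named in the switch is treated as public, so each new sensitive option (debug_email here, config_path and ldap_simulation_file_path above) has to be remembered individually and a forgotten one is disclosed silently. Inverting the check into an allow list of options that may be queried, with everything else private by default, would make omissions fail safe.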
-- 
2.4.9 (Apple Git-60)

config_names.txt (3,152 bytes)   
/**
 * The following list of configuration options is used to check if it is
 * allowed to query a specific configuration option by SOAP API
 * @global array $g_public_config_names
 */
$g_public_config_names = array(
	'allow_signup', 'max_failed_login_count',
	'notify_new_user_created_threshold_min',
	'signup_use_captcha', 'lost_password_feature',
	'max_lost_password_in_progress_count', 'antispam_max_event_count',
	'antispam_time_window_in_seconds', 'webmaster_email',
	'from_email', 'from_name', 'return_path_email',
	'enable_email_notification', 'notify_flags', 'email_receive_own',
	'validate_email', 'check_mx_record', 'allow_blank_email',
	'show_user_email_threshold', 'show_user_realname_threshold',
	'mail_priority', 'email_separator1', 'email_separator2',
	'email_padding_length', 'show_version', 'version_suffix',
	'copyright_statement', 'default_language', 'fallback_language',
	'window_title', 'favicon_image', 'logo_image',
	'logo_url', 'enable_project_documentation', 'show_footer_menu',
	'show_project_menu_bar', 'show_assigned_names',
	'show_priority_text', 'priority_significant_threshold',
	'severity_significant_threshold', 'show_bug_project_links',
	'status_legend_position', 'status_percentage_legend',
	'filter_position', 'action_button_position', 'show_product_version',
	'show_version_dates_threshold', 'show_realname',
	'differentiate_duplicates', 'sort_by_last_name', 'show_avatar',
	'show_avatar_threshold', 'show_changelog_dates',
	'show_roadmap_dates', 'cookie_time_length',
	'allow_permanent_cookie', 'long_process_timeout',
	'short_date_format', 'normal_date_format',
	'complete_date_format', 'calendar_js_date_format',
	'calendar_date_format', 'default_timezone', 'news_enabled',
	'news_limit_method', 'news_view_limit', 'news_view_limit_days',
	'private_news_threshold', 'default_new_account_access_level',
	'default_project_view_status', 'default_bug_view_status',
	'default_bug_steps_to_reproduce', 'default_bug_additional_info',
	'default_bugnote_view_status', 'default_bug_resolution',
	'default_bug_severity', 'default_bug_priority',
	'default_bug_reproducibility', 'default_bug_projection',
	'default_bug_eta', 'default_bug_relationship_clone',
	'default_bug_relationship', 'default_category_for_moves',
	'default_limit_view', 'default_show_changed',
	'hide_status_default', 'show_sticky_issues',
	'min_refresh_delay', 'default_refresh_delay',
	'default_redirect_delay', 'default_bugnote_order',
	'default_email_on_new', 'default_email_on_assigned',
	'default_email_on_feedback', 'default_email_on_resolved',
	'default_email_on_closed', 'default_email_on_reopened',
	'default_email_on_bugnote', 'default_email_on_status',
	'default_email_on_priority', 'default_email_on_new_minimum_severity',
	'default_email_on_assigned_minimum_severity',
	'default_email_on_feedback_minimum_severity',
	'default_email_on_resolved_minimum_severity',
	'default_email_on_closed_minimum_severity',
	'default_email_on_reopened_minimum_severity',
	'default_email_on_bugnote_minimum_severity',
	'default_email_on_status_minimum_severity',
	'default_email_on_priority_minimum_severity',
	'default_email_bugnote_limit',
);
fix-20277-2.patch (14,130 bytes)   
From b858790ae3d1d17b4bfab46d29b3a3094360650e Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Wed, 23 Dec 2015 20:32:10 +0100
Subject: [PATCH] Implement a white list of options that can be accessed via
 SOAP API

Fixes #20277
---
 config_defaults_inc.php                       | 347 ++++++++++++++++++++++++++
 core/config_api.php                           |  63 +----
 docbook/Admin_Guide/en-US/config/settings.xml |   6 +
 3 files changed, 356 insertions(+), 60 deletions(-)

diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index 780fd1f..62568ec 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -4265,6 +4265,353 @@ $g_global_settings = array(
 	'cdn_enabled'
 );
 
+/**
+ * The following list of configuration options is used to check if it is
+ * allowed to query a specific configuration option via SOAP API.
+ * @global array $g_public_config_names
+ */
+$g_public_config_names = array(
+	'access_levels_enum_string',
+	'action_button_position',
+	'add_bugnote_threshold',
+	'add_profile_threshold',
+	'admin_site_threshold',
+	'allow_account_delete',
+	'allow_anonymous_login',
+	'allow_blank_email',
+	'allow_delete_own_attachments',
+	'allow_download_own_attachments',
+	'allow_file_upload',
+	'allow_freetext_in_profile_fields',
+	'allow_no_category',
+	'allow_permanent_cookie',
+	'allow_reporter_close',
+	'allow_reporter_reopen',
+	'allow_reporter_upload',
+	'allow_signup',
+	'allowed_files',
+	'anonymous_account',
+	'antispam_max_event_count',
+	'antispam_time_window_in_seconds',
+	'assign_sponsored_bugs_threshold',
+	'auto_set_status_to_assigned',
+	'backward_year_count',
+	'bottom_include_page',
+	'bug_assigned_status',
+	'bug_closed_status_threshold',
+	'bug_count_hyperlink_prefix',
+	'bug_duplicate_resolution',
+	'bug_feedback_status',
+	'bug_link_tag',
+	'bug_list_cookie',
+	'bug_readonly_status_threshold',
+	'bug_reminder_threshold',
+	'bug_reopen_resolution',
+	'bug_reopen_status',
+	'bug_resolution_fixed_threshold',
+	'bug_resolution_not_fixed_threshold',
+	'bug_resolved_status_threshold',
+	'bug_revision_drop_threshold',
+	'bug_submit_status',
+	'bugnote_link_tag',
+	'bugnote_order',
+	'bugnote_user_change_view_state_threshold',
+	'bugnote_user_delete_threshold',
+	'bugnote_user_edit_threshold',
+	'calendar_date_format',
+	'calendar_js_date_format',
+	'cdn_enabled',
+	'change_view_status_threshold',
+	'check_mx_record',
+	'complete_date_format',
+	'compress_html',
+	'cookie_prefix',
+	'cookie_time_length',
+	'copyright_statement',
+	'create_permalink_threshold',
+	'create_project_threshold',
+	'create_short_url',
+	'css_include_file',
+	'css_rtl_include_file',
+	'csv_add_bom',
+	'csv_separator',
+	'custom_field_edit_after_create',
+	'custom_field_link_threshold',
+	'custom_field_type_enum_string',
+	'default_bug_additional_info',
+	'default_bug_eta',
+	'default_bug_priority',
+	'default_bug_projection',
+	'default_bug_relationship_clone',
+	'default_bug_relationship',
+	'default_bug_reproducibility',
+	'default_bug_resolution',
+	'default_bug_severity',
+	'default_bug_steps_to_reproduce',
+	'default_bug_view_status',
+	'default_bugnote_order',
+	'default_bugnote_view_status',
+	'default_category_for_moves',
+	'default_email_bugnote_limit',
+	'default_email_on_assigned_minimum_severity',
+	'default_email_on_assigned',
+	'default_email_on_bugnote_minimum_severity',
+	'default_email_on_bugnote',
+	'default_email_on_closed_minimum_severity',
+	'default_email_on_closed',
+	'default_email_on_feedback_minimum_severity',
+	'default_email_on_feedback',
+	'default_email_on_new_minimum_severity',
+	'default_email_on_new',
+	'default_email_on_priority_minimum_severity',
+	'default_email_on_priority',
+	'default_email_on_reopened_minimum_severity',
+	'default_email_on_reopened',
+	'default_email_on_resolved_minimum_severity',
+	'default_email_on_resolved',
+	'default_email_on_status_minimum_severity',
+	'default_email_on_status',
+	'default_home_page',
+	'default_language',
+	'default_limit_view',
+	'default_manage_tag_prefix',
+	'default_manage_user_prefix',
+	'default_new_account_access_level',
+	'default_project_view_status',
+	'default_redirect_delay',
+	'default_refresh_delay',
+	'default_reminder_view_status',
+	'default_show_changed',
+	'default_timezone',
+	'delete_bug_threshold',
+	'delete_bugnote_threshold',
+	'delete_project_threshold',
+	'development_team_threshold',
+	'differentiate_duplicates',
+	'disallowed_files',
+	'display_bug_padding',
+	'display_bugnote_padding',
+	'display_project_padding',
+	'download_attachments_threshold',
+	'due_date_update_threshold',
+	'due_date_view_threshold',
+	'email_padding_length',
+	'email_receive_own',
+	'email_separator1',
+	'email_separator2',
+	'enable_email_notification',
+	'enable_eta',
+	'enable_product_build',
+	'enable_profiles',
+	'enable_project_documentation',
+	'enable_projection',
+	'enable_sponsorship',
+	'eta_enum_string',
+	'fallback_language',
+	'favicon_image',
+	'file_upload_max_num',
+	'filter_by_custom_fields',
+	'filter_custom_fields_per_row',
+	'filter_position',
+	'forward_year_count',
+	'from_email', 'from_name',
+	'handle_bug_threshold',
+	'handle_sponsored_bugs_threshold',
+	'hide_status_default',
+	'history_default_visible',
+	'history_order',
+	'hr_size',
+	'hr_width',
+	'html_make_links',
+	'html_valid_tags_single_line',
+	'html_valid_tags',
+	'inline_file_exts',
+	'limit_reporters',
+	'logo_image',
+	'logo_url',
+	'logout_cookie',
+	'logout_redirect_page',
+	'long_process_timeout',
+	'lost_password_feature',
+	'mail_priority',
+	'manage_config_cookie',
+	'manage_configuration_threshold',
+	'manage_custom_fields_threshold',
+	'manage_global_profile_threshold',
+	'manage_news_threshold',
+	'manage_plugin_threshold',
+	'manage_project_threshold',
+	'manage_site_threshold',
+	'manage_user_threshold',
+	'manage_users_cookie',
+	'max_dropdown_length',
+	'max_failed_login_count',
+	'max_file_size',
+	'max_lost_password_in_progress_count',
+	'meta_include_file',
+	'min_refresh_delay',
+	'minimum_sponsorship_amount',
+	'monitor_add_others_bug_threshold',
+	'monitor_bug_threshold',
+	'monitor_delete_others_bug_threshold',
+	'move_bug_threshold',
+	'my_view_boxes_fixed_position',
+	'my_view_bug_count',
+	'news_enabled',
+	'news_limit_method',
+	'news_view_limit_days',
+	'news_view_limit',
+	'normal_date_format',
+	'notify_flags',
+	'notify_new_user_created_threshold_min',
+	'plugins_enabled',
+	'preview_attachments_inline_max_size',
+	'preview_max_height',
+	'preview_max_width',
+	'priority_enum_string',
+	'priority_significant_threshold',
+	'private_bug_threshold',
+	'private_bugnote_threshold',
+	'private_news_threshold',
+	'private_project_threshold',
+	'project_cookie',
+	'project_status_enum_string',
+	'project_user_threshold',
+	'project_view_state_enum_string',
+	'projection_enum_string',
+	'reassign_on_feedback',
+	'reauthentication_expiry',
+	'reauthentication',
+	'recently_visited_count',
+	'relationship_graph_enable',
+	'relationship_graph_fontname',
+	'relationship_graph_fontsize',
+	'relationship_graph_max_depth',
+	'relationship_graph_orientation',
+	'relationship_graph_view_on_click',
+	'reminder_receive_threshold',
+	'reminder_recipients_monitor_bug',
+	'reopen_bug_threshold',
+	'report_bug_threshold',
+	'report_issues_for_unreleased_versions_threshold',
+	'reporter_summary_limit',
+	'reproducibility_enum_string',
+	'resolution_enum_string',
+	'return_path_email',
+	'roadmap_update_threshold',
+	'roadmap_view_threshold',
+	'rss_enabled',
+	'set_bug_sticky_threshold',
+	'set_configuration_threshold',
+	'set_view_status_threshold',
+	'severity_enum_string',
+	'severity_significant_threshold',
+	'short_date_format',
+	'show_assigned_names',
+	'show_avatar_threshold',
+	'show_avatar',
+	'show_bug_project_links',
+	'show_changelog_dates',
+	'show_detailed_errors',
+	'show_footer_menu',
+	'show_log_threshold',
+	'show_memory_usage',
+	'show_monitor_list_threshold',
+	'show_priority_text',
+	'show_product_version',
+	'show_project_menu_bar',
+	'show_queries_count',
+	'show_realname',
+	'show_roadmap_dates',
+	'show_sticky_issues',
+	'show_timer',
+	'show_user_email_threshold',
+	'show_user_realname_threshold',
+	'show_version_dates_threshold',
+	'show_version',
+	'signup_use_captcha',
+	'sort_by_last_name',
+	'sponsor_threshold',
+	'sponsorship_currency',
+	'sponsorship_enum_string',
+	'status_enum_string',
+	'status_legend_position',
+	'status_percentage_legend',
+	'stop_on_errors',
+	'store_reminders',
+	'stored_query_create_shared_threshold',
+	'stored_query_create_threshold',
+	'stored_query_use_threshold',
+	'string_cookie',
+	'subprojects_enabled',
+	'subprojects_inherit_categories',
+	'subprojects_inherit_versions',
+	'summary_category_include_project',
+	'tag_attach_threshold',
+	'tag_create_threshold',
+	'tag_detach_own_threshold',
+	'tag_detach_threshold',
+	'tag_edit_own_threshold',
+	'tag_edit_threshold',
+	'tag_separator',
+	'tag_view_threshold',
+	'time_tracking_edit_threshold',
+	'time_tracking_enabled',
+	'time_tracking_reporting_threshold',
+	'time_tracking_stopwatch',
+	'time_tracking_view_threshold',
+	'time_tracking_with_billing',
+	'time_tracking_without_note',
+	'top_include_page',
+	'update_bug_assign_threshold',
+	'update_bug_status_threshold',
+	'update_bug_threshold',
+	'update_bugnote_threshold',
+	'update_readonly_bug_threshold',
+	'upload_bug_file_threshold',
+	'upload_project_file_threshold',
+	'use_dynamic_filters',
+	'user_login_valid_regex',
+	'validate_email',
+	'version_suffix',
+	'view_all_cookie',
+	'view_attachments_threshold',
+	'view_bug_threshold',
+	'view_changelog_threshold',
+	'view_configuration_threshold',
+	'view_filters',
+	'view_handler_threshold',
+	'view_history_threshold',
+	'view_proj_doc_threshold',
+	'view_sponsorship_details_threshold',
+	'view_sponsorship_total_threshold',
+	'view_state_enum_string',
+	'view_summary_threshold',
+	'webmaster_email',
+	'webmaster_email',
+	'webmaster_email',
+	'webmaster_email',
+	'webmaster_email',
+	'webservice_admin_access_level_threshold',
+	'webservice_error_when_version_not_found',
+	'webservice_eta_enum_default_when_not_found',
+	'webservice_priority_enum_default_when_not_found',
+	'webservice_projection_enum_default_when_not_found',
+	'webservice_readonly_access_level_threshold',
+	'webservice_readwrite_access_level_threshold',
+	'webservice_resolution_enum_default_when_not_found',
+	'webservice_severity_enum_default_when_not_found',
+	'webservice_specify_reporter_on_add_access_level_threshold',
+	'webservice_status_enum_default_when_not_found',
+	'webservice_version_when_not_found',
+	'wiki_enable',
+	'wiki_engine_url',
+	'wiki_engine',
+	'wiki_root_namespace',
+	'window_title',
+	'wrap_in_preformatted_text'
+);
+
 # Temporary variables should not remain defined in global scope
 unset( $t_protocol, $t_host, $t_hosts, $t_port, $t_self, $t_path );
 
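Review bot: five of the names added to $g_public_config_names here were explicitly private in the switch this patch removes from core/config_api.php: bottom_include_page, top_include_page, css_include_file, css_rtl_include_file and meta_include_file. They are server file paths, which is why they were denied, so either drop them from this list or state in the commit message why disclosing them is now acceptable. Also, 'webmaster_email' appears five times in a row near the end of the array and 'from_email', 'from_name' share one line unlike the rest of the one-per-line list; one entry each, sorted, keeps the list reviewable.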
diff --git a/core/config_api.php b/core/config_api.php
index 8cace8c..7b25293 100644
--- a/core/config_api.php
+++ b/core/config_api.php
@@ -677,71 +677,14 @@ function config_eval( $p_value, $p_global = false ) {
 }
 
 /**
- * list of configuration variable which may expose web server details and should not be exposed to users or web services
+ * Check if a configuration variable should not be exposed to users or web services
  *
  * @param string $p_config_var Configuration option.
  * @return boolean
  */
 function config_is_private( $p_config_var ) {
-	switch( $p_config_var ) {
-		case 'hostname':
-		case 'db_username':
-		case 'db_password':
-		case 'database_name':
-		case 'db_schema':
-		case 'db_type':
-		case 'master_crypto_salt':
-		case 'smtp_host':
-		case 'smtp_username':
-		case 'smtp_password':
-		case 'smtp_connection_mode':
-		case 'smtp_port':
-		case 'email_send_using_cronjob':
-		case 'absolute_path':
-		case 'core_path':
-		case 'class_path':
-		case 'library_path':
-		case 'language_path':
-		case 'session_save_path':
-		case 'session_handler':
-		case 'session_validation':
-		case 'global_settings':
-		case 'system_font_folder':
-		case 'phpMailer_method':
-		case 'attachments_file_permissions':
-		case 'file_upload_method':
-		case 'absolute_path_default_upload_folder':
-		case 'ldap_server':
-		case 'plugin_path':
-		case 'ldap_root_dn':
-		case 'ldap_organization':
-		case 'ldap_uid_field':
-		case 'ldap_bind_dn':
-		case 'ldap_bind_passwd':
-		case 'use_ldap_email':
-		case 'ldap_protocol_version':
-		case 'login_method':
-		case 'cookie_path':
-		case 'cookie_domain':
-		case 'bottom_include_page':
-		case 'top_include_page':
-		case 'css_include_file':
-		case 'css_rtl_include_file':
-		case 'meta_include_file':
-		case 'log_level':
-		case 'log_destination':
-		case 'dot_tool':
-		case 'neato_tool':
-			return true;
-
-		# Marked obsolete in 1.3.0dev - keep here to make sure they are not disclosed by soap api.
-		# These can be removed once complete removal from config and db is enforced by upgrade process.
-		case 'file_upload_ftp_server':
-		case 'file_upload_ftp_user':
-		case 'file_upload_ftp_pass':
-			return true;
-	}
+	global $g_public_config_names;
 
-	return false;
+	return !in_array( $p_config_var, $g_public_config_names, true );
 }
 
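Review bot: the new body makes config_is_private only as trustworthy as $g_public_config_names, but this version of the patch does not add 'public_config_names' to $g_global_settings (the config_defaults_inc.php hunk above leaves 'cdn_enabled' as the last entry of that array), so the allow list could be set through the database-backed configuration rather than only via config_inc.php. Adding it to $g_global_settings closes that gap; the strict in_array comparison is the right choice.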
diff --git a/docbook/Admin_Guide/en-US/config/settings.xml b/docbook/Admin_Guide/en-US/config/settings.xml
index 066b0e3..548e8f8 100644
--- a/docbook/Admin_Guide/en-US/config/settings.xml
+++ b/docbook/Admin_Guide/en-US/config/settings.xml
@@ -12,5 +12,11 @@
 				<para>This option contains the list of configuration options that are used to determine if it is allowed for a specific configuration option to be saved to or loaded from the database.  Configuration options that are in the list are considered global only and hence are only configurable via the config_inc.php file and defaulted by config_defaults_inc.php file.</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>$g_public_config_names</term>
+			<listitem>
+				<para>This option contains a list of configuration options that can be queried via SOAP API.</para>
+			</listitem>
+		</varlistentry>
 	</variablelist>
 </section>
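Review bot: the new <para> describes the list but not its effect: with this patch any option absent from $g_public_config_names is reported as private by config_is_private, so an administrator who adds a new option and expects to read it through SOAP has to extend this list. Stating that deny-by-default rule here, next to the existing $g_global_settings entry, avoids a confusing access-denied result later.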
-- 
2.5.4 (Apple Git-61)

fix-20277-3.patch (14,284 bytes)   
From 2962191af12908eefc5432b6362bdbc802951fdd Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Wed, 23 Dec 2015 20:32:10 +0100
Subject: [PATCH] Implement a white list of options that can be accessed via
 SOAP API

Fixes #20277
---
 config_defaults_inc.php                       | 346 +++++++++++++++++++++++++-
 core/config_api.php                           |  63 +----
 docbook/Admin_Guide/en-US/config/settings.xml |   6 +
 3 files changed, 354 insertions(+), 61 deletions(-)

diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index 780fd1f..9be2cb6 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -4262,7 +4262,351 @@ $g_global_settings = array(
 	'class_path','library_path', 'language_path', 'absolute_path_default_upload_folder',
 	'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page',
 	'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url',
-	'cdn_enabled'
+	'cdn_enabled', 'public_config_names'
+);
+
+/**
+ * The following list of configuration options is used to check if it is
+ * allowed to query a specific configuration option via SOAP API.
+ * @global array $g_public_config_names
+ */
+$g_public_config_names = array(
+	'access_levels_enum_string',
+	'action_button_position',
+	'add_bugnote_threshold',
+	'add_profile_threshold',
+	'admin_site_threshold',
+	'allow_account_delete',
+	'allow_anonymous_login',
+	'allow_blank_email',
+	'allow_delete_own_attachments',
+	'allow_download_own_attachments',
+	'allow_file_upload',
+	'allow_freetext_in_profile_fields',
+	'allow_no_category',
+	'allow_permanent_cookie',
+	'allow_reporter_close',
+	'allow_reporter_reopen',
+	'allow_reporter_upload',
+	'allow_signup',
+	'allowed_files',
+	'anonymous_account',
+	'antispam_max_event_count',
+	'antispam_time_window_in_seconds',
+	'assign_sponsored_bugs_threshold',
+	'auto_set_status_to_assigned',
+	'backward_year_count',
+	'bottom_include_page',
+	'bug_assigned_status',
+	'bug_closed_status_threshold',
+	'bug_count_hyperlink_prefix',
+	'bug_duplicate_resolution',
+	'bug_feedback_status',
+	'bug_link_tag',
+	'bug_list_cookie',
+	'bug_readonly_status_threshold',
+	'bug_reminder_threshold',
+	'bug_reopen_resolution',
+	'bug_reopen_status',
+	'bug_resolution_fixed_threshold',
+	'bug_resolution_not_fixed_threshold',
+	'bug_resolved_status_threshold',
+	'bug_revision_drop_threshold',
+	'bug_submit_status',
+	'bugnote_link_tag',
+	'bugnote_order',
+	'bugnote_user_change_view_state_threshold',
+	'bugnote_user_delete_threshold',
+	'bugnote_user_edit_threshold',
+	'calendar_date_format',
+	'calendar_js_date_format',
+	'cdn_enabled',
+	'change_view_status_threshold',
+	'check_mx_record',
+	'complete_date_format',
+	'compress_html',
+	'cookie_prefix',
+	'cookie_time_length',
+	'copyright_statement',
+	'create_permalink_threshold',
+	'create_project_threshold',
+	'create_short_url',
+	'css_include_file',
+	'css_rtl_include_file',
+	'csv_add_bom',
+	'csv_separator',
+	'custom_field_edit_after_create',
+	'custom_field_link_threshold',
+	'custom_field_type_enum_string',
+	'default_bug_additional_info',
+	'default_bug_eta',
+	'default_bug_priority',
+	'default_bug_projection',
+	'default_bug_relationship_clone',
+	'default_bug_relationship',
+	'default_bug_reproducibility',
+	'default_bug_resolution',
+	'default_bug_severity',
+	'default_bug_steps_to_reproduce',
+	'default_bug_view_status',
+	'default_bugnote_order',
+	'default_bugnote_view_status',
+	'default_category_for_moves',
+	'default_email_bugnote_limit',
+	'default_email_on_assigned_minimum_severity',
+	'default_email_on_assigned',
+	'default_email_on_bugnote_minimum_severity',
+	'default_email_on_bugnote',
+	'default_email_on_closed_minimum_severity',
+	'default_email_on_closed',
+	'default_email_on_feedback_minimum_severity',
+	'default_email_on_feedback',
+	'default_email_on_new_minimum_severity',
+	'default_email_on_new',
+	'default_email_on_priority_minimum_severity',
+	'default_email_on_priority',
+	'default_email_on_reopened_minimum_severity',
+	'default_email_on_reopened',
+	'default_email_on_resolved_minimum_severity',
+	'default_email_on_resolved',
+	'default_email_on_status_minimum_severity',
+	'default_email_on_status',
+	'default_home_page',
+	'default_language',
+	'default_limit_view',
+	'default_manage_tag_prefix',
+	'default_manage_user_prefix',
+	'default_new_account_access_level',
+	'default_project_view_status',
+	'default_redirect_delay',
+	'default_refresh_delay',
+	'default_reminder_view_status',
+	'default_show_changed',
+	'default_timezone',
+	'delete_bug_threshold',
+	'delete_bugnote_threshold',
+	'delete_project_threshold',
+	'development_team_threshold',
+	'differentiate_duplicates',
+	'disallowed_files',
+	'display_bug_padding',
+	'display_bugnote_padding',
+	'display_project_padding',
+	'download_attachments_threshold',
+	'due_date_update_threshold',
+	'due_date_view_threshold',
+	'email_padding_length',
+	'email_receive_own',
+	'email_separator1',
+	'email_separator2',
+	'enable_email_notification',
+	'enable_eta',
+	'enable_product_build',
+	'enable_profiles',
+	'enable_project_documentation',
+	'enable_projection',
+	'enable_sponsorship',
+	'eta_enum_string',
+	'fallback_language',
+	'favicon_image',
+	'file_upload_max_num',
+	'filter_by_custom_fields',
+	'filter_custom_fields_per_row',
+	'filter_position',
+	'forward_year_count',
+	'from_email',
+	'from_name',
+	'handle_bug_threshold',
+	'handle_sponsored_bugs_threshold',
+	'hide_status_default',
+	'history_default_visible',
+	'history_order',
+	'hr_size',
+	'hr_width',
+	'html_make_links',
+	'html_valid_tags_single_line',
+	'html_valid_tags',
+	'inline_file_exts',
+	'limit_reporters',
+	'logo_image',
+	'logo_url',
+	'logout_cookie',
+	'logout_redirect_page',
+	'long_process_timeout',
+	'lost_password_feature',
+	'mail_priority',
+	'manage_config_cookie',
+	'manage_configuration_threshold',
+	'manage_custom_fields_threshold',
+	'manage_global_profile_threshold',
+	'manage_news_threshold',
+	'manage_plugin_threshold',
+	'manage_project_threshold',
+	'manage_site_threshold',
+	'manage_user_threshold',
+	'manage_users_cookie',
+	'max_dropdown_length',
+	'max_failed_login_count',
+	'max_file_size',
+	'max_lost_password_in_progress_count',
+	'meta_include_file',
+	'min_refresh_delay',
+	'minimum_sponsorship_amount',
+	'monitor_add_others_bug_threshold',
+	'monitor_bug_threshold',
+	'monitor_delete_others_bug_threshold',
+	'move_bug_threshold',
+	'my_view_boxes_fixed_position',
+	'my_view_bug_count',
+	'news_enabled',
+	'news_limit_method',
+	'news_view_limit_days',
+	'news_view_limit',
+	'normal_date_format',
+	'notify_flags',
+	'notify_new_user_created_threshold_min',
+	'plugins_enabled',
+	'preview_attachments_inline_max_size',
+	'preview_max_height',
+	'preview_max_width',
+	'priority_enum_string',
+	'priority_significant_threshold',
+	'private_bug_threshold',
+	'private_bugnote_threshold',
+	'private_news_threshold',
+	'private_project_threshold',
+	'project_cookie',
+	'project_status_enum_string',
+	'project_user_threshold',
+	'project_view_state_enum_string',
+	'projection_enum_string',
+	'reassign_on_feedback',
+	'reauthentication_expiry',
+	'reauthentication',
+	'recently_visited_count',
+	'relationship_graph_enable',
+	'relationship_graph_fontname',
+	'relationship_graph_fontsize',
+	'relationship_graph_max_depth',
+	'relationship_graph_orientation',
+	'relationship_graph_view_on_click',
+	'reminder_receive_threshold',
+	'reminder_recipients_monitor_bug',
+	'reopen_bug_threshold',
+	'report_bug_threshold',
+	'report_issues_for_unreleased_versions_threshold',
+	'reporter_summary_limit',
+	'reproducibility_enum_string',
+	'resolution_enum_string',
+	'return_path_email',
+	'roadmap_update_threshold',
+	'roadmap_view_threshold',
+	'rss_enabled',
+	'set_bug_sticky_threshold',
+	'set_configuration_threshold',
+	'set_view_status_threshold',
+	'severity_enum_string',
+	'severity_significant_threshold',
+	'short_date_format',
+	'show_assigned_names',
+	'show_avatar_threshold',
+	'show_avatar',
+	'show_bug_project_links',
+	'show_changelog_dates',
+	'show_detailed_errors',
+	'show_footer_menu',
+	'show_log_threshold',
+	'show_memory_usage',
+	'show_monitor_list_threshold',
+	'show_priority_text',
+	'show_product_version',
+	'show_project_menu_bar',
+	'show_queries_count',
+	'show_realname',
+	'show_roadmap_dates',
+	'show_sticky_issues',
+	'show_timer',
+	'show_user_email_threshold',
+	'show_user_realname_threshold',
+	'show_version_dates_threshold',
+	'show_version',
+	'signup_use_captcha',
+	'sort_by_last_name',
+	'sponsor_threshold',
+	'sponsorship_currency',
+	'sponsorship_enum_string',
+	'status_enum_string',
+	'status_legend_position',
+	'status_percentage_legend',
+	'stop_on_errors',
+	'store_reminders',
+	'stored_query_create_shared_threshold',
+	'stored_query_create_threshold',
+	'stored_query_use_threshold',
+	'string_cookie',
+	'subprojects_enabled',
+	'subprojects_inherit_categories',
+	'subprojects_inherit_versions',
+	'summary_category_include_project',
+	'tag_attach_threshold',
+	'tag_create_threshold',
+	'tag_detach_own_threshold',
+	'tag_detach_threshold',
+	'tag_edit_own_threshold',
+	'tag_edit_threshold',
+	'tag_separator',
+	'tag_view_threshold',
+	'time_tracking_edit_threshold',
+	'time_tracking_enabled',
+	'time_tracking_reporting_threshold',
+	'time_tracking_stopwatch',
+	'time_tracking_view_threshold',
+	'time_tracking_with_billing',
+	'time_tracking_without_note',
+	'top_include_page',
+	'update_bug_assign_threshold',
+	'update_bug_status_threshold',
+	'update_bug_threshold',
+	'update_bugnote_threshold',
+	'update_readonly_bug_threshold',
+	'upload_bug_file_threshold',
+	'upload_project_file_threshold',
+	'use_dynamic_filters',
+	'user_login_valid_regex',
+	'validate_email',
+	'version_suffix',
+	'view_all_cookie',
+	'view_attachments_threshold',
+	'view_bug_threshold',
+	'view_changelog_threshold',
+	'view_configuration_threshold',
+	'view_filters',
+	'view_handler_threshold',
+	'view_history_threshold',
+	'view_proj_doc_threshold',
+	'view_sponsorship_details_threshold',
+	'view_sponsorship_total_threshold',
+	'view_state_enum_string',
+	'view_summary_threshold',
+	'webmaster_email',
+	'webservice_admin_access_level_threshold',
+	'webservice_error_when_version_not_found',
+	'webservice_eta_enum_default_when_not_found',
+	'webservice_priority_enum_default_when_not_found',
+	'webservice_projection_enum_default_when_not_found',
+	'webservice_readonly_access_level_threshold',
+	'webservice_readwrite_access_level_threshold',
+	'webservice_resolution_enum_default_when_not_found',
+	'webservice_severity_enum_default_when_not_found',
+	'webservice_specify_reporter_on_add_access_level_threshold',
+	'webservice_status_enum_default_when_not_found',
+	'webservice_version_when_not_found',
+	'wiki_enable',
+	'wiki_engine_url',
+	'wiki_engine',
+	'wiki_root_namespace',
+	'window_title',
+	'wrap_in_preformatted_text'
 );
 
 # Temporary variables should not remain defined in global scope
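Review bot: adding 'public_config_names' to $g_global_settings in this revision closes the database-override gap and the duplicate 'webmaster_email' entries are gone, but bottom_include_page, top_include_page, css_include_file, css_rtl_include_file and meta_include_file are still listed as public even though the config_is_private switch removed in the next hunk classified them as private server paths; that reclassification should be deliberate and explained in the commit message, or reverted.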
diff --git a/core/config_api.php b/core/config_api.php
index 8cace8c..7b25293 100644
--- a/core/config_api.php
+++ b/core/config_api.php
@@ -677,71 +677,14 @@ function config_eval( $p_value, $p_global = false ) {
 }
 
 /**
- * list of configuration variable which may expose web server details and should not be exposed to users or web services
+ * Check if a configuration variable should not be exposed to users or web services
  *
  * @param string $p_config_var Configuration option.
  * @return boolean
  */
 function config_is_private( $p_config_var ) {
-	switch( $p_config_var ) {
-		case 'hostname':
-		case 'db_username':
-		case 'db_password':
-		case 'database_name':
-		case 'db_schema':
-		case 'db_type':
-		case 'master_crypto_salt':
-		case 'smtp_host':
-		case 'smtp_username':
-		case 'smtp_password':
-		case 'smtp_connection_mode':
-		case 'smtp_port':
-		case 'email_send_using_cronjob':
-		case 'absolute_path':
-		case 'core_path':
-		case 'class_path':
-		case 'library_path':
-		case 'language_path':
-		case 'session_save_path':
-		case 'session_handler':
-		case 'session_validation':
-		case 'global_settings':
-		case 'system_font_folder':
-		case 'phpMailer_method':
-		case 'attachments_file_permissions':
-		case 'file_upload_method':
-		case 'absolute_path_default_upload_folder':
-		case 'ldap_server':
-		case 'plugin_path':
-		case 'ldap_root_dn':
-		case 'ldap_organization':
-		case 'ldap_uid_field':
-		case 'ldap_bind_dn':
-		case 'ldap_bind_passwd':
-		case 'use_ldap_email':
-		case 'ldap_protocol_version':
-		case 'login_method':
-		case 'cookie_path':
-		case 'cookie_domain':
-		case 'bottom_include_page':
-		case 'top_include_page':
-		case 'css_include_file':
-		case 'css_rtl_include_file':
-		case 'meta_include_file':
-		case 'log_level':
-		case 'log_destination':
-		case 'dot_tool':
-		case 'neato_tool':
-			return true;
-
-		# Marked obsolete in 1.3.0dev - keep here to make sure they are not disclosed by soap api.
-		# These can be removed once complete removal from config and db is enforced by upgrade process.
-		case 'file_upload_ftp_server':
-		case 'file_upload_ftp_user':
-		case 'file_upload_ftp_pass':
-			return true;
-	}
+	global $g_public_config_names;
 
-	return false;
+	return !in_array( $p_config_var, $g_public_config_names, true );
 }
 
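Review bot: `config_is_private()` now hinges entirely on `$g_public_config_names`, and the hunk has no guard for the case where that global is unset or not an array (for example after a bad override in config_inc.php); in_array() then never returns true (a warning on older PHP, a TypeError on PHP 8), so the function fails closed, but an explicit `if( !is_array( $g_public_config_names ) ) return true;` would make that behaviour intentional rather than incidental. The strict `true` third argument to in_array() is correct and should stay, since it rules out loose string/integer matches. Nit: the rewritten docblock summary should end with a period, as requested earlier in the thread.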
diff --git a/docbook/Admin_Guide/en-US/config/settings.xml b/docbook/Admin_Guide/en-US/config/settings.xml
index 066b0e3..548e8f8 100644
--- a/docbook/Admin_Guide/en-US/config/settings.xml
+++ b/docbook/Admin_Guide/en-US/config/settings.xml
@@ -12,5 +12,11 @@
 				<para>This option contains the list of configuration options that are used to determine if it is allowed for a specific configuration option to be saved to or loaded from the database.  Configuration options that are in the list are considered global only and hence are only configurable via the config_inc.php file and defaulted by config_defaults_inc.php file.</para>
 			</listitem>
 		</varlistentry>
+		<varlistentry>
+			<term>$g_public_config_names</term>
+			<listitem>
+				<para>This option contains a list of configuration options that can be queried via SOAP API.</para>
+			</listitem>
+		</varlistentry>
 	</variablelist>
 </section>
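Review bot: the new `<para>` for `$g_public_config_names` describes the list but not its consequence, which is what an administrator editing it needs to know: every option added here becomes readable by any account meeting `webservice_readonly_access_level_threshold` (and by anonymous users if anonymous access is enabled), and options whose value is an array cannot be returned as a string anyway. One extra sentence along the lines of "Options not in this list are never returned by the SOAP API; add an option only after confirming it reveals nothing about the server configuration." would make the trade-off explicit.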
-- 
2.5.4 (Apple Git-61)

fix-20277-3.patch (14,284 bytes)   

Relationships

related to 0020468 new Create API to let plugins add configs to public_config_names 

Activities

atrol

2015-11-16 17:29

developer   ~0051847

Reminder sent to: dregad, rombert, vboctor

Please have a look at the attached patch.
Especially the missing crypto_master_salt is a major issue IMO.
All instances that are running the current version in a production environment should change crypto_master_salt in config_inc.php.

dregad

2015-11-17 05:34

developer   ~0051852

Thanks atrol. I agree this is a major issue.

I will request a CVE for this; do you have more information about grangeway's involvement? This is to ensure proper credit is given for the finding.

rombert

2015-11-17 05:37

reporter   ~0051853

Patch looks good to me, thanks for preparing it.

atrol

2015-11-17 05:59

developer   ~0051854

Last edited: 2015-11-17 08:15

do you have more information about grangeway's involvement?
Will search later today if I stored the email he sent to us a while ago where he mentioned the issue.
I put it on my Mantis todo list when receiving it, maybe I deleted the email after that. IIRC he had some of the changes also in one of the PR's that he closed.

[Edit]
Found it: http://sourceforge.net/p/mantisbt/mailman/message/32948048/

atrol

2015-11-17 06:04

developer   ~0051855

I will request a CVE for this
Do we need this for beta versions?
My main driver to enter and fix this issue was that we might see an RC quite soon.

dregad

2015-11-17 09:21

developer   ~0051856

I will request a CVE for this
Do we need this for beta versions?

It's not a question of the type of version (alpha/beta/rc), the CVE is needed because the version has been published.

Thanks for the link. I also found it by going through Paul's PRs on Github, he was not fixing as many issues as you did in the attached patch.

vboctor

2015-11-18 04:07

manager   ~0051868

The patch looks good. Looks like you have reviewed the full list of config options and added the ones that don't make sense.

Do we need a simpler patch to associate with the security advisory? One that hides the ones that are security risks? For example 'use_ldap_realname' is not a security risk. Not a big deal, but we don't want the scope to be bigger than the minimum change.

I wonder if we should make a change that makes it less likely to have such issues in the future. For example:

  • Have config_is_public() that elects the configs that should be visible via soap API, rather than the other way around.

  • Have a show_config_via_api('xyz') that is called in config_defaults_inc.php after defining config options to act as a reminder.

Not necessarily great options, but I am wondering if there is a good decoration / annotation that we can use in context to make such slips less likely to happen in the future.

atrol

2015-11-18 04:43

developer   ~0051870

For example 'use_ldap_realname' is not a security risk.

I think it is.
It's a common practice to harden systems in a way that you don't unfold information which is not needed for users, but can help attackers to find a weakness.
e.g. don't provide an easy way to search the web for Mantis instances that are using LDAP by using the SOAP API and checking for use_ldap_realname
I would primarily try to attack such installations as there is 0012957

vboctor

2015-11-18 12:19

manager   ~0051875

Last edited: 2015-11-18 12:19

Makes sense. However, we should note in the advisory that accessing this method required a registered user with access webservice_readonly_access_level_threshold (VIEWER by default). Or anonymous access being enabled which provides the same.

I wonder if the same API can be used to pull any global variable with $g_ prefix. For example, the global variables in the core APIs.

I was thinking that it would be nice to consider moving our configs to json in the future. With that, I wonder if we can have a config definition that has all the meta-data about a config option, e.g. name, type, visibility, regexp/options (for config UI - though ideally we have native UI for our configs).

atrol

2015-12-02 16:23

developer   ~0052000

I wonder if the same API can be used to pull any global variable with $g_ prefix.
It can be used for that.

E.g. you can try to get contents of $g_cache_config
The good thing is that you will get a SOAP fault for most of the affected variables: Error Type: SYSTEM NOTICE, Error Description: Array to string conversion

The bad thing is that someone might implement the array to string conversion for useful functionality without being aware that he will introduce a security issue.
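
The two points raised above, vboctor's suggestion of an explicit allow-list (0020277:0051868) and atrol's observation that the endpoint can reach any $g_ global and that a future array-to-string conversion would turn a SOAP fault into a leak, can be combined in one fail-closed lookup. The PHP below is an added illustration, not MantisBT code; example_config_is_private(), example_api_config_get_string(), the sample option names and the sample values are hypothetical and constructed.

```php
<?php
// Added example, not MantisBT code. A fail-closed, whitelist-based lookup for
// a web-service "get config as string" endpoint. All names and values here are
// hypothetical and constructed for illustration.

// Constructed allow-list: only these option names may leave the server.
$g_public_config_names = array(
	'webmaster_email',
	'window_title',
	'wiki_enable',
	'example_array_option',   // listed on purpose, to show the scalar guard
);

// Constructed option values, including the kinds of globals that must stay private.
$g_webmaster_email      = 'webmaster@example.com';
$g_window_title         = 'Example tracker';
$g_wiki_enable          = false;
$g_example_array_option = array( 'a', 'b' );
$g_crypto_master_salt   = 'CONSTRUCTED-SECRET-NOT-A-REAL-VALUE';
$g_cache_config         = array( 'nested' => array( 'data' => 1 ) );

/**
 * Whitelist check: every name not explicitly listed is private.
 * Fails closed when the whitelist itself is missing or malformed.
 * @param string $p_name Option name without the g_ prefix.
 * @return boolean
 */
function example_config_is_private( $p_name ) {
	global $g_public_config_names;
	if( !is_array( $g_public_config_names ) ) {
		return true;
	}
	return !in_array( $p_name, $g_public_config_names, true );
}

/**
 * API-facing getter. Checks the whitelist before existence, so a caller cannot
 * enumerate private names by telling "denied" apart from "unknown", and refuses
 * non-scalar values, so a later "array to string" convenience cannot widen a leak.
 * @param string $p_name  Option name without the g_ prefix.
 * @param string $p_error Set to a message on failure, null on success.
 * @return string|null
 */
function example_api_config_get_string( $p_name, &$p_error ) {
	$p_error = null;
	// Only plain identifiers are option names; anything else is rejected outright.
	if( !is_string( $p_name ) || !preg_match( '/^[A-Za-z][A-Za-z0-9_]*$/', $p_name ) ) {
		$p_error = 'invalid option name';
		return null;
	}
	if( example_config_is_private( $p_name ) ) {
		$p_error = 'access denied';
		return null;
	}
	$t_global = 'g_' . $p_name;
	if( !array_key_exists( $t_global, $GLOBALS ) ) {
		$p_error = 'unknown option';
		return null;
	}
	$t_value = $GLOBALS[$t_global];
	if( !is_scalar( $t_value ) ) {
		$p_error = 'option is not a string';
		return null;
	}
	return (string)$t_value;   // booleans cast like PHP does: '1' or ''
}

// Demonstration over constructed inputs.
$t_probes = array( 'window_title', 'wiki_enable', 'example_array_option',
	'crypto_master_salt', 'cache_config', 'no_such_option', 'bad name' );
foreach( $t_probes as $t_name ) {
	$t_value = example_api_config_get_string( $t_name, $t_error );
	printf( "%-22s -> %s\n", $t_name,
		$t_error === null ? var_export( $t_value, true ) : 'FAULT: ' . $t_error );
}
```

Answering private and unknown names with the same fault keeps the endpoint from being used to learn which globals exist at all; the is_scalar() check is the second layer atrol's comment argues for, so that whitelisting an array-valued option by mistake still cannot serialise it.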

vboctoradmin

2015-12-02 21:45

administrator   ~0052002

That is why 0020277:0051868 may be a good option where we have to explicitly make config options public rather than the other way around.

vboctor

2015-12-22 03:29

manager   ~0052162

What's the plan with this? Are we going to go with the white listing approach by defining config_is_public() ? @atrol what's your plan for this?

atrol

2015-12-22 18:39

developer   ~0052167

Last edited: 2015-12-22 18:41

I will provide another patch based on a white list approach.
Seems it will be a quite large list.

atrol

2015-12-23 04:12

developer   ~0052170

Reminder sent to: dregad, rombert, vboctor

I would like to be sure that I am on the right track.
I attached config_names.txt which contains about the half of the options for the white list.
Is this what we want?

vboctor

2015-12-23 04:36

manager   ~0052171

@atrol that is what I had in mind. I wonder if it would be better to sort the config options alphabetically, one per line.

dregad

2015-12-23 05:59

developer   ~0052172

Seems it will be a quite large list.

That's the price to pay for having so many different configs...

better to sort the config options alphabetically, one per line

+1, would make maintenance easier

For PHPDoc block, add a short description on first line ending with a '.', e.g.
'List of config options available via Webservice.'

atrol

2015-12-23 14:41

developer   ~0052175

Attached a new patch.

vboctor

2015-12-23 15:01

manager   ~0052177

Looks good. Few comments:

  • 'webmaster_email' is repeated multiple times.
  • 'from_email' and 'from_name' on the same line.
  • Was it possible before to retrieve plugin configs?
  • Why do we treat configs like $g_public_config_names and $g_global_settings as config options? They are really part of the code and not configs. Hence, we shouldn't include them in docbook for settings and not in config_defaults_inc.php. We don't have to fix global settings as part of this, but I wouldn't add public config names as a config setting.

atrol

2015-12-23 15:58

developer   ~0052178

Last edited: 2015-12-23 16:04

  • Was it possible before to retrieve plugin configs?
    It was possible.
    Do we need an API for plugins to extend the white list?

  • Why do we treat configs like $g_public_config_names and $g_global_settings as config options?
    Why not? It allows administrators to add/remove options

BTW, I forgot to add $g_public_config_names to $g_global_settings

Attached new patch.

rombert

2015-12-26 16:53

reporter   ~0052180

Overall I think this looks good. At some point I worried that it will be easy to overlook adding new 'public' configuration options to the whitelist as we create them, but I don't think doing something more elaborate is worth it.
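
rombert's concern that a newly created option can be overlooked when the whitelist is maintained by hand is easiest to address with a check that runs in CI and fails on anything not yet classified. The script below is an added example, not MantisBT tooling; the excerpt standing in for config_defaults_inc.php, both lists, and the example_* function names are constructed for illustration.

```php
<?php
// Added example, not MantisBT tooling: report config options that are neither
// whitelisted for the API nor explicitly recorded as reviewed-private, so a new
// option cannot silently go unclassified. Everything below is constructed.

// Constructed excerpt standing in for config_defaults_inc.php.
$t_defaults_source = <<<'PHP'
$g_window_title            = 'MantisBT';
$g_webmaster_email         = 'webmaster@example.com';
$g_crypto_master_salt      = '';
$g_db_password             = '';
$g_wiki_enable             = OFF;
$g_new_feature_flag        = ON;   // hypothetical option added without review
PHP;

// Options allowed over the web service (constructed subset).
$t_public = array( 'window_title', 'webmaster_email', 'wiki_enable' );

// Options explicitly reviewed and kept private (constructed subset). Recording
// these lets the check tell "decided private" apart from "never looked at".
$t_reviewed_private = array( 'crypto_master_salt', 'db_password' );

/**
 * Extract option names from `$g_name = ...;` assignments in the defaults file.
 * @param string $p_source File contents.
 * @return array Unique option names without the g_ prefix.
 */
function example_extract_config_names( $p_source ) {
	preg_match_all( '/^\s*\$g_([A-Za-z0-9_]+)\s*=/m', $p_source, $t_matches );
	return array_values( array_unique( $t_matches[1] ) );
}

/**
 * Classify every defined option into 'public', 'private', 'unclassified', and
 * 'dangling' (whitelisted but no longer defined, i.e. a rename or removal slip).
 * @return array Bucket name => list of option names.
 */
function example_classify_config_names( $p_defined, $p_public, $p_reviewed_private ) {
	$t_result = array( 'public' => array(), 'private' => array(),
		'unclassified' => array(), 'dangling' => array() );
	foreach( $p_defined as $t_name ) {
		if( in_array( $t_name, $p_public, true ) ) {
			$t_result['public'][] = $t_name;
		} elseif( in_array( $t_name, $p_reviewed_private, true ) ) {
			$t_result['private'][] = $t_name;
		} else {
			$t_result['unclassified'][] = $t_name;
		}
	}
	$t_result['dangling'] = array_values( array_diff( $p_public, $p_defined ) );
	return $t_result;
}

$t_report = example_classify_config_names(
	example_extract_config_names( $t_defaults_source ), $t_public, $t_reviewed_private );
foreach( $t_report as $t_bucket => $t_names ) {
	echo $t_bucket, ': ', ( $t_names ? implode( ', ', $t_names ) : '(none)' ), "\n";
}
// A CI job fails on a non-empty 'unclassified' or 'dangling' bucket.
exit( ( $t_report['unclassified'] || $t_report['dangling'] ) ? 1 : 0 );
```

With a whitelist, a forgotten option is private by default, so the check is about completeness of the review rather than a disclosure; the 'dangling' bucket catches the opposite slip the commit message mentions, an option renamed without touching the list.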

vboctor

2015-12-26 20:08

manager   ~0052183

Looks good. I wonder if we should call the config option 'config_names_public' or 'config_public', so that if we add others in the future, they will be grouped together. e.g. config_names_sensitive or config_names_private or whatever. Don't have a scenario right now, but I have started using this convention some time ago.

Let's go ahead with the next steps on this.

atrol

2015-12-27 06:55

developer   ~0052190

0020277:0051852
@dregad, did you request a CVE?

dregad

2015-12-28 04:30

developer   ~0052192

Not yet, I usually don't until a patch is available, since announcing it on the ML is effectively making the vulnerability public.

If you think 'fix-20277-3.patch' is the final one, I'll go ahead and get the CVE. Let me know.

atrol

2015-12-28 08:43

developer   ~0052195

Last edited: 2015-12-28 08:44

e.g. config_names_sensitive or config_names_private or whatever
I would prefer to have some properties for each of our config options instead of such kind of lists.

So I think 'fix-20277-3.patch' is the final one from my side.

Not sure if this is worth delaying the fix
0020277:0052178

  • Was it possible before to retrieve plugin configs?
    It was possible.
    Do we need an API for plugins to extend the white list?

Keep in mind that I will have limited internet access until next Monday.
It would be fine if you could enhance the commit message and push to master.

dregad

2016-01-02 09:38

developer   ~0052232

Last edited: 2016-01-02 09:40

For the CVE: does the issue only affect 1.3.x? I mean, crypto_master_salt obviously does not exist in 1.2, but the switch from blacklist to whitelist potentially changes the available configs.

Should this be backported?

Do we need an API for plugins to extend the white list?

I think we do, but that can be treated as a separate issue (see 0020468)

atrol

2016-01-02 13:21

developer   ~0052234

Should this be backported?

I am not aware that there is any option in 1.2 accessible via SOAP that decreases security to the same degree as crypto_master_salt did in 1.3.

crypto_master_salt has been introduced to improve security by design, but was completely useless before the patch.
Hiding the other options (see my very first patch for the list) is rather something like security by obscurity.

So I think that a backport to 1.2 is not bad but is not needed.

dregad

2016-01-02 14:33

developer   ~0052235

Reopened to track the CVE request process; will reassign to you once it's done

dregad

2016-01-02 17:05

developer   ~0052237

CVE request http://permalink.gmane.org/gmane.comp.security.oss.general/18479

dregad

2016-01-04 11:07

developer   ~0052241

CVE assignment http://thread.gmane.org/gmane.comp.security.oss.general/18479/focus=18483

Related Changesets

MantisBT: master 7927c275

2015-12-23 09:32

atrol

Committer: dregad


Implement a white list of options accessible via SOAP API

This is a safer approach than the previous blacklist method, which
could potentially allow confidential information disclosure if a config
were added or renamed without a matching change in config_is_private()
function.

Fixes 0020277

Original commit modified: comments and commit message wording.

Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues
0020277
mod - config_defaults_inc.php
mod - core/config_api.php
mod - docbook/Admin_Guide/en-US/config/settings.xml