Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 24 Jun 2015 22:45:18 -0400 (EDT)
From: cve-assign@...re.org
To: dregad@...tisbt.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Information disclosure in MantisBT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> When this feature is enabled ($g_enable_project_documentation = ON) and
> the threshold to view these files is left to its default value
> ($g_view_proj_doc_threshold = ANYBODY), any registered user in the
> system can download every such attachment, including those which are
> linked to private projects to which the user does not have access.
> 
> This can be achieved by calling the download script directly, and
> specifying the ID of the file to download, e.g.
> 
> http://example.com/mantis/file_download.php?file_id=123&type=doc
> 
> https://mantisbt.org/bugs/view.php?id=19873
> 
> http://github.com/mantisbt/mantisbt/commit/f39cf5251953b468e9d921e1cf2aca3abdb00772
> http://github.com/mantisbt/mantisbt/commit/a4be76d6e5c4939545d84712c79d3f8f4a108c4f

Use CVE-2015-5059 for the issue in which $g_view_proj_doc_threshold
had been ANYBODY but is supposed to be VIEWER.

Is there any related security problem caused by this possible
inconsistency in the code:

  define( 'ANYBODY', 0 );

  function access_get_global_level

          if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
                  return false;


  function access_get_project_level

          if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
                  return ANYBODY;

? In other words, is an unauthenticated client sometimes, but not always,
considered to have the ANYBODY access level?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVi2qwAAoJEKllVAevmvmsW7QH/1SeDa13+jKIqpyOpac5eBgc
Hnq2byG7ZzJ3vKmEkgRUbfCsvcU27f2f+6XrbnCFliulxe8X1kr3bem45rionhvt
L+2AhEUkH9a0t8kHvbske+rASAXmuaYH39FLeipF8WHt0C9QBbLbm7m5WaRSz4G6
1SaLgTI634qPviFc9ClI7/EgDfAj/Dzm+W9e5T+A+QcOyWcyZRXc1+4wqfkwq4R3
JpcC67tNIdQaMt5dBJ8UenfMbcVfmt7M7509dK+kKV4qLNhSCwrM9c06n7D0JFmt
c9R5dWILE28lE9A6JUeNolNfas6OhKN7TFJLgdchcMoSXIv1CpU+PIBgm7qJ/Bc=
=gKYK
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ