Date: Thu, 25 Jun 2015 07:09:35 +0000 (UTC)
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Information disclosure in MantisBT

<cve-assign@...> writes:

> Use CVE-2015-5059 for the issue in which $g_view_proj_doc_threshold
> had been ANYBODY but is supposed to be VIEWER.

Thanks for the CVE.

> Is there any related security problem caused by this possible
> inconsistency in the code:
> 
>   define( 'ANYBODY', 0 );
> 
>   function access_get_global_level
> 
>           if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
>                   return false;
> 
>   function access_get_project_level
> 
>           if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
>                   return ANYBODY;
> 
> ? In other words, is an unauthenticated client sometimes, but not always,
> considered to have the ANYBODY access level?

Thanks for bringing this to my attention. At first glance it certainly looks
like an inconsistency; I will review the code in detail to determine whether
this is intentional or not, and will let you know.

Cheers
Damien
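An added illustration of the point raised in the quoted question above (this is example code written for this page, not MantisBT's own access layer): in PHP, a level of `false` and a level of `ANYBODY` (0) behave the same in the loose `>=` threshold comparisons an access check typically performs, and differ only where the code is strict about type. The `VIEWER` value and the `has_level_*` helpers are assumptions made for the example; the `ANYBODY` definition and the two return values are taken from the quoted snippet.

```php
<?php
// Added example, not MantisBT code. ANYBODY and the two return values
// mirror the snippet quoted in the thread; VIEWER's value and the helper
// functions are assumptions made for this illustration.
define( 'ANYBODY', 0 );
define( 'VIEWER', 10 );

// Hypothetical stand-ins for the two quoted functions, reduced to the
// unauthenticated-user branch: one returns false, the other ANYBODY.
function global_level_unauthenticated() { return false; }
function project_level_unauthenticated() { return ANYBODY; }

// Loose threshold check of the kind an access layer usually performs.
function has_level_loose( $p_level, $p_threshold ) {
    return $p_level >= $p_threshold;
}

// Strict variant: anything that is not an integer level means no access.
function has_level_strict( $p_level, $p_threshold ) {
    return is_int( $p_level ) && $p_level >= $p_threshold;
}

$t_cases = [
    'global (false)'    => global_level_unauthenticated(),
    'project (ANYBODY)' => project_level_unauthenticated(),
];

foreach ( $t_cases as $t_name => $t_level ) {
    printf( "%-18s level=%s\n", $t_name, var_export( $t_level, true ) );

    // Threshold VIEWER: both refused. PHP compares bool against int as
    // bool, so false >= 10 is false >= true (false); 0 >= 10 is false.
    printf( "  loose  >= VIEWER : %s\n",
        var_export( has_level_loose( $t_level, VIEWER ), true ) );

    // Threshold ANYBODY: both accepted. false >= 0 becomes
    // false >= false (true); 0 >= 0 is true.
    printf( "  loose  >= ANYBODY: %s\n",
        var_export( has_level_loose( $t_level, ANYBODY ), true ) );

    // The two return values only diverge under type-strict handling.
    printf( "  strict >= ANYBODY: %s\n",
        var_export( has_level_strict( $t_level, ANYBODY ), true ) );
    printf( "  === ANYBODY      : %s\n",
        var_export( $t_level === ANYBODY, true ) );
}
```

Run with `php example.php`. The loose checks print the same result for both branches (refused at `VIEWER`, accepted at `ANYBODY`), while `has_level_strict` and `===` accept only the integer `ANYBODY`; which of these the real code does at each call site is exactly what the quoted question asks, and the example does not settle it.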

