Date: Thu, 25 Jun 2015 07:09:35 +0000 (UTC)
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Information disclosure in MantisBT

 <cve-assign@...> writes:

> Use CVE-2015-5059 for the issue in which $g_view_proj_doc_threshold
> had been ANYBODY but is supposed to be VIEWER.

Thanks for the CVE. 

> Is there any related security problem caused by this possible
> inconsistency in the code:
> 
>   define( 'ANYBODY', 0 );
> 
>   function access_get_global_level
> 
>           if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
>                   return false;
> 
>   function access_get_project_level
> 
>           if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
>                   return ANYBODY;
> 
> ? In other words, is an unauthenticated client sometimes, but not always,
> considered to have the ANYBODY access level?

Thanks for bringing this to my attention. At first glance it certainly looks
like an inconsistency; I will review the code in detail to determine whether
this is intentional or not, and will let you know.

Cheers
Damien
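An added illustration of the question raised above, not code from this thread or from MantisBT itself: the two quoted early-return paths are modelled as written, an unauthenticated caller is simulated with a global flag instead of a session, and each returned value is run through a hypothetical "level >= threshold" helper in both PHP's loose and a type-guarded form. The VIEWER value of 10 and both helper functions are assumptions for the example; only ANYBODY = 0 and the two early returns come from the quoted message.

```php
<?php
// Added example (not MantisBT code). ANYBODY = 0 is quoted in the thread;
// VIEWER = 10 is assumed; the threshold helpers below are hypothetical.

define( 'ANYBODY', 0 );
define( 'VIEWER', 10 );   // assumption, stands in for the real constant

// Stand-in for auth_is_user_authenticated(): driven by a global so the
// example runs offline with no session at all.
$g_authenticated = false;
function auth_is_user_authenticated() {
    global $g_authenticated;
    return $g_authenticated;
}

// Mirrors the quoted early return in access_get_global_level.
function access_get_global_level( $p_user_id = null ) {
    if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
        return false;
    }
    return VIEWER; // placeholder for the real lookup, not exercised here
}

// Mirrors the quoted early return in access_get_project_level.
function access_get_project_level( $p_project_id = null, $p_user_id = null ) {
    if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
        return ANYBODY;
    }
    return VIEWER; // placeholder for the real lookup, not exercised here
}

// Hypothetical threshold check relying on PHP's loose comparison:
// a bool compared with an int converts the int to bool first, so
// false >= 0 is true while false >= 10 is false.
function loose_meets_threshold( $t_level, $p_threshold ) {
    return $t_level >= $p_threshold;
}

// Same check with an explicit guard: a non-integer level never passes.
function strict_meets_threshold( $t_level, $p_threshold ) {
    if( !is_int( $t_level ) ) {
        return false;
    }
    return $t_level >= $p_threshold;
}

$t_thresholds = array( 'ANYBODY' => ANYBODY, 'VIEWER' => VIEWER );
foreach( $t_thresholds as $t_name => $t_threshold ) {
    $t_global  = access_get_global_level();
    $t_project = access_get_project_level();
    printf(
        "threshold %-7s global=%s loose=%s strict=%s | project=%s loose=%s strict=%s\n",
        $t_name,
        var_export( $t_global, true ),
        var_export( loose_meets_threshold( $t_global, $t_threshold ), true ),
        var_export( strict_meets_threshold( $t_global, $t_threshold ), true ),
        var_export( $t_project, true ),
        var_export( loose_meets_threshold( $t_project, $t_threshold ), true ),
        var_export( strict_meets_threshold( $t_project, $t_threshold ), true )
    );
}
```

Run with `php example.php`. The point it makes: under loose comparison the two return values behave the same against both thresholds (an unauthenticated caller passes ANYBODY and fails VIEWER either way), but under the type-guarded check `false` is rejected even for an ANYBODY threshold while `0` is accepted. Whether MantisBT's real callers compare loosely or strictly is exactly what Damien says he will review, so this only shows where the inconsistency could matter, not that it does.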

