73839 2002-08-24 00:28 /90 rader/ Jeroen Latour <jlatour@calaquendi.net> Importerad: 2002-08-24 00:28 av Brevbäraren Extern mottagare: team@security.debian.org Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <1243> Ärende: [Mantis Advisory/2002-07] Bugs in private projects listed on 'View Bugs' ------------------------------------------------------------ [Mantis Advisory/2002-07] Bugs in private projects listed on 'View Bugs' 0. Table of Contents 1. Introduction 2. Summary / Impact analysis 3. Affected versions 4. Workaround / Solution 5. Proof of Vulnerability 6. Credit 7. Contact details 1. Introduction Mantis is an Open Source web-based bugtracking system, written in PHP, which uses the MySQL database server. It is being actively developed by a small group of developers, and is considered to be in the beta stage. 2. Summary / Impact analysis Mantis allows administrators to set certain projects private. This restricts its access to users who have been explicitly added to that project. There was a bug in Mantis which caused the 'View Bugs' page to list bugs from both public and private projects when no projects were accessible to the user. This has been patched in Mantis 0.17.5. 'View Bugs' lists only a summary of the bugs. This does not include additional information such as the steps to reproduce the bug and any bugnotes that may have been added. 3. Affected versions The following versions are affected: Mantis 0.17.4a Mantis 0.17.4 Mantis 0.17.3 Mantis 0.17.2 Mantis 0.17.1 Mantis 0.17.0 4. Workaround / Solution Mantis 0.17.5 patches this problem. Users are suggested to upgrade to this version when possible. If an upgrade is not possible, the following patch (against Mantis 0.17.4a) will close the vulnerability (although uncleanly): --- mantis-0.17.4a/view_all_bug_page.php Mon Aug 19 07:18:54 2002 +++ mantis-0.17.5/view_all_bug_page.php Fri Aug 23 11:57:50 2002 @@ -90,7 +90,7 @@ $result2 = db_query( $query2 ); $project_count = db_num_rows( $result2 ); if ( 0 == $project_count ) { - $t_where_clause = " WHERE 1=1"; + $t_where_clause = " WHERE 0=1"; } else { $t_where_clause = " WHERE ("; for ($i=0;$i<$project_count;$i++) { 5. Proof of Vulnerability Make all projects private, create a user who does not have access to any of these projects and open the 'View Bugs' page. 6. Credit This vulnerability was reported by Diehl Software through our Bug Tracking System. 7. Contact details The latest version of Mantis is always available from: http://mantisbt.sourceforge.net/ The current version is 0.17.5, which can be downloaded from http://mantisbt.sourceforge.net/download.php3 If you have any questions about this vulnerability, or wish to report another, you can contact the developers at: mantisbt-security@lists.sourceforge.net This is a private mailinglist, readable only by a few developers. The latest version of this and other advisories can be found at: http://mantisbt.sourceforge.net/security.php3 (73839) /Jeroen Latour <jlatour@calaquendi.net>/(Ombruten)