73839 2002-08-24  00:28  /90 lines/ Jeroen Latour <jlatour@calaquendi.net>
Imported: 2002-08-24  00:28  by Brevbäraren
External recipient: team@security.debian.org
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1243>
Subject: [Mantis Advisory/2002-07] Bugs in private projects listed on 'View Bugs'
------------------------------------------------------------
[Mantis Advisory/2002-07] Bugs in private projects listed on 'View Bugs'

   0. Table of Contents

     1. Introduction
     2. Summary / Impact analysis
     3. Affected versions
     4. Workaround / Solution
     5. Proof of Vulnerability
     6. Credit
     7. Contact details

   1. Introduction

Mantis is an Open Source web-based bug-tracking system, written in
PHP, which uses the MySQL database server. It is actively developed
by a small group of developers and is considered to be in the beta
stage.

   2. Summary / Impact analysis

Mantis allows administrators to mark certain projects as private.
Access to a private project is restricted to users who have been
explicitly added to that project.

There was a bug in Mantis which caused the 'View Bugs' page to list
bugs from both public and private projects when the user had access
to no projects at all. This has been patched in Mantis 0.17.5.

'View Bugs' lists only a summary of the bugs. This does not include
additional information such as the steps to reproduce the bug and any
bugnotes that may have been added.
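
The failure mode described above, reduced to its essentials as an added
example (not code from the advisory or from Mantis): the project filter
for 'View Bugs' is built from the list of projects the user may see, and
when that list is empty the original code emitted a clause that matched
every bug instead of none. The schema, table names and sample data below
are constructed for the demonstration and do not reflect Mantis' real
database layout.

```python
import sqlite3

# Constructed sample data: two private projects, each with one bug.
# User 100 is a member of project 1 only; user 200 is a member of nothing,
# which is exactly the situation the advisory's proof-of-vulnerability sets up.
SCHEMA = """
CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT, is_private INTEGER);
CREATE TABLE project_user (project_id INTEGER, user_id INTEGER);
CREATE TABLE bug (id INTEGER PRIMARY KEY, project_id INTEGER, summary TEXT);
INSERT INTO project VALUES (1, 'alpha', 1), (2, 'beta', 1);
INSERT INTO project_user VALUES (1, 100);
INSERT INTO bug VALUES (1, 1, 'bug in project 1'), (2, 2, 'bug in project 2');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def accessible_projects(conn, user_id):
    """Projects the user may see: public ones plus private ones they belong to."""
    rows = conn.execute(
        "SELECT id FROM project WHERE is_private = 0 "
        "OR id IN (SELECT project_id FROM project_user WHERE user_id = ?) "
        "ORDER BY id",
        (user_id,),
    ).fetchall()
    return [r[0] for r in rows]


def build_where(project_ids, fail_open):
    """Return (where_clause, params) restricting bugs to the given projects.

    With no accessible projects the pre-0.17.5 code produced 'WHERE 1=1'
    (matches everything); the fix produces 'WHERE 0=1' (matches nothing).
    """
    if not project_ids:
        return (" WHERE 1=1" if fail_open else " WHERE 0=1"), ()
    placeholders = ",".join("?" * len(project_ids))
    return f" WHERE project_id IN ({placeholders})", tuple(project_ids)


def view_bugs(conn, user_id, fail_open=False):
    """Summaries the 'View Bugs' page would show to this user."""
    where, params = build_where(accessible_projects(conn, user_id), fail_open)
    sql = "SELECT summary FROM bug" + where + " ORDER BY id"
    return [r[0] for r in conn.execute(sql, params)]
```

Running `view_bugs(conn, 200, fail_open=True)` reproduces the leak (both
private bugs are listed); with the default fail-closed clause the same user
sees an empty list.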

   3. Affected versions

The following versions are affected:
   Mantis 0.17.4a
   Mantis 0.17.4
   Mantis 0.17.3
   Mantis 0.17.2
   Mantis 0.17.1
   Mantis 0.17.0

   4. Workaround / Solution

Mantis 0.17.5 patches this problem. Users are advised to upgrade to
this version when possible.

If an upgrade is not possible, the following patch (against Mantis
0.17.4a) will close the vulnerability (although uncleanly):

--- mantis-0.17.4a/view_all_bug_page.php        Mon Aug 19 07:18:54 2002
+++ mantis-0.17.5/view_all_bug_page.php Fri Aug 23 11:57:50 2002
@@ -90,7 +90,7 @@
                 $result2 = db_query( $query2 );
                 $project_count = db_num_rows( $result2 );
                 if ( 0 == $project_count ) {
-                       $t_where_clause = " WHERE 1=1";
+                       $t_where_clause = " WHERE 0=1";
                 } else {
                         $t_where_clause = " WHERE (";
                         for ($i=0;$i<$project_count;$i++) {
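Review bot: the `0 == $project_count` branch still issues the bug query, now with a clause (`WHERE 0=1`) guaranteed to match nothing, which is the "unclean" part the advisory itself acknowledges; consider short-circuiting instead (skip the query and render an empty list or an "no accessible projects" message) and leave a comment stating that the empty case must deny by default, so a later edit does not reintroduce the `WHERE 1=1` fail-open behaviour.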


   5. Proof of Vulnerability

Make all projects private, create a user who does not have access to
any of these projects and open the 'View Bugs' page.

   6. Credit

This vulnerability was reported by Diehl Software through our Bug
Tracking System.

   7. Contact details

The latest version of Mantis is always available from:
     http://mantisbt.sourceforge.net/
The current version is 0.17.5, which can be downloaded from
     http://mantisbt.sourceforge.net/download.php3

If you have any questions about this vulnerability, or wish to report
another, you can contact the developers at:
     mantisbt-security@lists.sourceforge.net
This is a private mailing list, readable only by a few developers.

The latest version of this and other advisories can be found at:
     http://mantisbt.sourceforge.net/security.php3
(73839) /Jeroen Latour <jlatour@calaquendi.net>/(Re-wrapped)