[Mantis Advisory/2002-02] Limiting output to reporters can be bypassed

[Jeroen Latour <jlatour () calaquendi net>]

[Mantis Advisory/2002-02] Limiting output to reporters can be bypassed

  0. Table of Contents

    1. Introduction
    2. Summary / Impact analysis
    3. Affected versions
    4. Workaround / Solution
    5. Detailed explanation
    6. Contact details

  1. Introduction

Mantis is an Open Source web-based bugtracking system, written in PHP, 
which uses the MySQL database server. It is being actively developed by a 
small group of developers, and is considered to be in the beta stage.

  2. Summary / Impact analysis

It is possible to instruct Mantis to show reporters only the bugs that they 
reported, by setting the limit_reporters option to ON. This will 
automatically set the 'reporter' filter on the 'View Bugs' page.

The information on the 'View Bugs' page was also available in a form 
suitable for printing, by clicking on the 'Print Reports' link on the 'View 
Bugs' page. However this script, print_all_bug_page.php, did not check the 
limit_reporters option and thus allowed reporters to see the summaries of 
bugs they did not report.

This has been fixed in Mantis 0.17.4.

  3. Affected versions

The following versions are known to be affected:
  Mantis 0.17.3
  Mantis 0.17.2
  Mantis 0.17.1
  Mantis 0.17.0
  Mantis 0.16.1
  Mantis 0.16.0

The following versions are known to be unaffected:
  Mantis 0.17.4a
  Mantis 0.17.4
  Any version below Mantis 0.16.0 (*)

* = The 'Print reports' feature did not exist in those versions.

  4. Workaround / Solution

Mantis 0.17.4 adds the appropriate permission checks to the 'Print Reports' 
page.
All users are recommended to upgrade to this version as soon as possible.

If upgrade is not an option, print_all_bug_page.php can be patched to close 
this vulnerability.
The following instructions apply to Mantis 0.17.3, and could apply to 
earlier versions:

  In print_all_bug_page.php, after the block of assignments from 
$t_setting_arr, insert the following lines:
    # Limit reporters to only see their reported bugs
    if (( ON == $g_limit_reporters ) &&
      ( !access_level_check_greater_or_equal( UPDATER  ) )) {
      $f_user_id = get_current_user_field( "id" );
    }

  5. Detailed explanation

No trickery is required to allow a reporter to see the summaries of bugs 
that (s)he did not report. The reporter just has to go to 'View Bugs', 
click on 'Print Reports' and make sure the 'reporter' filter is set to 
anything but his/her own name.

  6. Contact details

The latest version of Mantis is always available from:
    http://mantisbt.sourceforge.net/
The current version is 0.17.4a, which can be downloaded from
    http://mantisbt.sourceforge.net/download.php3

If you have any questions about this vulnerability, or wish to report 
another, you can contact the developers at:
    mailto:mantisbt-security () lists sourceforge net
This is a private mailinglist, readable only by a few developers.

The latest version of this and other advisories can be found at:
    http://mantisbt.sourceforge.net/security.php3