[Mantis Advisory/2002-07] Bugs in private projects listed on 'View Bugs'

[Jeroen Latour <jlatour () calaquendi net>]

[Mantis Advisory/2002-07] Bugs in private projects listed on 'View Bugs'

  0. Table of Contents

    1. Introduction
    2. Summary / Impact analysis
    3. Affected versions
    4. Workaround / Solution
    5. Proof of Vulnerability
    6. Credit
    7. Contact details

  1. Introduction

Mantis is an Open Source web-based bugtracking system, written in PHP, which
uses the MySQL database server. It is being actively developed by a small
group of developers, and is considered to be in the beta stage.

  2. Summary / Impact analysis

Mantis allows administrators to set certain projects private. This restricts
its access to users who have been explicitly added to that project.

There was a bug in Mantis which caused the 'View Bugs' page to list bugs from
both public and private projects when no projects were accessible to the user.
This has been patched in Mantis 0.17.5.

'View Bugs' lists only a summary of the bugs. This does not include
additional information such as the steps to reproduce the bug and any
bugnotes that may have been added.

  3. Affected versions

The following versions are affected:
  Mantis 0.17.4a
  Mantis 0.17.4
  Mantis 0.17.3
  Mantis 0.17.2
  Mantis 0.17.1
  Mantis 0.17.0

  4. Workaround / Solution

Mantis 0.17.5 patches this problem. Users are suggested to upgrade to this 
version
when possible.

If an upgrade is not possible, the following patch (against Mantis 0.17.4a)
will close the vulnerability (although uncleanly):

--- mantis-0.17.4a/view_all_bug_page.php        Mon Aug 19 07:18:54 2002
+++ mantis-0.17.5/view_all_bug_page.php Fri Aug 23 11:57:50 2002
@@ -90,7 +90,7 @@
                $result2 = db_query( $query2 );
                $project_count = db_num_rows( $result2 );
                if ( 0 == $project_count ) {
-                       $t_where_clause = " WHERE 1=1";
+                       $t_where_clause = " WHERE 0=1";
                } else {
                        $t_where_clause = " WHERE (";
                        for ($i=0;$i<$project_count;$i++) {


  5. Proof of Vulnerability

Make all projects private, create a user who does not have access to any of
these projects and open the 'View Bugs' page.

  6. Credit

This vulnerability was reported by Diehl Software through our Bug Tracking
System.

  7. Contact details

The latest version of Mantis is always available from:
    http://mantisbt.sourceforge.net/
The current version is 0.17.5, which can be downloaded from
    http://mantisbt.sourceforge.net/download.php3

If you have any questions about this vulnerability, or wish to report
another, you can contact the developers at:
    mantisbt-security () lists sourceforge net
This is a private mailinglist, readable only by a few developers.

The latest version of this and other advisories can be found at:
    http://mantisbt.sourceforge.net/security.php3