View Issue Details

ID: 0027262
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-12-30 08:33
Reporter: d3vpoo1
Assigned To: dregad
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: duplicate
Platform: Windows
OS: Windows
OS Version: Windows 10
Product Version: 2.24.2
Summary0027262: Private files can be downloaded by attacker
Description

Though this issue seems to be intended functionality, an attacker can abuse it to view/download private files, because the id is guessable (increment_id).

Steps To Reproduce
  1. Create an admin account.

  2. Go to notes and upload an image with a note (make sure the image/file is private).

  3. As the attacker (reporter account), go to http://localhost/mantisbt2/file_download.php?file_id=<FUZZ_ID>&type=bug, where FUZZ_ID is the id of the private file.

  4. The attacker successfully downloads the other files as well as the private files.

Additional Information

I tested this issue with viewer permission and it seems that the endpoint validates that case.

TagsNo tags attached.
Attached Files
admin_private_file.png (7,020 bytes)
reporter_download.png (23,070 bytes)
viewer.png (14,080 bytes)

Relationships

duplicate of 0027039 closeddregad CVE-2020-25781: Access to private bug note attachments 
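The steps above describe an insecure direct object reference: the attachment id is sequential, but the real defect is that the download endpoint authorizes only the parent bug and never the private bugnote the file belongs to. The following is an added example, not MantisBT code and not the reporter's: it models that missing object-level check with constructed data. The access levels, the thresholds (viewers refused from downloading, as the report observes; private bugnotes visible from developer upward), the bug/bugnote/attachment records and the function names are all assumptions made for illustration.

```python
"""Added illustration of the missing object-level authorization check.
Not MantisBT code: levels, thresholds, records and names are constructed."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed access levels, ascending in privilege (assumption).
VIEWER, REPORTER, DEVELOPER, ADMINISTRATOR = 10, 25, 55, 90

# Assumed thresholds: viewers cannot download attachments at all (matches the
# report's observation), and only developers and above may see private notes.
DOWNLOAD_THRESHOLD = REPORTER
PRIVATE_BUGNOTE_THRESHOLD = DEVELOPER


@dataclass
class Bugnote:
    bug_id: int
    private: bool


@dataclass
class Attachment:
    bug_id: int
    bugnote_id: Optional[int]  # None when the file is attached to the bug itself
    content: bytes


# Constructed sample data: one public note, one private admin note with an image.
BUGNOTES: Dict[int, Bugnote] = {
    1: Bugnote(bug_id=100, private=False),
    2: Bugnote(bug_id=100, private=True),
}
ATTACHMENTS: Dict[int, Attachment] = {
    1: Attachment(bug_id=100, bugnote_id=None, content=b"public-file"),
    2: Attachment(bug_id=100, bugnote_id=2, content=b"admin_private_file.png"),
}


def can_download_from_bug(user_level: int, bug_id: int) -> bool:
    """Simplified bug-level check: any member above the download threshold."""
    return user_level >= DOWNLOAD_THRESHOLD


def vulnerable_download(file_id: int, user_level: int) -> Optional[bytes]:
    """Authorizes only the parent bug, so a reporter who guesses file_id
    receives a private bugnote's attachment."""
    att = ATTACHMENTS.get(file_id)
    if att is None or not can_download_from_bug(user_level, att.bug_id):
        return None
    return att.content


def hardened_download(file_id: int, user_level: int) -> Optional[bytes]:
    """Additionally authorizes the owning bugnote; a private note's file
    needs the private-bugnote threshold. Dangling references fail closed."""
    att = ATTACHMENTS.get(file_id)
    if att is None or not can_download_from_bug(user_level, att.bug_id):
        return None
    if att.bugnote_id is not None:
        note = BUGNOTES.get(att.bugnote_id)
        if note is None:
            return None
        if note.private and user_level < PRIVATE_BUGNOTE_THRESHOLD:
            return None
    return att.content


def enumerate_ids(download: Callable[[int, int], Optional[bytes]],
                  user_level: int, max_id: int = 5) -> List[int]:
    """Mimics the FUZZ_ID walk from the report: ids that yield content."""
    return [i for i in range(1, max_id + 1) if download(i, user_level) is not None]


if __name__ == "__main__":
    print("vulnerable, reporter:", enumerate_ids(vulnerable_download, REPORTER))
    print("hardened, reporter:  ", enumerate_ids(hardened_download, REPORTER))
    print("hardened, developer: ", enumerate_ids(hardened_download, DEVELOPER))
    print("vulnerable, viewer:  ", enumerate_ids(vulnerable_download, VIEWER))
```

Running the block shows the reporter walking ids 1 and 2 against the vulnerable handler but only id 1 against the hardened one, while a developer still gets both and a viewer gets nothing from either, which is the behaviour the report describes. Making ids unguessable would not be a fix on its own; the check on the owning bugnote is what closes the hole.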

Activities

dregad

2020-09-09 04:12

developer   ~0064386

Thanks for your report. This issue has been reported previously (0027039), but as that issue is private you do not currently have access to it.
I'm resolving this as duplicate.