View Issue Details

ID: 0003660
Project: mantisbt
Category: security
View Status: public
Last Update: 2006-10-09 11:54
Reporter: vboctor
Assigned To: jlatour
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 0.18.2
Summary: 0003660: Ability to execute arbitrary SQL statement if register_globals = ON
Description

file_download.php only initialises the $query variable if the file type is "bug" or "doc"; otherwise it is left uninitialised and executed. This will allow a hacker to execute any query for installations that have register_globals = on in PHP.

http://www.example.com/mantisbt/file_download.php?file_id=0&type=none&query=CREATE%20TABLE%20fff2%20(%20eee2%20VARCHAR(33)%20NOT%20NULL)

This can allow a hacker to delete data from tables, or even drop databases/tables if the mantis db user has such access.

Tags: No tags attached.
Attached Files
file_download_sec.patch (2,100 bytes)   
Index: file_download.php
===================================================================
RCS file: /cvsroot/mantisbt/mantisbt/file_download.php,v
retrieving revision 1.25
diff -u -u -r1.25 file_download.php
--- file_download.php	11 Jan 2004 07:16:06 -0000	1.25
+++ file_download.php	18 Mar 2004 11:43:02 -0000
@@ -25,12 +25,10 @@
 	$f_type		= gpc_get_string( 'type' );
 
 	$c_file_id = (integer)$f_file_id;
-	#access_ensure_project_level( config_get( 'handle_bug_threshold' ) );
-	# @@@ We need a security check here but we need the API to
-	#   get the project_id or bug_id from the file first.
 
 	# we handle the case where the file is attached to a bug
 	# or attached to a project as a project doc.
+	$query = '';
 	switch ( $f_type ) {
 		case 'bug':
 			$t_bug_file_table = config_get( 'mantis_bug_file_table' );
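Review bot: the added `+	$query = '';` closes the register_globals hole by overwriting any request-supplied `$query`, but on its own it only turns the injection into an empty query handed to `db_query( $query )` when `$f_type` matches neither case; the switch only fails closed because of the `default: access_denied();` branch in the next hunk, so the two hunks should be reviewed together. Dropping the `# @@@ We need a security check here` comment is fine only because the check is added further down in this file; the commit message should say so.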
@@ -44,11 +42,29 @@
 				FROM $t_project_file_table
 				WHERE id='$c_file_id'";
 			break;
+		default:
+			access_denied();
 	}
 	$result = db_query( $query );
 	$row = db_fetch_array( $result );
 	extract( $row, EXTR_PREFIX_ALL, 'v' );
 
+	# Check access rights
+	switch ( $f_type ) {
+		case 'bug':
+			if ( ! bug_is_user_reporter( $v_bug_id, auth_get_current_user_id() ) ) {
+				access_ensure_bug_level( config_get( 'view_attachments_threshold' ), $v_bug_id );
+			}
+			break;
+		case 'doc':
+			# Check if project documentation feature is enabled.
+			if ( OFF == config_get( 'enable_project_documentation' ) ) {
+				access_denied();
+			}
+
+			access_ensure_project_level( config_get( 'view_proj_doc_threshold' ), $v_project_id );
+			break;
+	}
 	header( 'Content-type: ' . $v_file_type );
 	header( 'Content-Length: ' . $v_filesize );
 	header( 'Content-Disposition: filename=' . file_get_display_name( $v_filename ) );
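Review bot: both the `+		default:` / `+			access_denied();` branch and the new post-query access checks assume `access_denied()` never returns; if it only renders an error page, execution continues into `db_query( $query )` with an empty string and, in the 'doc' case, into the headers and file output. An explicit `exit;` after each `access_denied()` call would make that intent robust. Separately, nothing handles `db_fetch_array( $result )` returning no row for a `file_id` that does not exist: `extract()` is then called on a non-array and `$v_bug_id` / `$v_project_id` are undefined when the access check runs (and, with register_globals on, request-supplied). A guard such as `if ( false === $row ) { access_denied(); }` before the `extract()` line closes that gap.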
@@ -60,7 +76,7 @@
 			if ( file_exists( $v_diskfile ) ) {
 				readfile( $v_diskfile );
 			}
-		break;
+			break;
 		case FTP:
 			if ( file_exists( $v_diskfile ) ) {
 				readfile( $v_diskfile );
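Review bot: this hunk (and the identical one that follows) only re-indents `break;` and has no functional effect; whitespace-only changes mixed into a security fix make the security-relevant part of the diff harder to audit, so consider moving cosmetic changes to a separate commit.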
@@ -70,7 +86,7 @@
 				file_ftp_disconnect( $ftp );
 				readfile( $v_diskfile );
 			}
-		break;
+			break;
 		default:
 			echo $v_content;
 	}
2004-01.txt (2,830 bytes)   
[Mantis Advisory/2004-01] Various vulnerabilities in Mantis

0. Table of Contents

1. Introduction
2. Summary / Impact analysis
3. Affected versions
4. Workaround / Solution
5. Credit
6. Contact details

1. Introduction

Mantis is an Open Source web-based bug tracking system, written in PHP, which
uses the MySQL database server. It is being actively developed by a small
group of developers, and is considered to be in the beta stage.

2. Summary / Impact analysis

When configured, Mantis allows users to attach files to both bugs and projects.
The script that allows users to download these files contained two
vulnerabilities.

First of all, the script did not check whether the user was allowed to view the
attached files. This made it possible for anyone with an account on the 
installation (or through anonymous access) to view any file uploaded to the 
bug tracker.

Secondly, the script did not properly initialise a variable used to build a 
SQL query. This made it possible for anyone with an account on the 
installation (or again with anonymous access) to execute an arbitrary query, 
under the permissions of the Mantis database user. A malicious user could 
elevate his access to the bug tracker, add, modify or delete any information 
in the bug tracker or (on misconfigured systems) modify or access information
in other databases. However, only installations with 'register_globals' enabled
in PHP are vulnerable to this attack. This option has been disabled by default
since PHP 4.2.0.

3. Affected versions

The following versions are affected:
Mantis 0.18.2
Mantis 0.18.1
Mantis 0.18.0 (including all alpha versions)
Mantis 0.17.5
Mantis 0.17.4a
Mantis 0.17.4
Mantis 0.17.3
Mantis 0.17.2
Mantis 0.17.1
Mantis 0.17.0

4. Workaround / Solution

Mantis 0.18.3 fixes this problem. Users are advised to upgrade to this version
when possible.

The first problem (access to files) can be prevented by not attaching any files
to bugs or projects, or possibly by replacing file_download.php with the version
from Mantis 0.18.3.

The second problem can be prevented by disabling register_globals in PHP (for 
example using a php.ini file in the Mantis directory). Mantis will work fine with
this option disabled.

5. Credit

These vulnerabilities were discovered by Victor Boctor, a member of the Mantis 
development team.

6. Contact details

The latest version of Mantis is always available from:
http://mantisbt.org/

The current version is 0.18.3, which can be downloaded from
http://mantisbt.org/download.php

If you have any questions about this vulnerability, or wish to report
another, you can contact the developers at:
mailto:mantisbt-security@lists.sourceforge.net
This is a private mailing list, read only by a few developers.
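The fail-closed shape of the query construction described in the report and the register_globals workaround from section 4 of the advisory, as an added example that is not MantisBT's own code. `access_denied()`, `config_get()`, `db_query()`, `db_fetch_array()` and `gpc_get_string()` are the Mantis helpers visible in the attached patch; the `mantis_project_file_table` config key and the assumption that `access_denied()` may return are mine.

```php
<?php
# Added example (not MantisBT code). The workaround from the advisory first:
# refuse to serve attachments while register_globals is on, because any variable
# the script forgets to initialise (such as $query below) is then supplied by
# the request. Under Apache/mod_php the same setting can be forced off per
# directory with an .htaccess line:  php_flag register_globals off
if ( ini_get( 'register_globals' ) ) {
	die( 'register_globals is enabled; refusing to serve attachments.' );
}

# Map the request type to a config key through an allow-list. The SQL text is
# built only from this table and an integer-cast id, never from a variable that
# the request could have populated.
function build_file_query( $p_type, $p_file_id ) {
	$t_tables = array(
		'bug' => 'mantis_bug_file_table',
		'doc' => 'mantis_project_file_table',   # assumed config key name
	);
	if ( !isset( $t_tables[$p_type] ) ) {
		return null;                             # unknown type: caller denies
	}
	$t_table   = config_get( $t_tables[$p_type] );
	$c_file_id = (integer)$p_file_id;            # same cast the patch relies on
	return "SELECT * FROM $t_table WHERE id='$c_file_id'";
}

$f_type    = gpc_get_string( 'type' );
$f_file_id = gpc_get_string( 'file_id' );

$query = build_file_query( $f_type, $f_file_id );
if ( null === $query ) {
	access_denied();
	exit;   # do not rely on access_denied() terminating the script
}

$result = db_query( $query );
$row    = db_fetch_array( $result );
if ( false === $row ) {
	access_denied();   # no such file: there is no bug/project id to check
	exit;
}
extract( $row, EXTR_PREFIX_ALL, 'v' );
# ... the per-type access check and the file output continue as in the patch.
```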

Activities

jlatour (reporter) 2004-03-25 08:49 ~0005259

What do you think of this vulnerability?

vboctor (manager) 2004-03-25 16:33 ~0005263

The advisory looks really good. Just two comments:

  • Various vulnerabilities in Mantis -> File download vulnerabilities in Mantis
  • Should the following two links be the same?

The latest version of Mantis is always available from:
http://mantisbt.org/

The current version is 0.18.3, which can be downloaded from
http://mantisbt.org/download.php

  • I assume you will publish this once 0.18.3 is out, right?
  • We should put a copy of this advisory in the manual.

jlatour (reporter) 2004-03-25 20:01 ~0005264

I'm not sure how to proceed. Send this with the announcement? Send it also to bugtraq and such?

Related Changesets

MantisBT: master c5985163

2004-03-18 06:47

jlatour

Fixed security bugs 0003660 (arbitrary SQL statement execution through file_download.php) and 0003661 (file_download.php does not check access)

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@2446 f5dc347c-c33d-0410-90a0-b07cc1902cb9

Affected Issues: 0003660
mod - doc/ChangeLog
mod - file_download.php