View Issue Details

ID: 0027361
Project: mantisbt
Category: security
View Status: public
Last Update: 2021-01-21 03:48
Reporter: d3vpoo1
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows
OS: Windows
OS Version: Windows 10
Target Version: 2.24.4
Fixed in Version: 2.24.4
Summary: 0027361: Private category can be accessed/used by a non-member of a private project (IDOR)
Description

This is almost the same as my previous report; however, this one can be triggered when submitting issues. It can be found on bug_report.php, in the category_id parameter.

Steps To Reproduce
  • Fill in the form
  • Open a proxy
  • Edit the value of category_id and set it to the category that you created for a private project
  • Submit it
  • The attacker can now view the private category

Additional Information

I will add more details here if I find other issues (on this endpoint, but with a different parameter).

Tags: No tags attached.

Relationships

related to 0027826 (resolved, dregad): ERROR_CATEGORY_NOT_FOUND_FOR_PROJECT thrown for Category '0'
related to 0027902 (assigned, dregad): Global categories not usable when creating a project

Activities

dregad

2020-11-22 12:54

developer   ~0064678

Bug is confirmed.

An additional check is needed, to ensure that the category is available in the current project hierarchy.

d3vpoo1

2020-12-11 02:03

reporter   ~0064784

Off topic: How do you request a CVE ID? I found an issue in other software. I already submitted one, but they haven't replied for almost a month or two.

dregad

2020-12-13 11:26

developer   ~0064789

How you request a CVE ID ?

https://lmgtfy.app/?q=request+cve

dregad

2020-12-14 03:50

developer   ~0064793

Original report only mentioned that the problem existed in bug_report.php, but in fact it is also present in bug_update.php.

Related Changesets

MantisBT: master a4c4865b

2020-11-22 12:54:01

dregad

Prevent setting category not belonging to project

When retrieving a category for a given project, make sure that it is
available in the project's hierarchy, taking inheritance into account.

Fixes 0027361
Affected Issues
0027361, 0027826
mod - api/soap/mc_api.php

MantisBT: master 889c8d24

2020-12-13 12:06:53

dregad

New API to check category existence within project

Added 2 new functions in Category API: category_exists_in_project() and
category_ensure_exists_in_project.

Improve PHPDoc for category_exists() and category_ensure_exists() to
clearly indicate that they check for a category's existence globally,
unlike the new functions.

Issue 0027361
Affected Issues
0027361, 0027826
mod - api/soap/mc_api.php
mod - core/category_api.php

MantisBT: master 5376d2a2

2020-12-13 12:08:50

dregad

Prevent setting category not belonging to project

When retrieving a category for a given project, make sure that it is
available in the project's hierarchy, taking inheritance into account.

This is a follow-up on commit b77859901050b558bfcd28050cff1599d60e45fa
which only covered bug_report.php, when in fact the same problem was
also present in bug_update.php.

Fixes 0027361
Affected Issues
0027361
mod - bug_update.php

MantisBT: master-2.24 074b3f5d

2021-01-01 11:19:12

dregad

Fix "Category 0 not found" when reporting new issue

By definition, category "0" (no category) does not exist in any project,
but when empty category is allowed ($g_allow_no_category = ON),
category_exists_in_project() should return true.

Regression introduced by a4c4865b2102c2c0bfc53692499514db0b744dc9 in
issue 0027361.

Fixes 0027826
Affected Issues
0027361, 0027826
mod - core/category_api.php
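The check described in this thread (a submitted category_id must be available in the target project's hierarchy, inheritance included) together with the category "0" edge case from the last changeset, as an added PHP example that is not MantisBT's own code. The functions category_usable_in_project() and ensure_category_usable_in_project(), the constructed $categories and $project_parents arrays and the $allow_no_category flag are all assumptions standing in for the real category_exists_in_project(), category_ensure_exists_in_project() and $g_allow_no_category; MantisBT resolves the same data through its database APIs.

```php
<?php
// Added illustration, not MantisBT's own code: validate that a category_id
// submitted with a new or updated issue belongs to the target project or to
// a project it inherits from, instead of trusting the client-supplied value.

// Constructed categories. project_id 0 marks a global category that every
// project may use. Category 0 ("no category") is never stored as a row.
$categories = [
    10 => ['project_id' => 0,   'name' => 'General (global)'],
    11 => ['project_id' => 100, 'name' => 'Parent project category'],
    12 => ['project_id' => 101, 'name' => 'Child project category'],
    13 => ['project_id' => 200, 'name' => 'Private project category'],
];

// Constructed project tree: child project id => list of parent project ids.
// Project 101 inherits from 100; project 200 is a private, standalone project.
$project_parents = [
    101 => [100],
];

// Stands in for the $g_allow_no_category option named in the changeset above.
$allow_no_category = true;

/**
 * Every project id whose categories $project_id may use: the project itself,
 * all of its ancestors (inheritance), and 0 for global categories.
 */
function project_hierarchy_ids(int $project_id, array $project_parents): array
{
    $ids   = [$project_id];
    $seen  = [$project_id => true];
    $queue = [$project_id];
    while ($queue) {
        $current = array_shift($queue);
        foreach ($project_parents[$current] ?? [] as $parent) {
            if (!isset($seen[$parent])) {
                $seen[$parent] = true;
                $ids[]         = $parent;
                $queue[]       = $parent;
            }
        }
    }
    $ids[] = 0;
    return $ids;
}

/**
 * Hypothetical counterpart of category_exists_in_project(): true when
 * $category_id is usable in $project_id. Category 0 exists in no project, so
 * it is accepted only when empty categories are allowed (the regression
 * tracked in 0027826).
 */
function category_usable_in_project(
    int $category_id,
    int $project_id,
    array $categories,
    array $project_parents,
    bool $allow_no_category
): bool {
    if ($category_id === 0) {
        return $allow_no_category;
    }
    if (!isset($categories[$category_id])) {
        return false; // does not exist globally either
    }
    $owner = $categories[$category_id]['project_id'];
    return in_array($owner, project_hierarchy_ids($project_id, $project_parents), true);
}

/**
 * Hypothetical counterpart of category_ensure_exists_in_project(): abort the
 * request instead of silently accepting a category from another project.
 */
function ensure_category_usable_in_project(
    int $category_id,
    int $project_id,
    array $categories,
    array $project_parents,
    bool $allow_no_category
): void {
    if (!category_usable_in_project($category_id, $project_id, $categories, $project_parents, $allow_no_category)) {
        throw new RuntimeException("Category $category_id is not available in project $project_id");
    }
}

// Scenario from the report: the form targets project 101, but the submitted
// category_id was changed to 13, which belongs to private project 200.
$checks = [
    'foreign private category 13 in project 101' => [13, 101],
    'own category 12 in project 101'             => [12, 101],
    'inherited category 11 in project 101'       => [11, 101],
    'global category 10 in project 101'          => [10, 101],
    'no category (0) in project 101'             => [0, 101],
];
foreach ($checks as $label => [$cat, $proj]) {
    $ok = category_usable_in_project($cat, $proj, $categories, $project_parents, $allow_no_category);
    printf("%-45s => %s\n", $label, $ok ? 'allowed' : 'rejected');
}
```

The hierarchy walk is what makes the check correct for sub-projects: a child project must accept its parents' categories and global ones, but never a category owned by an unrelated (here, private) project. Calling the ensure_* variant from both the report and update paths closes the gap noted above for bug_update.php, since bug_report.php alone was not the only entry point.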