View Issue Details
Field | Value
---|---
ID | 0012278
Project | mantisbt
Category | security
View Status | public
Date Submitted | 2010-08-22 22:15
Last Update | 2019-12-03 10:52
Reporter | pklanka
Assigned To |
Priority | normal
Severity | major
Reproducibility | always
Status | acknowledged
Resolution | reopened
Platform | All
OS | All
OS Version | All
Product Version | 1.1.8
Summary | 0012278: User enumeration possible
Description | Any anonymous user can enumerate all the users (userIDs) in Mantis. This information could be used by anonymous users to bruteforce the accounts.
Steps To Reproduce | Access the page view_filters.php from an anonymous account - (e.g. https://mantisbt.org/bugs/view_filters_page.php) and get the list of users in the system.
Tags | No tags attached.
This is intended behavior. Any anonymous user would easily be able to gather user IDs just by looking through the list of issues anyways, so the usefulness of the feature greatly outweighs the potential misuse. Mantis already has an option in place to curb brute force attacks by setting a limit on failed logins, $g_max_failed_login_count.
Agreed! This should be a valid behavior when the anonymous account is able to access the bugs. However, if the anonymous user is configured such that it cannot read the bugs from the system, this vulnerability exposes the sensitive user login information. As a security best practice, it is recommended to protect the user IDs from being exposed in such a scenario - thus avoiding a brute force attack from even the remotest possibility. In addition, information such as this could be used in social engineering scenarios (apart from brute force vulns) in order to extract other sensitive details from the users.
Suggestion:

- Introduce new configuration option
- Change function user_get_name

To avoid social engineering this might still not be enough, for example if someone is aware that user with id 18101 is pklanka.
Unassigned from jreese as he is no longer actively developing.