Skip to content
Permalink
Browse files

Prevent cloning private issues by unauthorized users

Using a crafted request on bug_report_page.php (modifying the 'm_id'
parameter), any user with REPORTER access or above is able to view any
private issue's details (summary, description, steps to reproduce,
additional information) when cloning. By checking the 'Copy issue notes'
and 'Copy attachments' checkboxes and completing the clone operation,
this data also becomes public (except private notes).

Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding.

@atrol noted that the same vulnerability also existed in bug_report.php,
although in this case the information disclosure is limited to notes and
attachments (issue data itself does not become accessible).

Added an access level check, so that the operation now fails with an
Access Denied error in both cases.

Fixes #24221, CVE-2018-9839
Prevent cloning private issues by unauthorized users

Using a crafted request on bug_report_page.php (modifying the 'm_id'
parameter), any user with REPORTER access or above is able to view any
private issue's details (summary, description, steps to reproduce,
additional information) when cloning. By checking the 'Copy issue notes'
and 'Copy attachments' checkboxes and completing the clone operation,
this data also becomes public (except private notes).

Added an access level check, so that the operation now fails with an
Access Denied error.

Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding.

Fixes #24221
  • Loading branch information...
dregad committed Apr 25, 2018
1 parent 88913cb commit 1fbcd9bca2f2c77cb61624d36ddee4b3802c38ea
Showing with 7 additions and 0 deletions.
  1. +4 −0 bug_report.php
  2. +3 −0 bug_report_page.php
@@ -69,6 +69,10 @@
if( $f_master_bug_id > 0 ) {
bug_ensure_exists( $f_master_bug_id );
# User can view the master bug
access_ensure_bug_level( config_get( 'view_bug_threshold' ), $f_master_bug_id );
if( bug_is_readonly( $f_master_bug_id ) ) {
error_parameters( $f_master_bug_id );
trigger_error( ERROR_BUG_READ_ONLY_ACTION_DENIED, ERROR );
@@ -89,6 +89,9 @@
trigger_error( ERROR_BUG_READ_ONLY_ACTION_DENIED, ERROR );
}
# User can view the master bug
access_ensure_bug_level( config_get( 'view_bug_threshold' ), $f_master_bug_id );
$t_bug = bug_get( $f_master_bug_id, true );
#@@@ (thraxisp) Note that the master bug is cloned into the same project as the master, independent of

0 comments on commit 1fbcd9b

Please sign in to comment.
You can’t perform that action at this time.