Prevent cloning private issues by unauthorized users

Using a crafted request on bug_report_page.php (modifying the 'm_id' parameter), any user with REPORTER access or above is able to view any private issue's details (summary, description, steps to reproduce, additional information) when cloning. By checking the 'Copy issue notes' and 'Copy attachments' checkboxes and completing the clone operation, this data also becomes public (except private notes). Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding. @atrol noted that the same vulnerability also existed in bug_report.php, although in this case the information disclosure is limited to notes and attachments (issue data itself does not become accessible). Added an access level check, so that the operation now fails with an Access Denied error in both cases. Backported from 1fbcd9b Fixes #24365, CVE-2018-9839
mantisbt · Apr 25, 2018 · 5cbf97f · 5cbf97f
1 parent 6ad90df
commit 5cbf97f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/bug_report.php b/bug_report.php
@@ -82,6 +82,10 @@
 $f_master_bug_id = gpc_get_int( 'm_id', 0 );
 if( $f_master_bug_id > 0 ) {
 	bug_ensure_exists( $f_master_bug_id );
+
+	# User can view the master bug
+	access_ensure_bug_level( config_get( 'view_bug_threshold' ), $f_master_bug_id );
+
 	if( bug_is_readonly( $f_master_bug_id ) ) {
 		error_parameters( $f_master_bug_id );
 		trigger_error( ERROR_BUG_READ_ONLY_ACTION_DENIED, ERROR );

diff --git a/bug_report_page.php b/bug_report_page.php
@@ -89,6 +89,9 @@
 		trigger_error( ERROR_BUG_READ_ONLY_ACTION_DENIED, ERROR );
 	}
 
+	# User can view the master bug
+	access_ensure_bug_level( config_get( 'view_bug_threshold' ), $f_master_bug_id );
+
 	$t_bug = bug_get( $f_master_bug_id, true );
 
 	#@@@ (thraxisp) Note that the master bug is cloned into the same project as the master, independent of