
IDProjectCategoryView StatusLast Update
0027369mantisbtsecuritypublic2021-01-09 16:55
Reporterd3vpoo1 Assigned Todregad  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionwon't fix 
PlatformWindowsOSWindowsOS VersionWindows10
Summary0027369: Reporter can set the ETA although the field is not visible in the UI
Description

After enabling the ETA field, the reporter can set the ETA value.

Steps To Reproduce
  • as a reporter, submit an issue

  • open a proxy

  • send the issue

Plain request

POST /mantisbt-2.24.3/bug_report.php?posted=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------28360790916925231732680966577
Content-Length: 2510
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt-2.24.3/bug_report_page.php
Cookie: MANTIS_collapse_settings=|reported:0; MANTIS_secure_session=1; PHPSESSID=efcjp3n8q806abi5uiu7ut9nsn; MANTIS_STRING_COOKIE=pl4_WkLG8sIExzmWIYgL7c09BJ5CczC1k0mXiJCbVNnqxHc6lBg9IHNuqXnSla_9; MANTIS_PROJECT_COOKIE=3
Upgrade-Insecure-Requests: 1

-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="bug_report_token"

202010014vOW1qEAHwxes_vYndpfweieM3YOFd_l
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="m_id"

0
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="project_id"

3
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="category_id"

1
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="reproducibility"

70
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="severity"

50
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="priority"

30
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="platform"

-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="os"

-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="os_build"

-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="product_version"

-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="build"

test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="summary"

test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="description"

test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="steps_to_reproduce"

test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="additional_info"

test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="tag_string"

-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="tag_select"

0
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="max_file_size"

5000000
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="view_state"

10
-----------------------------28360790916925231732680966577--
  • select any non-required field (in my case the os field), rename it to eta and set its value to 20

Exploit request

POST /mantisbt-2.24.3/bug_report.php?posted=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------28360790916925231732680966577
Content-Length: 2510
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt-2.24.3/bug_report_page.php
Cookie: MANTIS_collapse_settings=|reported:0; MANTIS_secure_session=1; PHPSESSID=efcjp3n8q806abi5uiu7ut9nsn; MANTIS_STRING_COOKIE=pl4_WkLG8sIExzmWIYgL7c09BJ5CczC1k0mXiJCbVNnqxHc6lBg9IHNuqXnSla_9; MANTIS_PROJECT_COOKIE=3
Upgrade-Insecure-Requests: 1

-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="bug_report_token"

202010014vOW1qEAHwxes_vYndpfweieM3YOFd_l
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="m_id"

0
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="project_id"

3
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="category_id"

1
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="reproducibility"

70
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="severity"

50
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="priority"

30
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="platform"

-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="eta"

20
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="os_build"

-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="product_version"

-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="build"

test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="summary"

test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="description"

test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="steps_to_reproduce"

test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="additional_info"

test issue no eta
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="tag_string"

-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="tag_select"

0
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="max_file_size"

5000000
-----------------------------28360790916925231732680966577
Content-Disposition: form-data; name="view_state"

10
-----------------------------28360790916925231732680966577--

Exploit response (I only quote the part showing success)

<div class="btn-group">view.php?id=14view_all_bug_page.php</div>
  • refresh the page and the ETA field will show "< 1 day"
Additional Information
  • enable the ETA
TagsNo tags attached.

Activities

d3vpoo1

2020-10-01 03:53

reporter   ~0064515

Last edited: 2020-10-01 04:01

The same thing happens with the projection field.

Update, weird behavior:

  • after trying to edit the version, the report is automatically assigned to admin

I ran diff between the default config and my modified config:

371c371
< $g_signup_use_captcha = OFF;
---
> $g_signup_use_captcha = ON;
405c405
< $g_antispam_max_event_count = 0;
---
> $g_antispam_max_event_count = 10;
1081c1081
< $g_enable_project_documentation = ON;
---
> $g_enable_project_documentation = OFF;
1087c1087
< $g_show_project_menu_bar = ON;
---
> $g_show_project_menu_bar = OFF;
1102c1102
< $g_show_priority_text = ON;
---
> $g_show_priority_text = OFF;
1243c1243
< $g_show_avatar = ON;
---
> $g_show_avatar = OFF;
1364c1364
< $g_news_enabled = ON;
---
> $g_news_enabled = OFF;
1487c1487
< $g_allow_parent_of_unresolved_to_close = ON;
---
> $g_allow_parent_of_unresolved_to_close = OFF;
2027c2027
< $g_reauthentication = OFF;
---
> $g_reauthentication = ON;
2362c2362
< $g_allow_delete_own_attachments = ON;
---
> $g_allow_delete_own_attachments = OFF;
2372c2372
< $g_enable_eta = ON;
---
> $g_enable_eta = OFF;
2378c2378
< $g_enable_projection = ON;
---
> $g_enable_projection = OFF;
2384c2384
< $g_enable_product_build = ON;
---
> $g_enable_product_build = OFF;
2997c2997
< $g_allow_reporter_close        = ON;
---
> $g_allow_reporter_close        = OFF;
3026c3026
< $g_allow_anonymous_login = OFF        ;
---
> $g_allow_anonymous_login = OFF;
dregad

2020-11-22 05:27

developer   ~0064676

The proposed fix would be to only allow updating the fields defined in $g_bug_report_page_fields.

Update weird behavior :
after trying to edit the version the report will automatically assigned to admin

I can't reproduce this. It could be caused by using a category whose default "assigned to" user is set to your admin account.

dregad

2020-12-29 18:49

developer   ~0064863

@vboctor provided the following feedback:

I think often fields are hidden from the UX to simplify the report issue page for users. However, that doesn't mean the submissions from the API should filter this data out. I would fail (rather than filter data from) requests with fields that the user doesn't have access to set, but not based on what is visible in the report page form.

Based on that, I will close this as "won't fix", since what you reported as a security issue is in fact expected behavior.

dregad

2020-12-29 18:55

developer   ~0064864

For the record, attached is the proposed fix that led to this decision.

0001-Only-update-allowed-fields-when-reporting-issues.patch (2,491 bytes)   
From 661c00515842794f56629c1affec195940616784 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sun, 22 Nov 2020 12:03:52 +0100
Subject: [PATCH] Only update allowed fields when reporting issues

Prior to this, users were able to update fields that are not available
in bug_report_page.php ($g_bug_report_page_fields).

Fixes #27369
---
 core/commands/IssueAddCommand.php | 49 +++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/core/commands/IssueAddCommand.php b/core/commands/IssueAddCommand.php
index e3b5e45b9..fe8607259 100644
--- a/core/commands/IssueAddCommand.php
+++ b/core/commands/IssueAddCommand.php
@@ -161,6 +161,10 @@ class IssueAddCommand extends Command {
 				'User does not have access right to report issues',
 				ERROR_ACCESS_DENIED );
 		}
+		
+		# Making sure we're not setting any fields that are not available
+		# due to config settings. 
+		$this->exclude_unavailable_fields( $t_issue );
 
 		$t_handler_id = isset( $t_issue['handler'] ) ? mci_get_user_id( $t_issue['handler'] ) : NO_USER;
 		$t_priority_id = isset( $t_issue['priority'] ) ? mci_get_priority_id( $t_issue['priority'] ) : config_get( 'default_bug_priority' );
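Review bot: The two added lines at the top of the hunk carry trailing whitespace (the blank `+` line holds two tabs, and the comment ends in `settings. `), a style point the project's whitespace checks are likely to flag; trim both. The comment could also name the setting the call enforces, e.g. `# Drop payload fields not enabled by $g_bug_report_page_fields (see exclude_unavailable_fields)`. Because the helper drops fields silently, a caller who submits a disabled field receives a normal success response with no hint that data was discarded; logging the dropped field names through the project's logging API would at least make such submissions visible to an operator. The enclosing method starts before and ends after this hunk.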
@@ -505,5 +509,50 @@ class IssueAddCommand extends Command {
 		}
 		return $t_tag_id;
 	}
+
+	/**
+	 * Remove unavailable fields from the payload.
+	 *
+	 * Remove from the Issue payload the fields that are not available in report
+	 * issue context based on configuration.
+	 * @see $g_bug_report_page_fields
+	 * 
+	 * @param array $t_issue
+	 */
+	private function exclude_unavailable_fields( array &$t_issue ) {
+		$t_available_fields = array_merge(
+			columns_filter_disabled( config_get( 'bug_report_page_fields' ) ),
+			array( 'custom_fields', 'profile' )
+		);
+		
+		foreach( array_keys( $t_issue ) as $t_field ) {
+			# Mapping fields names from payload to config when different
+			switch( $t_field ) {
+				case 'additional_information':
+					$t_field = 'additional_info';
+					break;
+				case 'files':
+					$t_field = 'attachments';
+					break;
+				case 'category':
+					$t_field = 'category_id';
+					break;
+				case 'os_build':
+					$t_field = 'os_version';
+					break;
+				case 'build':
+					$t_field = 'product_build';
+					break;
+				case 'version':
+					$t_field = 'product_version';
+					break;
+			}
+
+			# Remove the field
+			if( !in_array( $t_field, $t_available_fields ) ) {
+				unset( $t_issue[$t_field] );
+			}
+		}
+	}
 }
 
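Review bot: The `unset` at the end of exclude_unavailable_fields uses the remapped name instead of the payload key, so for every key that goes through the switch (`additional_information`, `files`, `category`, `os_build`, `build`, `version`) a disallowed value survives: for a payload key `build` the code unsets `$t_issue['product_build']`, which does not exist, and `$t_issue['build']` stays in the payload. Keep the original key next to the mapped one: `foreach( array_keys( $t_issue ) as $t_key ) {`, then `$t_field = $t_key;` before the switch, and `unset( $t_issue[$t_key] );` at the end. While there, pass `true` as the third argument of `in_array` so the membership test is strict. The allow-list is built from `columns_filter_disabled( config_get( 'bug_report_page_fields' ) )`; whether that helper already removes `eta` and `projection` when `$g_enable_eta` / `$g_enable_projection` are OFF is not visible in the patch and is worth confirming, since ETA is exactly the field this issue is about.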
-- 
2.25.1