View Issue Details

| Field | Value |
|---|---|
| ID | 0027268 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2020-09-09 20:43 |
| Last Update | 2020-11-05 11:33 |
| Reporter | d3vpoo1 |
| Assigned To | dregad |
| Priority | high |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | Windows |
| OS | Windows |
| OS Version | Windows 10 |
| Target Version | 2.24.3 |
| Fixed in Version | 2.24.3 |
| Summary | 0027268: Admin can get issues assigned to users not allowed to handle them |
| Description | The endpoint http://<HOST>/manage_proj_cat_edit_page.php?id=1&project_id=1 allows the admin to set the category's "assigned to" user to a non-admin/non-manager via the assigned_to parameter. |
| Steps To Reproduce | Request: `manage_proj_cat_update_token=<SOME-TOKEN>&project_id=1&category_id=1&name=General&assigned_to=<VULNERABLE>` Response: EDIT (dregad): Moved HTML of success page to attachment. |
| Additional Information | In the images, the default selection is just admin/manager. |
| Tags | No tags attached. |
| Attached Files | |
Bug confirmed, thanks for the report.

Are you guys assigning CVE for this one?

Considering it's a rather minor bug without significant consequences (being an issue's handler does not give that user any special access to the issue), I was not planning to, no.
MantisBT: master-2.24 dd86c9c0 2020-09-20 06:24

Prevent assignment of categories to non-handler users

manage_proj_cat_update.php did not perform the necessary checks on the provided user id (assigned_to parameter), allowing users with an access level below handle_bug_threshold to be assigned to a category, and subsequently to bugs created in that category. Also added a check to ensure the provided user id is valid. As suggested by @atrol, the checks are performed in Category API.

Fixes 0027268

Affected Issues: 0027268

mod - core/category_api.php
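The commit above describes the two checks the fix adds in the Category API: the submitted assigned_to id must name an existing user, and that user must meet the project's handle_bug_threshold. The following Python model, added here as an illustration and not code from MantisBT, puts the unchecked update (the pre-fix behaviour) beside the checked one and feeds both a form body shaped like the request in the report. The project access table and the request token are constructed for the example; the numeric access levels and the default threshold (DEVELOPER) are MantisBT's own defaults.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# MantisBT's numeric access levels (its default constants).
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90

# Constructed project access table for this example: user id -> access level.
PROJECT_USERS = {
    1: ADMINISTRATOR,
    2: MANAGER,
    3: DEVELOPER,
    4: REPORTER,
}

HANDLE_BUG_THRESHOLD = DEVELOPER  # MantisBT's default handle_bug_threshold
NO_USER = 0                        # MantisBT stores 0 for "no default handler"


@dataclass
class Category:
    category_id: int
    name: str
    assigned_to: int = NO_USER


class CategoryUpdateError(ValueError):
    """Raised when the submitted assigned_to value fails validation."""


def category_update_unchecked(category: Category, name: str, assigned_to: int) -> Category:
    """Pre-fix behaviour: whatever id the form carried is stored as-is."""
    category.name = name
    category.assigned_to = assigned_to
    return category


def category_update_checked(category: Category, name: str, assigned_to: int,
                            users=PROJECT_USERS, threshold=HANDLE_BUG_THRESHOLD) -> Category:
    """Post-fix behaviour: the user must exist and meet handle_bug_threshold."""
    if assigned_to != NO_USER:
        if assigned_to not in users:
            raise CategoryUpdateError(f"user id {assigned_to} not found")
        if users[assigned_to] < threshold:
            raise CategoryUpdateError(
                f"user id {assigned_to} has access level {users[assigned_to]}, "
                f"below handle_bug_threshold {threshold}")
    category.name = name
    category.assigned_to = assigned_to
    return category


def handle_update_request(body: str, category: Category, checked: bool = True) -> Category:
    """Parse a form body like the one in the report and apply the update."""
    fields = parse_qs(body, keep_blank_values=True)
    name = fields.get("name", [""])[0]
    try:
        assigned_to = int(fields.get("assigned_to", [str(NO_USER)])[0])
    except ValueError:
        raise CategoryUpdateError("assigned_to is not an integer") from None
    updater = category_update_checked if checked else category_update_unchecked
    return updater(category, name, assigned_to)


# Constructed request body mirroring the shape quoted in the report (token is a placeholder).
REQUEST_TEMPLATE = ("manage_proj_cat_update_token=PLACEHOLDER-TOKEN&project_id=1"
                    "&category_id=1&name=General&assigned_to={uid}")


def outcome(uid: int, checked: bool = True) -> str:
    """Return 'accepted:<uid>' or 'rejected:<reason>' for a submitted assigned_to."""
    try:
        cat = handle_update_request(REQUEST_TEMPLATE.format(uid=uid),
                                    Category(1, "General"), checked)
        return f"accepted:{cat.assigned_to}"
    except CategoryUpdateError as err:
        return f"rejected:{err}"


if __name__ == "__main__":
    for uid in (2, 3, 4, 99):
        print(f"unchecked uid={uid}: {outcome(uid, checked=False)}")
        print(f"checked   uid={uid}: {outcome(uid, checked=True)}")
```

Running it shows the reporter id (4) and a non-existent id (99) accepted by the unchecked path and rejected by the checked one, while manager (2) and developer (3) pass both; the threshold comparison is what keeps the category's default handler inside the set of users the project already lets handle bugs.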