View Issue Details

ID: 0032981
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-10-14 12:28
Reporter: PR_CSO
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.25.7
Target Version: 2.25.8
Fixed in Version: 2.25.8
Summary: 0032981: CVE-2023-44394: Information Leakage on DokuWiki Integration
Description

When an integration between mantisbt and dokuwiki is active, given a valid (may be self registered) user without any permission on any project, by visiting the page /mantisbt/wiki.php?type=project&id=<n> a 302 redirection occurs to /dokuwiki/doku.php?id=mantis:<Project Name>

Since the project id is an auto-increment, this value can be easily guessed/brute forced.
As the user doesn't have any permission on projects, the name of each project should not be shown (in some cases it can disclose the names of customers of a software supplier).
Doing a rapid brute force from 1 to 1000 it was possible, during my tests, to retrieve the entire list of projects/customers.

Additional Information

GitHub security advisory
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-v642-mh27-8j6m

Tags: No tags attached.
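The enumeration pattern described in the report, seen from the defender's side, as an added example that is not part of the original report or of MantisBT: it scans web-server access logs for clients that received a 302 from wiki.php?type=project for many distinct project ids. The combined log format, the sample lines and the threshold of 5 distinct ids are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = "\n".join(
    [f'198.51.100.7 - - [02/Oct/2023:10:00:{n:02d} +0000] '
     f'"GET /mantisbt/wiki.php?type=project&id={n} HTTP/1.1" 302 0'
     for n in range(1, 9)]
    + ['192.0.2.10 - - [02/Oct/2023:10:01:00 +0000] '
       '"GET /mantisbt/wiki.php?type=project&id=3 HTTP/1.1" 302 0',
       '192.0.2.10 - - [02/Oct/2023:10:02:00 +0000] '
       '"GET /mantisbt/wiki.php?type=project&id=3 HTTP/1.1" 302 0',
       '192.0.2.10 - - [02/Oct/2023:10:03:00 +0000] '
       '"GET /mantisbt/view.php?id=42 HTTP/1.1" 200 5120',
       '198.51.100.7 - - [02/Oct/2023:10:04:00 +0000] '
       '"GET /mantisbt/wiki.php?type=project&id=9 HTTP/1.1" 403 0'])

# client, request target and status code from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3}) ')


def redirected_project_ids(log_text):
    """Map each client to the set of project ids for which wiki.php answered 302."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if not url.path.endswith("/wiki.php") or query.get("type") != ["project"]:
            continue
        ids = query.get("id", [])
        # Only a redirect carries the project name in its Location header.
        if status == "302" and len(ids) == 1 and ids[0].isdigit():
            seen[client].add(int(ids[0]))
    return dict(seen)


def enumeration_suspects(log_text, min_ids=5):
    """Clients redirected for at least min_ids distinct project ids."""
    return {client: sorted(ids)
            for client, ids in redirected_project_ids(log_text).items()
            if len(ids) >= min_ids}


if __name__ == "__main__":
    print(enumeration_suspects(SAMPLE_LOG))
```

Counting distinct ids rather than raw requests keeps a user who repeatedly opens the wiki of one project out of the result.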

Activities

dregad

2023-10-02 11:34

developer   ~0068163

Problem confirmed.

An access denied error should be displayed instead of redirecting.

dregad

2023-10-03 04:28

developer   ~0068166

@PR_CSO I'm going to open a security advisory on Github for this and get a CVE assigned. Let me know if you would like to be credited for the finding, and if so, how you want your name to appear.

dregad

2023-10-03 06:46

developer   ~0068168

@PR_CSO If you let me know your GitHub account, I can add you to the Advisory, so you can review and test the fix.

PR_CSO

2023-10-03 07:33

reporter   ~0068170

My github username is jeky--
I am not interested in any credits on the CVE.

Thanks

dregad

2023-10-03 11:43

developer   ~0068171

I added you (jeky--) as collaborator on the advisory, you should have received a notification.

I'll push the fix ASAP - hopefully later tonight.

dregad

2023-10-08 05:43

developer   ~0068191

CVE-2023-44394 assigned.

@PR_CSO testing and feedback on the patch would be appreciated (here, or preferably in the pull request)

dregad

2023-10-14 12:17

developer   ~0068203

GitHub advisory published

Related Changesets

MantisBT: master-2.25 65c44883

2023-10-14 12:09

dregad

Committer: community


Merge pull request from GHSA-v642-mh27-8j6m

Due to insufficient access-level checks on the Wiki redirection page,
any user could reveal private Projects' names, by accessing wiki.php
with sequentially incremented IDs.

Fixes 0032981, CVE-2023-44394
Affected Issues
0032981
mod - wiki.php