First published: Tue Jun 30 2015
In MantisBT, the "Project Documentation" feature can be used to attach files to a project. When this feature is enabled (`$g_enable_project_documentation = ON`) and the threshold to view these files is left at its default value (`$g_view_proj_doc_threshold = ANYBODY`), any registered user in the system can download every such attachment, including those linked to private projects to which the user does not have access. This can be achieved by calling the download script directly and specifying the ID of the file to download, e.g. http://example.com/mantis/file_download.php?file_id=123&type=doc

Affected versions:
- <= 1.2.19
- <= 1.3.0-beta.2

Originally reported on http://seclists.org/oss-sec/2015/q2/791

Upstream patches:
- 1.2.x: http://github.com/mantisbt/mantisbt/commit/f39cf525
- 1.3.x: http://github.com/mantisbt/mantisbt/commit/a4be76d6
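The root cause is that the download check compares the caller's global access level against `view_proj_doc_threshold` without ever consulting the project that owns the requested file. The following is an added model of that authorization decision (not MantisBT's own code); the user, project and file records are constructed sample data, and the numeric levels follow MantisBT's default constants.

```python
# Constructed model of the Project Documentation download check.
# Numeric levels follow MantisBT defaults; all records below are sample data.
ANYBODY, VIEWER, REPORTER, DEVELOPER = 0, 10, 25, 55

VIEW_PROJ_DOC_THRESHOLD = ANYBODY  # the default $g_view_proj_doc_threshold

# Registered users and their global access level (constructed).
USERS = {"alice": REPORTER, "bob": REPORTER}

# Projects: a public one and a private one (constructed).
PROJECTS = {1: {"view_state": "public"}, 2: {"view_state": "private"}}

# Explicit per-project memberships; only members can see a private project.
MEMBERSHIP = {2: {"alice": DEVELOPER}}

# Project Documentation attachments keyed by file_id (constructed).
FILES = {
    7: {"project_id": 1, "name": "release-notes.txt"},
    123: {"project_id": 2, "name": "internal-spec.pdf"},
}


def effective_level(user, project_id):
    """Access level the user holds inside a project; None means no access."""
    if PROJECTS[project_id]["view_state"] == "public":
        return USERS[user]
    return MEMBERSHIP.get(project_id, {}).get(user)


def can_download_vulnerable(user, file_id):
    """Pre-fix logic: threshold checked against the global level only.

    The file's owning project is never looked up, so a threshold of ANYBODY
    lets every registered user fetch any file_id, private projects included.
    """
    return user in USERS and USERS[user] >= VIEW_PROJ_DOC_THRESHOLD


def can_download_fixed(user, file_id):
    """Post-fix logic: resolve the file's project, then evaluate the
    threshold against the level the user actually holds in that project."""
    record = FILES.get(file_id)
    if record is None or user not in USERS:
        return False
    level = effective_level(user, record["project_id"])
    return level is not None and level >= VIEW_PROJ_DOC_THRESHOLD
```

With the default threshold, `bob` (not a member of the private project) passes the vulnerable check for `file_id=123` but is refused by the fixed check, while downloads from the public project continue to work for everyone.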
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/MantisBT | <1.2.20 | 1.2.20 |
| redhat/MantisBT | <1.3.0 | 1.3.0 |
| Mantisbt Mantisbt | <=1.2.19 | |