oss-sec mailing list archives

CVE Request: information disclosure in MantisBT attachments


From: Damien Regad <dregad () mantisbt org>
Date: Sat, 15 Nov 2014 18:53:41 +0100

Please assign a CVE ID for the following issue.


Description:

MantisBT issue attachments can be downloaded without permission.

Due to an incorrect access check, unprivileged users who correctly guess the download URL can download files from a private project with restricted access to attachments, i.e. where $g_download_attachments_threshold / $g_view_attachments_threshold are set e.g. to 55 (developer), if another project to which they have access does not restrict attachment downloads.

Affected versions:
<= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See GitHub [1]

Credit:
Issue was discovered by Florian Fuchs and fixed by Paul Richards (former MantisBT developer)

References:
Further details available in our issue tracker [2]


D. Regad
MantisBT Developer
http://www.mantisbt.org


[1] http://github.com/mantisbt/mantisbt/commit/5f0b150b
[2] http://www.mantisbt.org/bugs/view.php?id=17742
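A constructed model of the access-check flaw the message describes, added here as an illustration; it is not MantisBT's code and is not taken from the linked commit. The Project/Bug/Attachment classes, the function names, the membership table and the file_download.php query-string handling are assumptions made for the example. The value 55 (developer) comes from the message; 10 (viewer) and 25 (reporter) are MantisBT's conventional access levels and are assumed here.

```python
"""Constructed model of the MantisBT attachment access check described above.

Added illustration, not MantisBT's code: classes, function names and the
query handling are invented.  Access levels follow MantisBT's convention
(55 = developer, named in the advisory; 10 = viewer and 25 = reporter are
assumed here).
"""
from urllib.parse import urlparse, parse_qs

ANYBODY, VIEWER, REPORTER, DEVELOPER = 0, 10, 25, 55


class Project:
    def __init__(self, name, private, download_threshold, members):
        self.name = name
        self.private = private
        # analogue of $g_download_attachments_threshold for this project
        self.download_threshold = download_threshold
        self.members = members  # user -> access level in this project


class Bug:
    def __init__(self, bug_id, project):
        self.bug_id = bug_id
        self.project = project


class Attachment:
    def __init__(self, file_id, bug):
        self.file_id = file_id
        self.bug = bug


def access_level(user, project):
    """Access level a user holds in a project (ANYBODY if not a member)."""
    return project.members.get(user, ANYBODY)


def can_download_vulnerable(user, attachment, current_project):
    """The flawed pattern: the threshold and the user's level are taken from
    the project the user is currently browsing, so the attachment argument
    never influences the decision."""
    return access_level(user, current_project) >= current_project.download_threshold


def can_download_fixed(user, attachment):
    """The corrected pattern: resolve the owning project from the file's
    bug and evaluate both the user's level and the threshold there."""
    owner = attachment.bug.project
    level = access_level(user, owner)
    if owner.private and level == ANYBODY:
        return False  # non-members must not see a private project at all
    return level >= owner.download_threshold


def lookup_attachment(attachments, url):
    """Parse a guessed file_download.php?file_id=N&type=bug URL (assumed shape)."""
    qs = parse_qs(urlparse(url).query)
    if qs.get("type", [""])[0] != "bug":
        return None
    try:
        return attachments.get(int(qs["file_id"][0]))
    except (KeyError, ValueError):
        return None


# Constructed data: a private project allowing only developers to download,
# and a public project that lets any viewer download attachments.
SECRET = Project("secret", private=True, download_threshold=DEVELOPER,
                 members={"alice": 90, "bob": REPORTER})
OPEN = Project("open", private=False, download_threshold=VIEWER,
               members={"bob": REPORTER, "carol": VIEWER})
ATTACHMENTS = {17: Attachment(17, Bug(42, SECRET))}
GUESSED_URL = "http://tracker.example/file_download.php?file_id=17&type=bug"


def demo():
    """Outcome of both checks for a file that lives in the private project."""
    att = lookup_attachment(ATTACHMENTS, GUESSED_URL)
    return {
        # bob browses OPEN and guesses a file id that belongs to SECRET
        "vulnerable_bob_via_open": can_download_vulnerable("bob", att, OPEN),
        "vulnerable_bob_via_secret": can_download_vulnerable("bob", att, SECRET),
        "fixed_bob": can_download_fixed("bob", att),      # reporter < developer
        "fixed_carol": can_download_fixed("carol", att),  # not a member of SECRET
        "fixed_alice": can_download_fixed("alice", att),  # developer or above
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Run as a script to print the five outcomes. The point to take from it is that the vulnerable variant's answer changes with the project the user happens to be browsing, while the fixed variant derives the project from the file itself, so a guessed file_id yields nothing the user could not already reach through the owning project.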
