oss-sec mailing list archives
Re: CVE Request: Information disclosure in MantisBT
From: Damien Regad <dregad () mantisbt org>
Date: Thu, 25 Jun 2015 07:09:35 +0000 (UTC)
<cve-assign@...> writes:

> Use CVE-2015-5059 for the issue in which $g_view_proj_doc_threshold had been ANYBODY but is supposed to be VIEWER.

Thanks for the CVE.

> Is there any related security problem caused by this possible inconsistency in the code:
>
>     define( 'ANYBODY', 0 );
>
>     function access_get_global_level
>         if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
>             return false;
>
>     function access_get_project_level
>         if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
>             return ANYBODY;
>
> In other words, is an unauthenticated client sometimes, but not always, considered to have the ANYBODY access level?

Thanks for bringing this to my attention. At first glance it certainly looks like an inconsistency; I will review the code in detail to determine whether this is intentional or not, and will let you know.

Cheers
Damien
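The quoted question turns on one function reporting an unauthenticated caller's level as bool(false) and the other as int(0) (ANYBODY). The following is an added illustration, not MantisBT code and not part of this thread: it models the two quoted fragments with a hypothetical `$p_authenticated` parameter standing in for `auth_is_user_authenticated()`, and shows which kinds of comparison notice the difference and which do not. The `VIEWER` value of 10 and the level returned for an authenticated user are assumptions for the example only.

```php
<?php
// Added illustration (not MantisBT code): models the two quoted fragments so
// the two return values for an unauthenticated caller can be compared.

define( 'ANYBODY', 0 );
define( 'VIEWER', 10 );   // assumed value for the example

// Hypothetical stand-in for access_get_global_level(): the session state is
// passed in as $p_authenticated instead of calling auth_is_user_authenticated().
function model_global_level( $p_user_id, $p_authenticated ) {
	if( empty( $p_user_id ) && !$p_authenticated ) {
		return false;      // as in the quoted access_get_global_level
	}
	return VIEWER;         // assumed level for an authenticated user
}

// Hypothetical stand-in for access_get_project_level().
function model_project_level( $p_user_id, $p_authenticated ) {
	if( empty( $p_user_id ) && !$p_authenticated ) {
		return ANYBODY;    // as in the quoted access_get_project_level
	}
	return VIEWER;
}

// Run the comparisons a threshold check might perform on the two results
// and report each one, so the effect of loose versus strict comparison is
// visible for an unauthenticated caller (no user id, no session).
function compare_unauthenticated_levels() {
	$t_global  = model_global_level( null, false );
	$t_project = model_project_level( null, false );

	return array(
		'global value'              => var_export( $t_global, true ),
		'project value'             => var_export( $t_project, true ),
		'loose == (global, project)' => $t_global == $t_project,
		'strict === (global, project)' => $t_global === $t_project,
		'global >= ANYBODY'         => $t_global >= ANYBODY,
		'project >= ANYBODY'        => $t_project >= ANYBODY,
		'global >= VIEWER'          => $t_global >= VIEWER,
		'project >= VIEWER'         => $t_project >= VIEWER,
		'global in array(ANYBODY), strict'  => in_array( $t_global, array( ANYBODY ), true ),
		'project in array(ANYBODY), strict' => in_array( $t_project, array( ANYBODY ), true ),
	);
}

foreach( compare_unauthenticated_levels() as $t_check => $t_result ) {
	printf( "%-36s %s\n", $t_check, var_export( $t_result, true ) );
}
```

Run with `php example.php`. Because PHP converts the other operand to bool whenever one side is a bool, the loose `>=` threshold comparisons give the same answer for `false` and for `0`, so a caller written that way behaves identically for both functions. A strict comparison (`===`, or `in_array()` with its third argument set to true) does distinguish them, which is why reviewing how every caller consumes the return value, rather than only the two functions themselves, is the way to settle the question raised above.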