Mantis vulnerability: bugs can be viewed without passing authorization checks
Date added:
2005-08-13
System ID:
WAVDB-00214
BUGTRAQ: 5563
Affected versions:
Mantis 0.17.4a-0.17.1
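Program description:
Mantis is an open-source, web-based bug tracking system written in PHP with a MySQL back end.
Vulnerability analysis:
Mantis has an implementation flaw that an attacker may be able to use to access bugs he should not have permission to see.
Many Mantis scripts do not check the user's permissions when displaying bug data. A remote attacker can call these scripts directly and, by specifying the bug ID through a CGI parameter, view all data.
Solution:
Temporary workaround:
If you cannot install the patch or upgrade immediately, it is recommended that you take the following measures to reduce the threat: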
diff -u -r mantis-0.17.4a/bug_update_advanced_page.php
mantis-0.17.5/bug_update_advanced_page.php
--- mantis-0.17.4a/bug_update_advanced_page.php Mon May 20 03:34:20 2002
+++ mantis-0.17.5/bug_update_advanced_page.php Fri Aug 23 11:55:52 2002
@@ -26,6 +26,9 @@
$result = db_query( $query );
$row = db_fetch_array( $result );
extract( $row, EXTR_PREFIX_ALL, v );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );
$query = SELECT *
FROM $g_mantis_bug_text_table
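Review bot: on this update form the added access_bug_check( $f_id, $v_view_state ) call only enforces the private-bug view threshold, while the page itself lets the user edit the bug. Confirm that an update-level access check already runs earlier in bug_update_advanced_page.php, and extend the new comment to say that this line covers visibility only.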
diff -u -r mantis-0.17.4a/bug_update_page.php mantis-0.17.5/bug_update_page.php
--- mantis-0.17.4a/bug_update_page.php Mon May 20 03:34:20 2002
+++ mantis-0.17.5/bug_update_page.php Fri Aug 23 11:56:06 2002
@@ -27,6 +27,9 @@
$result = db_query( $query );
$row = db_fetch_array( $result );
extract( $row, EXTR_PREFIX_ALL, v );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );
$query = SELECT *
FROM $g_mantis_bug_text_table
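Review bot: this is the same three-line block pasted by hand into each page script, so the protection is opt-in, and any other script that loads a bug from $f_id without calling access_bug_check() is not covered by this patch. Consider moving the call into the shared code that fetches the bug row so that no caller can skip it.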
diff -u -r mantis-0.17.4a/core_user_API.php mantis-0.17.5/core_user_API.php
--- mantis-0.17.4a/core_user_API.php Sun Aug 18 08:57:20 2002
+++ mantis-0.17.5/core_user_API.php Fri Aug 23 11:52:43 2002
@@ -577,6 +577,23 @@
}
}
# --------------------
+ # check to see if the current user has access to the specified bug.
This assumes that the bug exists and
+ # that the user has access to the project (check_bug_exists() and
project_access_check()).
+ function access_bug_check( $p_bug_id, $p_view_state='' ) {
+ global $g_private_bug_threshold;
+
+ if ( empty ( $p_view_state ) ) {
+ $t_view_state = get_bug_field( $p_bug_id,
'view_state' );
+ } else {
+ $t_view_state = (integer)$p_view_state;
+ }
+
+ # Make sure if the bug is private, the logged in user has
access to it.
+ if ( ( $t_view_state == PRIVATE ) &&
!access_level_check_greater_or_equal( $g_private_bug_threshold ) ) {
+ print_header_redirect( 'logout_page.php' );
+ }
+ }
+ # --------------------
###########################################################################
# User Information API
###########################################################################
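Review bot: in access_bug_check() the denial path is only print_header_redirect( 'logout_page.php' ), and nothing in the hunk stops execution afterwards; unless print_header_redirect() itself exits, the calling page goes on to query and render the private bug after the redirect header is sent. Add an explicit exit after the redirect, or document that the helper terminates the script. Two smaller points: empty( $p_view_state ) also treats a passed value of 0 as missing and triggers the extra get_bug_field() lookup, and sending a logged-in user to logout_page.php for a single denied bug is heavy-handed compared with an access-denied page.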
diff -u -r mantis-0.17.4a/view_bug_advanced_page.php
mantis-0.17.5/view_bug_advanced_page.php
--- mantis-0.17.4a/view_bug_advanced_page.php Mon May 20 03:34:21 2002
+++ mantis-0.17.5/view_bug_advanced_page.php Fri Aug 23 11:56:29 2002
@@ -22,6 +22,9 @@
$result = db_query( $query );
$row = db_fetch_array( $result );
extract( $row, EXTR_PREFIX_ALL, v );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );
$query = SELECT *
FROM $g_mantis_bug_text_table
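Review bot: the second argument $v_view_state only exists if db_fetch_array() returned a row and extract() created it; when it is unset or empty, access_bug_check() takes its empty() branch and looks the field up again through get_bug_field(). The function's own comment says it assumes the bug exists and that project access was checked, so make sure both checks run before this line in view_bug_advanced_page.php.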
diff -u -r mantis-0.17.4a/view_bug_page.php mantis-0.17.5/view_bug_page.php
--- mantis-0.17.4a/view_bug_page.php Mon May 20 03:34:21 2002
+++ mantis-0.17.5/view_bug_page.php Fri Aug 23 11:57:00 2002
@@ -22,6 +22,9 @@
$result = db_query( $query );
$row = db_fetch_array( $result );
extract( $row, EXTR_PREFIX_ALL, v );
+
+ # if bug is private, make sure user can view private bugs
+ access_bug_check( $f_id, $v_view_state );
$query = SELECT *
FROM $g_mantis_bug_text_table
Vendor patch:
Mantis
------
The vendor has released version 0.17.5 to fix this security issue. Download it from the vendor's home page:
http://mantisbt.sourceforge.net/download.php3
Information source:
<*Source: Jeroen Latour (jlatour@calaquendi.net)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=103013249211164&w=2
*>