tags 669925 +patch thanks Hi,
Attached you'll find a possible patch for CVE-2012-1120. Description: Fix for CVE-2012-1120: Delete_bug_threshold/bugnote_allow_user_edit_delete access check bypass Bug-Mantis: http://www.mantisbt.org/bugs/view.php?id=13656 Bug-Debian: http://bugs.debian.org/669925 Origin: https://github.com/mantisbt/mantisbt/commit/df7782a65e96aa1c9639a7625a658102134c7fe0 https://github.com/mantisbt/mantisbt/commit/9d3f5783e6e0a4faf4fae13c769c9bfd45bf063c Last-Update: 2012-04-21 Note: Needs some testing! Regards, -- Dario Minnucci <mid...@debian.org> Phone: +34 902884117 | Fax: +34 902024417 | Support: +34 807450000 Key fingerprint = BAA1 7AAF B21D 6567 D457 D67D A82F BB83 F3D5 7033
Description: Fix for CVE-2012-1120: Delete_bug_threshold/bugnote_allow_user_edit_delete access check bypass
Bug-Mantis: http://www.mantisbt.org/bugs/view.php?id=13656
Bug-Debian: http://bugs.debian.org/669925
Origin: https://github.com/mantisbt/mantisbt/commit/df7782a65e96aa1c9639a7625a658102134c7fe0 https://github.com/mantisbt/mantisbt/commit/9d3f5783e6e0a4faf4fae13c769c9bfd45bf063c
Last-Update: 2012-04-21
Index: mantis/api/soap/mc_issue_api.php
===================================================================
--- mantis.orig/api/soap/mc_issue_api.php	2012-04-21 22:16:58.748666486 +0200
+++ mantis/api/soap/mc_issue_api.php	2012-04-21 22:58:28.251905275 +0200
@@ -729,6 +729,10 @@
 		return new soap_fault( 'Client', '', 'Access Denied' );
 	}
 
+	if ( !access_has_bug_level( config_get( 'delete_bug_threshold' ), $p_issue_id, $t_user_id ) ) {
+		return mci_soap_fault_access_denied( $t_user_id );
+	}
+
 	return bug_delete( $p_issue_id );
 }
 
@@ -806,6 +810,15 @@
 		return new soap_fault( 'Client', '', 'Access Denied' );
 	}
 
+	$t_reporter_id = bugnote_get_field( $p_issue_note_id, 'reporter_id' );
+
+	// mirrors check from bugnote_delete.php
+	if ( ( $t_user_id != $t_reporter_id ) || ( OFF == config_get( 'bugnote_allow_user_edit_delete' ) ) ) {
+		if ( !access_has_bugnote_level( config_get( 'delete_bugnote_threshold' ), $p_issue_note_id ) ) {
+			return mci_soap_fault_access_denied( $t_user_id );
+		}
+	}
+
 	return bugnote_delete( $p_issue_note_id );
 }
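Review bot: The threshold in the new check is read as `config_get( 'delete_bug_threshold' )` with no project argument, so if config_get resolves against the caller's current project rather than the bug's project, a per-project override of delete_bug_threshold would not apply on this SOAP path even though it does in the web UI; reading it for the bug's project, `config_get( 'delete_bug_threshold', null, $t_user_id, bug_get_field( $p_issue_id, 'project_id' ) )`, keeps the two decisions aligned. The hunk also leaves the function with two fault styles: the context line returns `new soap_fault( 'Client', '', 'Access Denied' )` while the new branch returns `mci_soap_fault_access_denied( $t_user_id )`, and unifying on the helper would be cleaner. The same project-less config_get appears in the second hunk for delete_bugnote_threshold. The enclosing function starts before this hunk.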
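Review bot: The new bugnote check calls `access_has_bugnote_level( config_get( 'delete_bugnote_threshold' ), $p_issue_note_id )` without passing `$t_user_id`, whereas the bug-delete hunk above passes it to access_has_bug_level explicitly; unless the SOAP login has already installed that user as the current user, the level is evaluated for whatever user the global state holds rather than the authenticated caller. Passing it explicitly, `access_has_bugnote_level( config_get( 'delete_bugnote_threshold' ), $p_issue_note_id, $t_user_id )`, removes that dependency and matches the first hunk. The reporter comparison `$t_user_id != $t_reporter_id` is loose and relies on bugnote_get_field's return type; casting both sides, `(int)$t_user_id !== (int)$t_reporter_id`, states the intent. The enclosing function starts before this hunk.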