CVE-2026-34579
Authorization Bypass in MantisBT via Private Issue Monitoring
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mantisbt | mantis_bug_tracker | < 2.28.2 (2.28.2 excluded) |
| mantisbt | mantis_bug_tracker | 2.28.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
Mantis Bug Tracker (MantisBT) versions 2.28.1 and earlier have an authorization bypass vulnerability related to the private issue monitoring feature.
A user with project-level access can send a specially crafted POST request to the bug_monitor_add.php script to add themselves as a monitor for a private issue they are not authorized to access.
Although the application shows an Access Denied error, it still processes the request and creates a monitor relationship for the private issue.
While direct access to the private issue remains blocked, the unauthorized user will receive email notifications about updates to that private issue, which leads to disclosure of the issue's metadata and content.
This vulnerability was fixed in MantisBT version 2.28.2.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of private issue information.
An attacker with project-level access can monitor private issues they should not see, receiving email notifications that reveal sensitive metadata and content.
Although the attacker cannot directly access the private issue through the application, the leaked email notifications can expose confidential information.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Mantis Bug Tracker to version 2.28.2 or later, where the issue has been fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized users with project-level access to monitor private issues and receive email notifications containing metadata and content of those private issues. Although direct access to the private issue remains blocked, the disclosure of private information via email notifications could lead to unauthorized exposure of sensitive data.
Such unauthorized disclosure of private information may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to and disclosure of personal or sensitive information. Organizations using affected versions of MantisBT might face increased risk of non-compliance due to this information leakage.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an authorization bypass through crafted POST requests to the bug_monitor_add.php endpoint in Mantis Bug Tracker versions 2.28.1 and prior. Detection involves monitoring for unusual or unauthorized POST requests to this endpoint where users add themselves as monitors to private issues they should not have access to.
To detect exploitation attempts on your system or network, you can inspect web server logs or use network monitoring tools to identify POST requests to bug_monitor_add.php with suspicious parameters or originating from users with limited project-level access.
Example commands to detect such activity might include:
- Search web server access logs for POST requests to bug_monitor_add.php: `grep 'POST /bug_monitor_add.php' /var/log/apache2/access.log`
- Narrow the same search to requests carrying suspicious parameters (adjust the pattern as needed; note that a standard access log records only the request line, not the POST body, so form fields such as the issue id will not appear there): `grep 'POST /bug_monitor_add.php' /var/log/apache2/access.log | grep 'monitor_add'`
- Capture HTTP POST requests to bug_monitor_add.php on the wire with tcpdump (the filter keeps only TCP segments that carry payload) or Wireshark; this only works for plain HTTP on port 80, since TLS traffic cannot be inspected this way: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /bug_monitor_add.php'`
Note that these commands are generic and should be adapted to your environment, log locations, and monitoring tools. Additionally, reviewing user activity logs within MantisBT for unexpected monitor additions to private issues can help detect exploitation.
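The grep-style check above, carried a step further as an added example (not code from the advisory or from the MantisBT project): a small Python scanner that parses combined-format access log lines, keeps the POSTs to bug_monitor_add.php, and flags clients sweeping the endpoint. The sample log lines, IP addresses and referers are constructed for the example, and the burst threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Combined log format (Apache "combined" / Nginx default). The sample lines
# below are constructed for this example; addresses and timestamps are made up.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)
TARGET = "/bug_monitor_add.php"   # endpoint named in the advisory

SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2026:10:01:02 +0000] "POST /bug_monitor_add.php HTTP/1.1" 200 3120 "https://tracker.example/view.php?id=1412" "Mozilla/5.0"
203.0.113.7 - - [19/May/2026:10:01:05 +0000] "POST /bug_monitor_add.php HTTP/1.1" 200 3118 "https://tracker.example/view.php?id=1413" "Mozilla/5.0"
198.51.100.20 - - [19/May/2026:10:02:11 +0000] "GET /view.php?id=1412 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
203.0.113.7 - - [19/May/2026:10:02:30 +0000] "POST /bug_monitor_add.php HTTP/1.1" 200 3121 "https://tracker.example/view.php?id=1414" "Mozilla/5.0"
198.51.100.20 - - [19/May/2026:10:03:00 +0000] "POST /bug_update.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def monitor_add_requests(lines):
    """POST requests whose path (query string ignored) ends in bug_monitor_add.php,
    so installations under a sub-path such as /mantis/ are matched too."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].split("?", 1)[0].endswith(TARGET):
            hits.append(e)
    return hits

def flag_bursts(entries, threshold=3):
    """Client IPs issuing at least `threshold` monitor-add POSTs (assumed threshold);
    a sweep across many issues is what abuse of this endpoint looks like in the log."""
    counts = Counter(e["ip"] for e in entries)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    hits = monitor_add_requests(SAMPLE_LOG.splitlines())
    for e in hits:
        # The POST body (the issue id) is not in the access log; the Referer is only
        # a client-supplied hint of which issue page the form was submitted from.
        print(e["ts"], e["ip"], e["status"], "referer:", e["referer"])
    print("bursts:", flag_bursts(hits))
```

Because the access log cannot show which issue was targeted, confirm a flagged client by checking the monitor lists of private issues inside MantisBT for users who should not have access to them.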