List: oss-security
Subject: [oss-security] Re: CVE Request: Information disclosure in MantisBT
From: Damien Regad <dregad () mantisbt ! org>
Date: 2015-06-25 7:09:35
Message-ID: loom.20150625T090750-338 () post ! gmane ! org
<cve-assign@...> writes:
> Use CVE-2015-5059 for the issue in which $g_view_proj_doc_threshold
> had been ANYBODY but is supposed to be VIEWER.
Thanks for the CVE.
> Is there any related security problem caused by this possible
> inconsistency in the code:
>
> define( 'ANYBODY', 0 );
>
> function access_get_global_level
>
> if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
> return false;
>
> function access_get_project_level
>
> if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
> return ANYBODY;
>
> ? In other words, is an unauthenticated client sometimes, but not always,
> considered to have the ANYBODY access level?
Thanks for bringing this to my attention. At first glance it certainly looks
like an inconsistency; I will review the code in detail to determine whether
this is intentional or not, and will let you know.
Cheers
Damien
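The quoted snippet raises the question of whether an unauthenticated client is sometimes `false` and sometimes `ANYBODY` (0) depending on which lookup a caller used. The following is an added illustration, not MantisBT's own code: `global_level()`, `project_level()`, `is_authenticated()` and the `$session` array are hypothetical stand-ins that model only the two quoted branches. It shows that the two return conventions agree under PHP's loose `>=` comparison (a bool operand makes PHP compare both sides as booleans, so `false >= 0` and `0 >= 0` are both true) but diverge under a strict `=== false` short-circuit, and how a caller-side normalisation removes the ambiguity so the access decision does not depend on which function was called.

```php
<?php
// Added illustration, not MantisBT code. Models the two quoted branches:
// one lookup returns false for an unauthenticated client, the other ANYBODY.

define('ANYBODY', 0);
define('VIEWER', 10);

// Hypothetical stand-in for auth_is_user_authenticated().
function is_authenticated(array $session): bool {
    return !empty($session['user_id']);
}

// Mirrors the first quoted branch: unauthenticated => false.
function global_level(array $session) {
    if (!is_authenticated($session)) {
        return false;
    }
    return (int) $session['global_level'];
}

// Mirrors the second quoted branch: unauthenticated => ANYBODY (0).
function project_level(array $session) {
    if (!is_authenticated($session)) {
        return ANYBODY;
    }
    return (int) $session['project_level'];
}

// Caller style A: numeric threshold check only.
// PHP compares a bool against an int as booleans, so false and 0 behave alike.
function check_loose($level, int $threshold): bool {
    return $level >= $threshold;
}

// Caller style B: treats false as "no level at all" before comparing.
// Here false and ANYBODY are NOT alike: false is denied outright.
function check_strict($level, int $threshold): bool {
    if ($level === false) {
        return false;
    }
    return $level >= $threshold;
}

// Normalisation: map every "unauthenticated" representation to one value
// before any comparison, so both lookups yield the same decision.
function normalise_level($level): int {
    return ($level === false) ? ANYBODY : (int) $level;
}

function check_normalised($level, int $threshold): bool {
    return normalise_level($level) >= $threshold;
}

$anon = [];                     // constructed: no user_id => unauthenticated

foreach (['global' => global_level($anon), 'project' => project_level($anon)] as $src => $lvl) {
    printf("%-7s loose(ANYBODY)=%d strict(ANYBODY)=%d normalised(ANYBODY)=%d | loose(VIEWER)=%d\n",
        $src,
        check_loose($lvl, ANYBODY),
        check_strict($lvl, ANYBODY),
        check_normalised($lvl, ANYBODY),
        check_loose($lvl, VIEWER));
}
```

With a threshold of `ANYBODY`, the loose and normalised checks grant the anonymous client from both lookups, while the strict check grants it only via `project_level()`; with a threshold of `VIEWER` every variant denies. The review point is therefore not one function versus the other but that every caller must reach the same answer for the same client, which a single normalisation step at the comparison site guarantees regardless of which lookup was used.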