
List:       oss-security
Subject:    [oss-security] Re: CVE Request: Information disclosure in MantisBT
From:       Damien Regad <dregad@mantisbt.org>
Date:       2015-06-25 7:09:35
Message-ID: loom.20150625T090750-338@post.gmane.org

 <cve-assign@...> writes:

> Use CVE-2015-5059 for the issue in which $g_view_proj_doc_threshold
> had been ANYBODY but is supposed to be VIEWER.

Thanks for the CVE. 

> Is there any related security problem caused by this possible
> inconsistency in the code:
> 
>   define( 'ANYBODY', 0 );
> 
>   function access_get_global_level
> 
>           if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
>                   return false;
> 
>   function access_get_project_level
> 
>           if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
>                   return ANYBODY;
> 
> ? In other words, is an unauthenticated client sometimes, but not always,
> considered to have the ANYBODY access level?

Thanks for bringing this to my attention. At first glance it certainly looks
like an inconsistency; I will review the code in detail to determine whether
this is intentional or not, and will let you know.

Cheers
Damien
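
An added illustration of the inconsistency raised in the quoted question, written for this page and not taken from MantisBT or from either poster: it reduces the two quoted functions to their unauthenticated branch (the helper names, the VIEWER value of 10 and the `$level >= $threshold` check are assumptions made here, not MantisBT's actual code) and shows where PHP treats a `false` return and an `ANYBODY` (0) return the same, and where it does not.

```php
<?php
// Added example, not MantisBT code. Models the two quoted return paths for an
// unauthenticated client and compares how each behaves against a threshold.

define( 'ANYBODY', 0 );
define( 'VIEWER', 10 );   // assumed value, used only for illustration

// Hypothetical stand-in for the unauthenticated branch of the quoted
// access_get_global_level(): returns false.
function global_level_unauthenticated() {
    return false;
}

// Hypothetical stand-in for the unauthenticated branch of the quoted
// access_get_project_level(): returns ANYBODY.
function project_level_unauthenticated() {
    return ANYBODY;
}

// A loose threshold check in the common `$level >= $threshold` style
// (assumed here; MantisBT's own comparison helper is not shown on this page).
function meets_threshold_loose( $level, $threshold ) {
    return $level >= $threshold;
}

// A strict equality check against a specific access level.
function is_exactly_level( $level, $wanted ) {
    return $level === $wanted;
}

// Loose comparison: PHP converts both operands to bool when either side is a
// bool, so `false >= 0` becomes `false >= false` and `false >= 10` becomes
// `false >= true`. Compare the two return paths across both thresholds.
foreach ( array( ANYBODY, VIEWER ) as $threshold ) {
    printf( "threshold %d: global=%s project=%s\n",
        $threshold,
        var_export( meets_threshold_loose( global_level_unauthenticated(), $threshold ), true ),
        var_export( meets_threshold_loose( project_level_unauthenticated(), $threshold ), true ) );
}

// Strict comparison and type-sensitive lookups: here the two paths diverge,
// because `false === 0` is never true and in_array() with strict mode does not
// match false against an integer.
printf( "global === ANYBODY:  %s\n",
    var_export( is_exactly_level( global_level_unauthenticated(), ANYBODY ), true ) );
printf( "project === ANYBODY: %s\n",
    var_export( is_exactly_level( project_level_unauthenticated(), ANYBODY ), true ) );
printf( "global in strict ANYBODY list:  %s\n",
    var_export( in_array( global_level_unauthenticated(), array( ANYBODY ), true ), true ) );
printf( "project in strict ANYBODY list: %s\n",
    var_export( in_array( project_level_unauthenticated(), array( ANYBODY ), true ), true ) );
```

Run with `php example.php`. Under PHP's loose comparison rules (either operand a bool: both sides are cast to bool, with false < true) the `false` return and the `ANYBODY` return give the same answer for every `>=` threshold test: both pass a threshold of ANYBODY and both fail a threshold of VIEWER. The difference only surfaces in strict (`===`) comparisons, strict `in_array()` lookups and similar type-sensitive code, where `false` is not ANYBODY. So whether the quoted inconsistency is exploitable depends on how callers consume the return value, which is exactly the review Damien says he will do.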

