Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <loom.20150625T090750-338@post.gmane.org>
Date: Thu, 25 Jun 2015 07:09:35 +0000 (UTC)
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Information disclosure in MantisBT

 <cve-assign@...> writes:

> Use CVE-2015-5059 for the issue in which $g_view_proj_doc_threshold
> had been ANYBODY but is supposed to be VIEWER.

Thanks for the CVE. 

> Is there any related security problem caused by this possible
> inconsistency in the code:
> 
>   define( 'ANYBODY', 0 );
> 
>   function access_get_global_level
> 
>           if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
>                   return false;
> 
>   function access_get_project_level
> 
>           if( empty( $p_user_id ) && !auth_is_user_authenticated() ) {
>                   return ANYBODY;
> 
> ? In other words, is an unauthenticated client sometimes, but not always,
> considered to have the ANYBODY access level?

Thanks for bringing this to my attention. At first glance it certainly looks
like an inconsistency; I will review the code in detail to determine whether
this is intentional or not, and will let you know.

Cheers
Damien


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.