
Mantis Unauthorized Project Bug List Viewing Vulnerability

Solution:
The vendor has included a source code fix:

Add the following function to core_user_API.php:

    # Check to see if the current user has access on the specified project
    function check_access_to_project( $p_project_id ) {
        $t_project_view_state = get_project_field( $p_project_id, 'view_state' );

        # Administrators ALWAYS pass.
        if ( get_current_user_field( 'access_level' ) >= ADMINISTRATOR ) {
            return;
        }

        # public projects accept all users
        if ( PUBLIC == $t_project_view_state ) {
            return;
        } else {
            # private projects require users to be assigned
            $t_project_access_level = get_project_access_level( $p_project_id );
            # -1 means not assigned, kick them out to the project selection screen
            if ( -1 == $t_project_access_level ) {
                print_header_redirect( 'login_select_proj_page.php' );
            } else { # passed
                return;
            }
        }
    }

And in view_all_bug_page.php, replace the following lines:

            $t_where_clause .= ')';
        }
    } else {
        $t_where_clause = " WHERE project_id='$g_project_cookie_val'";
    }
    # end project selection

with the following lines:

            $t_where_clause .= ')';
        }
    } else {
        check_access_to_project( $g_project_cookie_val );
        $t_where_clause = " WHERE project_id='$g_project_cookie_val'";
    }
    # end project selection
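The fix above has one security-relevant shape: the project id that drives the bug list comes from a client-controlled cookie ($g_project_cookie_val), and the patched page calls the access check before that value is used to build the query. The following is an added example, not Mantis code, that models the same decision order (administrator, then public project, then private-project assignment) in Python over constructed in-memory tables, so the patched and unpatched query builders can be compared side by side. The numeric values of ADMINISTRATOR, PUBLIC and PRIVATE, the user and project records, and the function names build_bug_list_query_unpatched, build_bug_list_query and can_list_bugs are assumptions; only the check order and the -1 "not assigned" convention come from the page.

```python
from typing import Dict, Tuple

# Constants named as in the Mantis code on the page; the numeric values are assumptions.
ADMINISTRATOR = 90
PUBLIC = 10
PRIVATE = 50
NOT_ASSIGNED = -1  # the page's get_project_access_level() returns -1 for unassigned users

# Constructed sample data standing in for the Mantis project, user and project-user tables.
PROJECTS: Dict[int, Dict[str, int]] = {
    1: {"view_state": PUBLIC},
    2: {"view_state": PRIVATE},
}
USERS: Dict[str, Dict[str, int]] = {
    "alice": {"access_level": ADMINISTRATOR},
    "bob": {"access_level": 25},
    "eve": {"access_level": 25},
}
# (username, project_id) -> access level granted on that project; absent means not assigned.
PROJECT_USERS: Dict[Tuple[str, int], int] = {
    ("bob", 2): 25,
}


class AccessDenied(Exception):
    """Raised where the Mantis fix calls print_header_redirect('login_select_proj_page.php')."""


def get_project_field(project_id: int, field: str) -> int:
    return PROJECTS[project_id][field]


def get_current_user_field(user: str, field: str) -> int:
    return USERS[user][field]


def get_project_access_level(user: str, project_id: int) -> int:
    return PROJECT_USERS.get((user, project_id), NOT_ASSIGNED)


def check_access_to_project(user: str, project_id: int) -> str:
    """Same decision order as the page's PHP: administrator, then public, then assignment.

    Returns the reason access was granted; raises AccessDenied otherwise.
    """
    if project_id not in PROJECTS:
        # Not in the PHP: an id from the cookie that matches no project is treated as no access
        # rather than letting a lookup failure decide the outcome.
        raise AccessDenied(f"unknown project {project_id!r}")
    if get_current_user_field(user, "access_level") >= ADMINISTRATOR:
        return "administrator"
    if get_project_field(project_id, "view_state") == PUBLIC:
        return "public"
    if get_project_access_level(user, project_id) == NOT_ASSIGNED:
        raise AccessDenied(f"{user} is not assigned to private project {project_id}")
    return "assigned"


def build_bug_list_query_unpatched(project_cookie_val: int) -> Tuple[str, Tuple[int]]:
    """Pre-fix shape: the cookie value selects the project with no authorization check."""
    return ("SELECT * FROM mantis_bug_table WHERE project_id = ?", (project_cookie_val,))


def build_bug_list_query(user: str, project_cookie_val: int) -> Tuple[str, Tuple[int]]:
    """Post-fix shape: the access check runs before the WHERE clause is built."""
    check_access_to_project(user, project_cookie_val)
    return build_bug_list_query_unpatched(project_cookie_val)


def can_list_bugs(user: str, project_cookie_val: int) -> bool:
    """True if the guarded query builder produces a query for this user and cookie value."""
    try:
        build_bug_list_query(user, project_cookie_val)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    for user, project in [("alice", 2), ("eve", 1), ("bob", 2), ("eve", 2), ("eve", 999)]:
        print(f"{user:5} project {project:3}: unpatched always builds the query; "
              f"patched -> {'allowed' if can_list_bugs(user, project) else 'redirect to project selection'}")
```

The unpatched builder never consults the user at all, which is the whole defect: any value placed in the project cookie selects that project's bug list. The query is written with a bound parameter here because that is how the example would be run against a real database; the page's own PHP interpolates the cookie value into the string, which the vendor fix leaves unchanged.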

The vendor has addressed this issue in Mantis 0.17.4 and later:

Mantis Mantis 0.15.3
Mantis Mantis 0.15.4
Mantis Mantis 0.15.5
Mantis Mantis 0.15.6
Mantis Mantis 0.15.7
Mantis Mantis 0.15.8
Mantis Mantis 0.15.9
Mantis Mantis 0.15.10
Mantis Mantis 0.15.11
Mantis Mantis 0.15.12
Mantis Mantis 0.16.0
Mantis Mantis 0.16.1
Mantis Mantis 0.17.0
Mantis Mantis 0.17.1
Mantis Mantis 0.17.2
Mantis Mantis 0.17.3

Copyright 2008, SecurityFocus