
Mantis Print Reports Limit Reporters Option Bypass Vulnerability

Mantis is a web-based bug tracking system. It is written in PHP and back-ended by a MySQL database.

Mantis is prone to an issue which may allow malicious users of the bug tracking system to gain unauthorized access to restricted bug summaries. This may be a security concern in organizations that use the software to restrict viewing rights of bugs to some users.

Mantis includes the option limit_reporters, which allows users to view only those bugs which they reported. This functionality is not, however, implemented in the 'print_all_bug_page.php' script, used to format bug results for printing. Valid users may be able to view summary information for all bugs, not just those they have reported.
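The issue is a visibility rule enforced on the screen listing but not on the print listing. The PHP example below is added here to illustrate that pattern and its correction; it is not Mantis source code and not part of the advisory, and the function names, constants, access-level threshold and sample bugs are all assumptions constructed for the example.

```php
<?php
declare(strict_types=1);
// Added illustration, not Mantis source: every name here is hypothetical.

const LIMIT_REPORTERS = true;  // stands in for the limit_reporters option
const REPORTER_LEVEL  = 25;    // assumed threshold: at or below it, the limit applies

// Constructed sample data.
$bugs = [
    ['id' => 1, 'reporter' => 'alice', 'summary' => 'Login page typo'],
    ['id' => 2, 'reporter' => 'bob',   'summary' => 'Crash in export'],
    ['id' => 3, 'reporter' => 'alice', 'summary' => 'Slow search'],
];

/** The one place the visibility rule lives; every listing goes through it. */
function visible_bugs(array $bugs, string $user, int $level): array
{
    if (LIMIT_REPORTERS && $level <= REPORTER_LEVEL) {
        $bugs = array_filter($bugs, fn(array $b): bool => $b['reporter'] === $user);
    }
    return array_values($bugs);
}

/** Screen listing: filtered. */
function view_page(array $bugs, string $user, int $level): array
{
    return array_column(visible_bugs($bugs, $user, $level), 'summary');
}

/** Print listing as the advisory describes it: the rule is never applied. */
function print_page_flawed(array $bugs, string $user, int $level): array
{
    return array_column($bugs, 'summary');
}

/** Print listing corrected: same filter as the screen listing. */
function print_page_fixed(array $bugs, string $user, int $level): array
{
    return array_column(visible_bugs($bugs, $user, $level), 'summary');
}

// Regression check: for a limited user, print output must equal screen output.
$screen = view_page($bugs, 'bob', REPORTER_LEVEL);
var_dump(print_page_flawed($bugs, 'bob', REPORTER_LEVEL) === $screen);
var_dump(print_page_fixed($bugs, 'bob', REPORTER_LEVEL) === $screen);
```

The comparison at the end is the useful part for maintainers: asserting that every alternate output format returns the same record set as the primary view catches an unfiltered code path before release.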







 

Copyright 2008, SecurityFocus