MantisBT - Site
View Issue Details
ID: 0003521
Project: Site
Category: [All Projects] Bug
View Status: public
Date Submitted: 2018-09-25 00:56
Last Update: 2018-10-28 00:52
Reporter: WubTheCaptain
Assigned To: Blzut3
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
0003521: Summaries of issues marked with "private" view status can be discovered by unprivileged users
I assume this is what's happening.

MantisBT's "Gauge Support" plugin (aka "Issue Support Ranking") displays summaries of tickets marked with "private" view status. They cannot however be read by unprivileged users.

For example: Zandronum project issue #3407 summary talks about security risks related to files, with 1 person strongly supporting it. The summary alone gives context for an attacker to exploit things. (I'm not mentioning the exact title here without "ok" from Blzut3 or something, for a chance to set the view status of this to public later.)

This became an issue since the functionality was fixed in ticket 0002795 yesterday. I don't know what the situation was before it was broken.
https://zandronum.com/tracker/plugin.php?page=GaugeSupport/issue_ranking&show=bottom&num=all
https://zandronum.com/tracker/plugin.php?page=GaugeSupport/issue_ranking&show=top&num=all
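The access-control gap described in this report, modelled as an added Python example (this is not MantisBT's or the Gauge Support plugin's code): an aggregated listing that ranks issues by support must apply the same per-issue visibility check as the normal issue view, and so must any lookup that resolves a note id to its parent issue. The view-state values mirror MantisBT's public/private constants; the user records, access threshold, note ids and issue data are constructed for illustration.

```python
from dataclasses import dataclass

VS_PUBLIC, VS_PRIVATE = 10, 50      # view-state values as used by MantisBT
VIEWER, DEVELOPER = 25, 55          # constructed access levels; private threshold assumed = DEVELOPER

@dataclass(frozen=True)
class Bug:
    bug_id: int
    summary: str
    view_state: int
    reporter: str
    support: int                    # number of "strongly supports" votes

@dataclass(frozen=True)
class User:
    name: str
    access_level: int

def can_view(user, bug, private_threshold=DEVELOPER):
    """Per-issue visibility: public issues are visible to everyone; private ones only to
    their reporter or to users at or above the private-bug threshold."""
    if bug.view_state != VS_PRIVATE:
        return True
    return user.name == bug.reporter or user.access_level >= private_threshold

def ranking_leaky(bugs):
    # Vulnerable form: ranks by support and emits every summary without consulting the viewer.
    return [(b.bug_id, b.summary) for b in sorted(bugs, key=lambda b: b.support, reverse=True)]

def ranking_checked(bugs, user):
    # Hardened form: filter through the same check the issue view uses before revealing a summary.
    visible = [b for b in bugs if can_view(user, b)]
    return [(b.bug_id, b.summary) for b in sorted(visible, key=lambda b: b.support, reverse=True)]

def note_lookup_checked(notes, bugs_by_id, user, note_id):
    # Second vector from the thread: a note id resolving to a private issue must not leak its summary.
    bug = bugs_by_id.get(notes.get(note_id))
    if bug is None or not can_view(user, bug):
        return None
    return bug.summary

# Constructed sample data (summaries are placeholders, not the real issue titles).
BUGS = [
    Bug(3407, "[private summary, redacted]", VS_PRIVATE, "reporter_a", 1),
    Bug(3521, "Private summaries discoverable via support ranking", VS_PUBLIC, "WubTheCaptain", 0),
    Bug(2795, "[constructed public issue]", VS_PUBLIC, "reporter_b", 2),
]
BUGS_BY_ID = {b.bug_id: b for b in BUGS}
NOTES = {19732: 3521, 90001: 3407}  # constructed note id -> parent bug id
```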
No tags attached.
Issue History
2018-09-25 00:56  WubTheCaptain  New Issue
2018-09-25 00:56  WubTheCaptain  Note Added: 0019732
2018-09-25 01:00  WubTheCaptain  Note Added: 0019733
2018-09-25 01:05  WubTheCaptain  Note Added: 0019734
2018-09-25 03:57  Blzut3  Assigned To: => Blzut3
2018-09-25 03:57  Blzut3  Status: new => assigned
2018-09-25 04:08  WubTheCaptain  Note Added: 0019753
2018-09-25 04:11  WubTheCaptain  Note Deleted: 0019753
2018-09-26 01:01  Blzut3  Note Added: 0019773
2018-09-26 01:01  Blzut3  Status: assigned => resolved
2018-09-26 01:01  Blzut3  Resolution: open => fixed
2018-09-26 02:22  WubTheCaptain  Note Added: 0019777
2018-09-26 02:22  WubTheCaptain  Status: resolved => feedback
2018-09-26 02:22  WubTheCaptain  Resolution: fixed => reopened
2018-09-26 02:23  WubTheCaptain  Note Added: 0019778
2018-09-26 02:23  WubTheCaptain  Status: feedback => assigned
2018-09-27 01:29  Blzut3  View Status: private => public
2018-09-27 01:31  Blzut3  Note Added: 0019783
2018-09-27 01:31  Blzut3  Status: assigned => resolved
2018-09-27 01:31  Blzut3  Resolution: reopened => fixed
2018-10-28 00:52  Blzut3  Status: resolved => closed

Notes
(0019732) WubTheCaptain, 2018-09-25 00:56
Possibly "exploit" severity, but I gave it the benefit of the doubt.
(0019733) WubTheCaptain, 2018-09-25 01:00
While creating this ticket, I tried judging between "public" and "private" view status for this ticket. I set it to "private", but had to modify the summary to be ambiguous without instructions on how to do it.

Perhaps I should've contacted Blzut3 privately via email, if this is a concern?
(0019734) WubTheCaptain, 2018-09-25 01:05
Oh, and this ticket is not affected by the bug as long as nobody is showing community support for this ticket.
(0019773) Blzut3, 2018-09-26 01:01
Removed private issues from the support ranking.
(0019777) WubTheCaptain, 2018-09-26 02:22
Can this issue's view status be set to public? Please feel free to redact details about issue #3407 in the OP; I cannot edit it. Any private notes with proofs of concept in this issue's notes may remain private.
(0019778) WubTheCaptain, 2018-09-26 02:23
Also, another issue related to bug note IDs revealing private issue summaries was fixed.
(0019783) Blzut3, 2018-09-27 01:31
If you want I suppose there's no harm in making the ticket public. I wasn't going to bother since the issue doesn't really affect anyone.

I don't think anything you said in public notes is problematic.