Chat on our Discord Server
Get the latest version: 3.1Source Code
| Anonymous | Login | Signup for a new account | 2024-04-25 11:57 UTC |  |
| My View | View Issues | Change Log | Roadmap | Site Issue Support Ranking | Rules | My Account |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0003521 | Site | [All Projects] Bug | public | 2018-09-25 00:56 | 2018-10-28 00:52 | ||||
| Reporter | WubTheCaptain | ||||||||
| Assigned To | Blzut3 | ||||||||
| Priority | normal | Severity | major | Reproducibility | always | ||||
| Status | closed | Resolution | fixed | ||||||
| Platform | OS | OS Version | |||||||
| Summary | 0003521: Summaries of issues marked with "private" view status can be discovered by unprivileged users | ||||||||
| Description | I assume this is what's happening. MantisBT's "Gauge Support" plugin (aka "Issue Support Ranking") displays summaries of tickets marked with "private" view status. They cannot however be read by unprivileged users. For example: Zandronum project issue #3407 summary talks about security risks related to files, with 1 person strongly supporting it. The summary alone gives context for an attacker to exploit things. (I'm not mentioning the exact title here without "ok" from Blzut3 or something, for a chance to set the view status of this to public later.) This became an issue since the functionality was fixed in ticket 0002795 yesterday. I don't know what the situation was before it was broken. | ||||||||
| Steps To Reproduce | 'https://zandronum.com/tracker/plugin.php?page=GaugeSupport/issue_ranking&show=bottom&num=all [^]' 'https://zandronum.com/tracker/plugin.php?page=GaugeSupport/issue_ranking&show=top&num=all [^]' | ||||||||
| Attached Files | |||||||||
 Relationships |
|
 Relationships |
|
Notes |
|
 (0019732)WubTheCaptain (reporter) 2018-09-25 00:56 |
Possibly "exploit" severity, but I gave it a benefit of doubt. |
|
(0019733) WubTheCaptain (reporter) 2018-09-25 01:00 |
While creating this ticket, I tried judging between "public" and "private" view status for this ticket. I set it to "private", but had to modify the summary to be ambiguous without instruction how to do it. Perhaps I should've contacted Blzut3 privately via email, if this is a concern? |
|
(0019734) WubTheCaptain (reporter) 2018-09-25 01:05 |
Oh, and this ticket is not affected by the bug as long as nobody is showing community support for this ticket. |
 (0019773)Blzut3 (administrator) 2018-09-26 01:01 |
Removed private issues from the support ranking. |
|
(0019777) WubTheCaptain (reporter) 2018-09-26 02:22 |
Can this issue's view status be set public? Please feel free to redact details about issue #3407 in OP, I cannot edit it. Any private notes with proofs of concept in this issue's notes may remain private. |
|
(0019778) WubTheCaptain (reporter) 2018-09-26 02:23 |
Also, another issue related to bug note IDs revealing private issue summaries was fixed. |
|
(0019783) Blzut3 (administrator) 2018-09-27 01:31 |
If you want I suppose there's no harm in making the ticket public. I wasn't going to bother since the issue doesn't really affect anyone. I don't think anything you said in public notes is problematic. |
|
Notes |
|
This issue is already marked as resolved. If you feel that is not the case, please reopen it and explain why. |
|
| Supporters: | No one explicitly supports this issue yet. |
| Opponents: | No one explicitly opposes this issue yet. |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2018-09-25 00:56 | WubTheCaptain | New Issue | |
| 2018-09-25 00:56 | WubTheCaptain | Note Added: 0019732 | |
| 2018-09-25 01:00 | WubTheCaptain | Note Added: 0019733 | |
| 2018-09-25 01:05 | WubTheCaptain | Note Added: 0019734 | |
| 2018-09-25 03:57 | Blzut3 | Assigned To | => Blzut3 |
| 2018-09-25 03:57 | Blzut3 | Status | new => assigned |
| 2018-09-25 04:08 | WubTheCaptain | Note Added: 0019753 | |
| 2018-09-25 04:11 | WubTheCaptain | Note Deleted: 0019753 | |
| 2018-09-26 01:01 | Blzut3 | Note Added: 0019773 | |
| 2018-09-26 01:01 | Blzut3 | Status | assigned => resolved |
| 2018-09-26 01:01 | Blzut3 | Resolution | open => fixed |
| 2018-09-26 02:22 | WubTheCaptain | Note Added: 0019777 | |
| 2018-09-26 02:22 | WubTheCaptain | Status | resolved => feedback |
| 2018-09-26 02:22 | WubTheCaptain | Resolution | fixed => reopened |
| 2018-09-26 02:23 | WubTheCaptain | Note Added: 0019778 | |
| 2018-09-26 02:23 | WubTheCaptain | Status | feedback => assigned |
| 2018-09-27 01:29 | Blzut3 | View Status | private => public |
| 2018-09-27 01:31 | Blzut3 | Note Added: 0019783 | |
| 2018-09-27 01:31 | Blzut3 | Status | assigned => resolved |
| 2018-09-27 01:31 | Blzut3 | Resolution | reopened => fixed |
| 2018-10-28 00:52 | Blzut3 | Status | resolved => closed |
|
Issue History |
| Copyright © 2000 - 2024 MantisBT Team |
 |
ZDoom
Doom Wiki
id Software
Doomworld
Odamex
Doomseeker
Internet Doom Explorer
The Sentinel's Playground Servers