Mantis Bug Tracker Access Control Vulnerability in Column Configuration Management

Vulnerability

An access control vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions through 2.27.1. This issue allows non-admin users with access to the 'manage_config_columns_page.php' to use the 'Copy From' action to retrieve column configurations from private projects they do not have access to. The vulnerability arises from inadequate access-level checks, enabling project managers to copy settings from restricted projects. However, the reverse operation, 'Copy To', is properly controlled and cannot be used to alter private project configurations.
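The defect described above, as an added self-contained Python model that is not MantisBT's code: the `Project`/`User` structures, the `manage_project_threshold` value and the two `copy_columns_*` functions are assumptions for illustration. The vulnerable variant checks only the destination project, so "Copy From" reads a private project's columns; the hardened variant also requires access to the source project (the exact threshold the upstream fix applies is not stated in the advisory).

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Numeric access levels as used by MantisBT (VIEWER=10 ... ADMINISTRATOR=90).
VIEWER, MANAGER, ADMINISTRATOR = 10, 70, 90
PUBLIC, PRIVATE = "public", "private"
MANAGE_PROJECT_THRESHOLD = MANAGER  # assumed value of manage_project_threshold


@dataclass
class Project:
    name: str
    view_state: str
    columns: list[str]
    members: dict[str, int] = field(default_factory=dict)  # user name -> level


@dataclass
class User:
    name: str
    global_level: int


def effective_level(user: User, project: Project) -> int:
    """Access level a user holds on a project: a private project grants
    access only to explicit members (and administrators)."""
    if user.global_level >= ADMINISTRATOR:
        return ADMINISTRATOR
    member_level = project.members.get(user.name, 0)
    if project.view_state == PRIVATE:
        return member_level
    return max(user.global_level, member_level)


def copy_columns_vulnerable(user: User, src: Project, dst: Project) -> list[str]:
    """Pre-2.27.2 pattern from the advisory: only the destination project is
    checked, so a manager can read the columns of any private project."""
    if effective_level(user, dst) < MANAGE_PROJECT_THRESHOLD:
        raise PermissionError(f"{user.name} may not manage {dst.name}")
    dst.columns = list(src.columns)
    return dst.columns


def copy_columns_fixed(user: User, src: Project, dst: Project) -> list[str]:
    """Hardened variant: the caller must hold access to the source project
    before its configuration is read, and manage rights on the destination."""
    if effective_level(user, src) < VIEWER:
        raise PermissionError(f"{user.name} has no access to {src.name}")
    if effective_level(user, dst) < MANAGE_PROJECT_THRESHOLD:
        raise PermissionError(f"{user.name} may not manage {dst.name}")
    dst.columns = list(src.columns)
    return dst.columns
```

With a constructed manager who is a member of a public project but not of a private one, the vulnerable copy-from succeeds while the fixed one is refused; copy-to the private project is refused by both, matching the advisory's note that the reverse direction was already controlled.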

Impact

Exploitation of this vulnerability allows unauthorized users to access and copy column configuration settings from private projects, potentially leading to unauthorized disclosure of project-specific information.

Reproduction

To reproduce this vulnerability, log in as a user with the 'Manager' role who does not have access to a private project. Navigate to the 'Manage Columns' configuration page and select a private project from the 'Copy Columns From' dropdown. After submitting the request, the column settings from the private project will be copied over, despite the lack of access.

Remediation

Users can upgrade to MantisBT version 2.27.2, where this vulnerability has been fixed.

Added: Nov 4, 2025, 10:29 PM
Updated: Nov 4, 2025, 10:29 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.