Mantis Bug Tracker
cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*
- >= 2.28.0, <= 2.28.1
An authorization bypass vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions 2.28.0 and 2.28.1. This vulnerability allows low-privileged authenticated users with the 'add_profile_threshold' permission to create global profiles, bypassing the requirement for 'manage_global_profile_threshold'. The issue arises in the 'account_prof_update.php' file, where the user_id parameter can be manipulated in a profile creation request. The vulnerability has been patched in version 2.28.2.
Exploitation of this vulnerability leads to unauthorized creation of global profiles by users who do not have the necessary privileges, allowing them to manage global profile settings and potentially misuse this capability.
To reproduce this vulnerability, log in as a user with the 'add_profile_threshold' permission, such as a reporter. Open 'account_prof_menu_page.php' and copy the hidden 'account_prof_update_token'. Then submit a request to 'account_prof_update.php' with the user_id parameter set to 'ALL_USERS', which is interpreted as '0'. The request is processed without the required authorization check, so a global profile is created.
Users can update to MantisBT version 2.28.2 to address this vulnerability.
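The authorization decision described above, modelled as an added PHP example that is neither MantisBT source code nor the 2.28.2 patch. The function names, numeric access levels and threshold values are assumptions made for the illustration, and the refusal of profiles owned by another account goes beyond what the advisory states.

```php
<?php
// Added illustration: a self-contained model, not MantisBT source code.
// Function names and the numeric levels below are assumptions for the example.

const ALL_USERS = 0;   // sentinel user_id meaning "global profile"
const REPORTER  = 25;  // sample access levels (assumed values)
const MANAGER   = 70;

// Sample thresholds (assumed): who may add own profiles vs. manage global ones.
const THRESHOLDS = [
    'add_profile_threshold'           => REPORTER,
    'manage_global_profile_threshold' => MANAGER,
];

/** Flawed pattern: trusts the submitted user_id and checks only the add threshold. */
function can_create_profile_flawed(int $actorLevel, int $actorId, int $requestedUserId): bool
{
    return $actorLevel >= THRESHOLDS['add_profile_threshold'];
}

/** Hardened pattern: the required threshold depends on who will own the profile. */
function can_create_profile_hardened(int $actorLevel, int $actorId, int $requestedUserId): bool
{
    if ($requestedUserId === ALL_USERS) {
        // Global profile: require the global-management threshold.
        return $actorLevel >= THRESHOLDS['manage_global_profile_threshold'];
    }
    if ($requestedUserId !== $actorId) {
        // Refuse to create a profile owned by some other account.
        return false;
    }
    return $actorLevel >= THRESHOLDS['add_profile_threshold'];
}

// Constructed requests: [label, actor level, actor id, submitted user_id]
$cases = [
    ['reporter, own profile',    REPORTER, 7, 7],
    ['reporter, global profile', REPORTER, 7, ALL_USERS],
    ['reporter, other account',  REPORTER, 7, 8],
    ['manager, global profile',  MANAGER,  3, ALL_USERS],
];

foreach ($cases as [$label, $level, $id, $target]) {
    printf("%-26s flawed=%-5s hardened=%s\n", $label,
        var_export(can_create_profile_flawed($level, $id, $target), true),
        var_export(can_create_profile_hardened($level, $id, $target), true));
}
```

The two functions disagree only on the rows where the submitted user_id differs from the caller's own id, which is the condition a regression test for this class of bug should cover.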