Mantis Bug Tracker Authorization Bypass Vulnerability in Private Issue Monitoring

Vulnerability

An authorization bypass vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior. The issue arises in the private issue monitoring feature, where a user with project-level access can add themselves as a monitor for a private issue they do not have permission to view. This is achieved by sending a crafted POST request to 'bug_monitor_add.php', using a valid monitor add token from an accessible issue and replacing the 'bug_id' with that of the private issue. Although the application displays an 'Access Denied' error, it processes the request and establishes a monitoring relationship for the private issue. While direct access to the issue remains restricted, the user receives email notifications about updates, inadvertently disclosing the private issue's metadata and content.

Impact

Exploitation of this vulnerability allows unauthorized users to monitor private issues, leading to unauthorized disclosure of private issue metadata and content through email notifications.

Reproduction

To reproduce this vulnerability, log in with a user account that has project-level access but lacks permission to view a private issue. First, confirm the access denial for the private issue. Then, access a public issue to extract a valid 'bug_monitor_add_token'. Use this token to send a POST request to 'bug_monitor_add.php', replacing the 'bug_id' with that of the private issue. The request will be accepted, and the monitoring relationship will be established, despite the 'Access Denied' error. Finally, verify the addition by checking the bug monitor table for the private issue.
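A defender verifying the last step across a whole instance wants an audit rather than a manual table check. The following added example (not MantisBT's own code) walks monitor rows against issue view state and flags users who monitor a private issue they could not view; the column names mirror MantisBT's bug and bug_monitor tables, but the access rule, the `PRIVATE_BUG_THRESHOLD` value and the sample rows are assumptions constructed for illustration.

```python
# Added audit example (not MantisBT code): flag bug_monitor rows on private issues
# whose user cannot view the issue under a simplified access model (an assumption).
from dataclasses import dataclass

VS_PRIVATE = 50              # MantisBT view_state value for private issues (public is 10)
PRIVATE_BUG_THRESHOLD = 55   # assumed access level needed to see private issues

@dataclass(frozen=True)
class Bug:
    id: int
    project_id: int
    reporter_id: int
    handler_id: int
    view_state: int

def can_view(user_id, bug, project_access):
    """Simplified rule (assumption): project members see public issues; private issues
    are visible only to the reporter, the handler, or users at/above the threshold."""
    level = project_access.get((user_id, bug.project_id))
    if level is None:
        return False
    if bug.view_state != VS_PRIVATE:
        return True
    return user_id in (bug.reporter_id, bug.handler_id) or level >= PRIVATE_BUG_THRESHOLD

def find_unauthorized_monitors(bugs, monitors, project_access):
    """Return sorted (user_id, bug_id) pairs where the monitoring user cannot view the bug."""
    by_id = {b.id: b for b in bugs}
    return sorted(
        (uid, bid) for uid, bid in monitors
        if bid in by_id and not can_view(uid, by_id[bid], project_access)
    )

# Constructed sample data: bug 2 is private and monitored by user 30, a plain project member.
BUGS = [Bug(1, 1, 10, 20, 10), Bug(2, 1, 10, 20, VS_PRIVATE), Bug(3, 1, 30, 20, VS_PRIVATE)]
MONITORS = [(30, 1), (30, 2), (30, 3), (40, 2), (20, 2)]   # (user_id, bug_id) rows
ACCESS = {(10, 1): 25, (20, 1): 55, (30, 1): 25, (40, 1): 55}  # (user, project) -> level

if __name__ == "__main__":
    for uid, bid in find_unauthorized_monitors(BUGS, MONITORS, ACCESS):
        print(f"user {uid} monitors private bug {bid} without view access")
```

Any row the audit reports should be removed from the monitor table after upgrading, since the upgrade alone does not undo monitoring relationships already established.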

Remediation

Update to MantisBT version 2.28.2, where this vulnerability has been fixed.

Added: May 19, 2026, 11:24 PM
Updated: May 19, 2026, 11:24 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 3.1
exploitability: 6.6
remediation: 7.7
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.