On Thu, Feb 16, 2012 at 9:54 AM, Manilal K M <manilal@...> wrote:
> ----- Original Message -----
>> From: "Robert Munteanu" <robert.munteanu@...>
>> To: manilal@..., "developer discussions" <mantisbt-dev@...>
>> Sent: Thursday, February 16, 2012 1:07:26 PM
>> Subject: Re: [mantisbt-dev] Security in Mantis SOAP-API
>> On Thu, Feb 16, 2012 at 9:33 AM, Manilal K M <manilal@...>
>> > Hello all,
>> > While doing some experiments with the SOAP API, I observed a
>> > security issue with the SOAP-API.
>> > Basically, if you know the application URL, username and project_id
>> > then using the SOAP-API, someone with PHP/SOAP knowledge can
>> > easily retrieve and modify issue data, add notes or modify project
>> > attributes.
>> > The script login mechanism of mantisbt uses only the username to
>> > authenticate via SOAP. The URL is always public, and we can easily
>> > manipulate the project_id since it always starts with 1.
>> > I know that these are trivial issues and developers may already be
>> > working on them. I posted here since I couldn't find anything useful
>> > in the Google search results.
>> > regards
>> The API is supposed to authenticate each request based on username
>> _and password_ . Have you found a situation where this is not done ?
> Yes. Here are some of the WS calls which I'm making from my client application:
> $issue_id = $this->_mantis->mc_issue_add($this->bt_user, null, $issuedata);
> $t_issues = $this->_mantis->mc_project_get_issues($this->bt_user, NULL, $this->bt_project, $page_number, $per_page);
> $t_categories = $this->_mantis->mc_project_get_categories($this->bt_user, NULL, $this->bt_project);
> $issue = $this->_mantis->mc_issue_get($this->bt_user, NULL, $issue_id);
> $note_id = $this->_mantis->mc_issue_note_add($this->bt_user, NULL, $issue_id, $note);
> This means that I can simply pass NULL for the password parameter in all the SOAP API calls. Apparently, in the function auth_attempt_script_login(), password is a default argument for various legitimate reasons.
> So, I don't think it is practical to make the password mandatory, since it will break anonymous login, RSS feeds and the SOAP-API.
> Maybe we can enhance security by having an application-wide token which will be verified on each request. There may be better solutions available, but this is the simplest one that immediately came to mind.
I can't verify the results right now but this seems pretty serious. We
should never accept null password from the SOAP API, and I'll make
sure that we don't.
Thanks for reporting this.
Sent from my (old) computer
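The following is an added illustration of the flaw discussed in this thread and of the fix Robert describes (refusing a null password at the SOAP boundary). It is not MantisBT code and not taken from the thread: `script_login_vulnerable()`, `soap_authenticate()` and the `mc_issue_get()` stand-in are hypothetical names, and the user table is constructed sample data. It models the behaviour Manilal describes, a script-login function whose password argument defaults to null and whose null branch authenticates on username alone, next to a hardened SOAP entry point that rejects a missing or empty password before doing anything else. Requires PHP 7.1 or later for the nullable type hints.

```php
<?php
// Hypothetical model of the reported flaw; NOT MantisBT's auth_attempt_script_login().

// Constructed sample user table: username => password hash.
function users(): array {
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        ];
    }
    return $users;
}

// Vulnerable shape: the password parameter has a default of null, and a null
// password is treated as "skip the password check" (the path that anonymous
// login and RSS feeds rely on). Any caller that can reach this function with
// a null password therefore authenticates as any known username.
function script_login_vulnerable(string $username, ?string $password = null): bool {
    $users = users();
    if (!isset($users[$username])) {
        return false;
    }
    if ($password === null) {
        return true; // username alone suffices on this path
    }
    return password_verify($password, $users[$username]);
}

// Hardened shape for the SOAP entry points: a missing or empty password is
// refused before any user lookup, and a present password is always verified
// against the stored hash. The anonymous/RSS code paths keep calling the
// script-login function directly, so they are unaffected by this check.
function soap_authenticate(string $username, ?string $password): bool {
    if ($password === null || $password === '') {
        return false;
    }
    $users = users();
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Hypothetical stand-in for an mc_* SOAP method, showing where the check sits:
// every SOAP call authenticates through soap_authenticate() first.
function mc_issue_get(string $username, ?string $password, int $issue_id): array {
    if (!soap_authenticate($username, $password)) {
        throw new RuntimeException('Access denied');
    }
    return ['id' => $issue_id, 'summary' => 'constructed sample issue'];
}

// Demonstration: the vulnerable path accepts a null password for a known
// username; the hardened path rejects it and only accepts the real password.
var_dump(script_login_vulnerable('alice', null));
var_dump(soap_authenticate('alice', null));
var_dump(soap_authenticate('alice', ''));
var_dump(soap_authenticate('alice', 'correct horse battery staple'));
try {
    mc_issue_get('alice', null, 1);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The point of the split is the one Manilal raises: the password argument cannot simply be made mandatory everywhere without breaking anonymous login and RSS, so the rejection of a null or empty password belongs at the SOAP entry point, where every `mc_*` call is required to carry a real password, while the other callers keep their existing behaviour. A regression test for the SOAP layer should cover both `null` and the empty string, since a client can send either.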