From: Manilal K M <ma...@ej...> - 2012-02-16 07:33:40
Hello all,

While doing some experiments with the SOAP API, I observed a security issue with the SOAP API. Basically, if you know the application URL, username and project_id, then using the SOAP API someone with PHP/SOAP knowledge can easily retrieve and modify issue data, add notes or modify project attributes. The script login mechanism of MantisBT uses only the username to authenticate via SOAP. The URL is always public, and we can easily manipulate the project_id since it always starts with 1.

I know that these are trivial issues and the developers may already be working on it. I posted here since I couldn't find anything useful in the Google search results.

regards
--
Manilal K M
eJyothi Services
http://www.ejyothi.com
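The two weaknesses the report describes are an authentication check that can be satisfied with a username alone, and a guessable, sequential project_id that is never tied to the caller's permissions. The following PHP is an added, hypothetical illustration of both (it is not MantisBT's own code and does not reproduce its API): a weak script-login check next to a hardened one that always verifies the password, plus a separate authorization check for the project id. The user store, user names and project ids are constructed for the example.

```php
<?php
// Added, hypothetical example (not MantisBT's code): a script-login check
// that accepts a username alone, beside a hardened version that always
// verifies the password and checks project membership.

// Constructed user store; hashes are produced with password_hash().
$users = [
    'alice' => [
        'hash'     => password_hash('correct horse', PASSWORD_DEFAULT),
        'projects' => [1, 3],   // projects this user is a member of
    ],
];

// Weak: a missing or empty password skips verification entirely, so
// knowing a valid username is enough to act as that user.
function weak_script_login(array $users, string $username, ?string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    if ($password === null || $password === '') {
        return true;            // password is never checked on this path
    }
    return password_verify($password, $users[$username]['hash']);
}

// Hardened: every API call must present a password, and it must verify
// against the stored hash; there is no username-only path.
function hardened_script_login(array $users, string $username, ?string $password): bool
{
    if ($password === null || $password === '' || !isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]['hash']);
}

// Authorization is a separate step from authentication: an authenticated
// caller still may not read or modify a project whose numeric id they
// merely guessed by counting up from 1.
function can_access_project(array $users, string $username, int $projectId): bool
{
    return isset($users[$username])
        && in_array($projectId, $users[$username]['projects'], true);
}

// Usage: the weak check passes with no password; the hardened check
// fails it and only succeeds with the real password. Project 2 is
// refused even to a logged-in user because alice is not a member.
var_dump(weak_script_login($users, 'alice', null));
var_dump(hardened_script_login($users, 'alice', null));
var_dump(hardened_script_login($users, 'alice', 'correct horse'));
var_dump(can_access_project($users, 'alice', 2));
var_dump(can_access_project($users, 'alice', 3));
```

The point of keeping `can_access_project` separate from the login functions is that fixing the username-only login does not by itself address the guessable project_id: each SOAP operation that takes a project or issue id still has to check that the authenticated user is allowed to touch that specific object.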