From: Damien R. <dam...@me...> - 2012-06-01 07:47:13
Hi,

I noticed today that a user named 'VishalThakur' was able to edit someone else's note on our tracker:

http://www.mantisbt.org/bugs/view.php?id=14330&history=1#history
http://www.mantisbt.org/bugs/bug_revision_view_page.php?bugnote_id=31929#r2515

I'm not sure what the setting for $g_update_bugnote_threshold is on mantisbt.org, but since by default the access level is Developer and I don't think this guy has that role (or even anything above Reporter, for that matter), that probably means there is a possibility (SOAP?) for reporters to bypass security.

Just thought I'd bring this to your attention.

Damien