From: Robert M. <rob...@gm...> - 2012-02-16 07:37:36
On Thu, Feb 16, 2012 at 9:33 AM, Manilal K M <ma...@ej...> wrote:
> Hello all,
>
> While doing some experiments with the SOAP API, I observed a security issue with the SOAP-API.
>
> Basically, if you know the application URL, username and project_id then, using the SOAP-API, someone with PHP/SOAP knowledge can easily retrieve and modify issue data, add notes or modify project attributes.
>
> The script login mechanism of mantisbt uses only the username to authenticate via SOAP. The URL is always public and we can easily manipulate the project_id since it always starts with 1.
>
> I know that these are trivial issues and developers may already be working on it. I posted here since I couldn't find anything useful in the Google search results.
>
> regards

The API is supposed to authenticate each request based on username _and password_. Have you found a situation where this is not done?

Robert

> --
> Manilal K M
> eJyothi Services
> http://www.ejyothi.com
>
> _______________________________________________
> mantisbt-dev mailing list
> man...@li...
> https://lists.sourceforge.net/lists/listinfo/mantisbt-dev

--
Sent from my (old) computer
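An added check for the point Robert raises, written here as an example and not taken from the thread or from MantisBT's own code: every MantisConnect call carries username and password as its first two parameters, so the same call issued with the correct username but a wrong (or empty) password must be refused with a SoapFault. The WSDL path and the method names mc_login and mc_issue_get are assumed from MantisBT 1.2.x MantisConnect; $url, $user, $pass and $issueId are placeholders to fill in for your own instance.

```php
<?php
// Added example (not from the thread or from MantisBT): confirm that the
// SOAP API rejects requests whose password is wrong, even when the username
// and issue id are correct. Assumed: WSDL path and method names mc_login and
// mc_issue_get from MantisBT 1.2.x MantisConnect; credentials are placeholders.

$url     = 'https://mantis.example.com/api/soap/mantisconnect.php?wsdl';
$user    = 'reporter';            // an existing account on the test instance
$pass    = 'correct-password';    // its real password
$issueId = 1;                     // an issue that $user is allowed to read

$client = new SoapClient($url, array('exceptions' => true, 'trace' => 1));

// Run one MantisConnect call and say whether the server accepted or refused it.
function attempt(SoapClient $client, $method, array $args)
{
    try {
        $client->__soapCall($method, $args);
        return 'ACCEPTED';
    } catch (SoapFault $f) {
        return 'REFUSED (' . $f->getMessage() . ')';
    }
}

// Each row: description, method, arguments. Username and password are always
// the first two arguments of a MantisConnect call.
$checks = array(
    array('login, correct password',      'mc_login',     array($user, $pass)),
    array('login, wrong password',        'mc_login',     array($user, $pass . 'x')),
    array('login, empty password',        'mc_login',     array($user, '')),
    array('issue read, correct password', 'mc_issue_get', array($user, $pass, $issueId)),
    array('issue read, wrong password',   'mc_issue_get', array($user, $pass . 'x', $issueId)),
    array('issue read, empty password',   'mc_issue_get', array($user, '', $issueId)),
);

$allGood = true;
foreach ($checks as $check) {
    list($desc, $method, $args) = $check;
    $outcome = attempt($client, $method, $args);

    // Only calls carrying the correct password may be accepted; anything
    // accepted without it is exactly the problem the original post describes.
    $expectAccept = ($args[1] === $pass);
    $good = $expectAccept ? ($outcome === 'ACCEPTED') : ($outcome !== 'ACCEPTED');

    printf("%-30s %-5s %s\n", $desc, $good ? 'ok' : 'FAIL', $outcome);
    $allGood = $allGood && $good;
}

exit($allGood ? 0 : 1);
```

Run it against a test instance, not production: the script only reads, but it does perform real logins. A FAIL row on a wrong- or empty-password line would be the concrete reproduction Robert asks for; if every row reads ok, the server is enforcing the password on each request as intended.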