View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0025492 | mantisbt | security | public | 2019-02-19 15:19 | 2022-05-16 08:51 |
| Target Version | 2.26.0 | Fixed in Version | 2.26.0 |
| Summary | 0025492: Printing (print_all_bug_page) is a perf/security risk |
Live profiling of our server showed that 20,182 queries may be executed by the trivially achieved operation of printing out from "view all issues" when there's no filter. This was an intensive 40 second web request.
There needs to be some kind of control of this. I'd suggest implementing a maximum printable issues feature, that is controlled by access level. If set to zero for an access level then there would be no print button at all. The default config would set it 0 for guests to stop spiders hitting it.
| Tags | No tags attached. |
This is related to 0004798.
I second this is an issue. This allows for a simple DDOS attack on Mantis instances that have a big number of bugs.
I agree that this is a risk, and in fact this very instance of MantisBT has been hit by DOS attacks leveraging print_all_bug_page_word.php several times in the past, which sometimes ended up killing the database server.
Please see 0022224 and the related PR which I just rebased and tested; the approach is slightly different from what @ChrisG suggested in this issue's description, i.e. implement a simple threshold restricting access to the export and print functions instead of defining a maximum number of printable issues, but I believe this should be sufficient to do the job.
@ChrisG, @c_schmitz If you agree, then this issue will be closed when PR https://github.com/mantisbt/mantisbt/pull/1810 gets merged (nothing for you to do). If on the other hand you feel that a solution with a maximum number of issues is needed, then please say so and I'll leave it open (but no promises as to when it would be implemented).
Thanks. The simple approach works for me, I don't see a real need for the granularity I mentioned. The typical tracker user doesn't need to export and print anything. This can be closed as far as I'm concerned.
That works for me, too. Thank you!
Great, thanks both for the feedback.
And for the record, I'm re-qualifying this from printing feature to security issue, given the confirmed potential for DOS attacks.
MantisBT: master 20cd415e
Restrict access to Export and Print Reports
Adds 2 new config options to control access restrictions to these View
Issues page functionalities:
- CSV/Excel Export ($g_export_issues_threshold)
- Print Reports ($g_print_reports_threshold)
The default value for print_reports_threshold is UPDATER, to reduce the
risk of denial of service attacks overloading the server via multiple
concurrent executions of print_all_bug_page_word.php. This changes from
earlier behavior, where access to this function was not restricted.
Fixes 0022224, 0025492,
mod - config_defaults_inc.php
mod - css/default.css
mod - csv_export.php
mod - docbook/Admin_Guide/en-US/config/misc.xml
mod - excel_xml_export.php
mod - lang/strings_english.txt
mod - manage_config_work_threshold_page.php
mod - manage_config_work_threshold_set.php
mod - print_all_bug_page.php
mod - print_all_bug_page_word.php
mod - view_all_inc.php
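As an added illustration (not code from MantisBT or from the commit above), the following PHP shows the two threshold settings the commit introduces, an open setting beside the fixed default, and a simplified stand-in for the gate that decides whether a user may reach the print/export functions. The access-level constants use MantisBT's standard default values; `$g_print_reports_threshold_open`, `threshold_allows()` and the sample user levels are assumptions made for this example.

```php
<?php
// Added example, not MantisBT's own code. Access-level constants below carry
// MantisBT's standard default values.
const ANYBODY       = 0;
const VIEWER        = 10;
const REPORTER      = 25;
const UPDATER       = 40;
const DEVELOPER     = 55;
const MANAGER       = 70;
const ADMINISTRATOR = 90;

// config_inc.php fragment (assumed). Leaving print reports open to ANYBODY
// reproduces the pre-fix exposure: any guest or crawler can trigger
// print_all_bug_page_word.php over an unfiltered issue list.
$g_print_reports_threshold_open = ANYBODY;   // hypothetical name for the weak setting

// The commit's default: only UPDATER and above may print reports; the same
// level is assumed here for CSV/Excel export.
$g_print_reports_threshold = UPDATER;
$g_export_issues_threshold = UPDATER;

/**
 * Stand-in for the threshold check (assumption, simplified). $p_threshold may
 * be a single minimum level or an array of permitted levels, mirroring the two
 * forms MantisBT thresholds generally take.
 */
function threshold_allows( $p_threshold, int $p_user_level ): bool {
    if( is_array( $p_threshold ) ) {
        return in_array( $p_user_level, $p_threshold, true );
    }
    return $p_user_level >= $p_threshold;
}

// Constructed sample accounts: an anonymous viewer and a developer.
$t_guest_level = VIEWER;
$t_dev_level   = DEVELOPER;

// With the open setting the guest passes the gate, so the print button (and a
// direct request to the print script) would be served.
$t_guest_can_print_open  = threshold_allows( $g_print_reports_threshold_open, $t_guest_level );

// With the fixed default the guest is refused while the developer is allowed.
// The View Issues page hides the buttons on refusal, and the print/export
// scripts must repeat the same check so a direct URL request is also refused.
$t_guest_can_print_fixed = threshold_allows( $g_print_reports_threshold, $t_guest_level );
$t_dev_can_print_fixed   = threshold_allows( $g_print_reports_threshold, $t_dev_level );
$t_dev_can_export_fixed  = threshold_allows( $g_export_issues_threshold, $t_dev_level );
```

The point of checking in both the page that renders the button and the script that does the work is that hiding a link does nothing against a request sent straight to the script's URL.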