View Issue Details

ID: 0023179
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-08-11 10:20
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 1.3.0-beta.1
Target Version: 2.5.2
Fixed in Version: 2.5.2
Summary0023179: Login page no longer warns about 'admin' directory being present
Description

Commit MantisBT master 9da643a6 modified the admin checks to remove the logic checking for pre 1.0 upgrade steps.

However, it also (probably unintentionally) removed the check for admin directory presence, so administrators are no longer reminded that they should delete this directory, potentially leaving them exposed to security breaches.
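The kind of check the fix restores, as an added illustration in PHP (not MantisBT's own login_page.php code; the function name, message text and the install.php check are assumptions drawn from this report and the related issue 0023173):

```php
<?php
// Added example, not MantisBT's own code. Function and message names are
// hypothetical; the check mirrors the login-page warning this issue restores.

/**
 * Return warnings about leftover installer artefacts under $root.
 * The admin directory is only needed during installation or upgrade;
 * leaving it deployed is exactly what the login-page warning should flag.
 */
function admin_dir_warnings(string $root): array
{
    $warnings = [];
    $admin_dir = rtrim($root, '/') . '/admin';

    if (is_dir($admin_dir)) {
        $warnings[] = "The 'admin' directory is still present at $admin_dir; "
                    . "remove it once installation or upgrade is complete.";

        // install.php is the script named in related issue 0023173; its
        // presence on disk is worth calling out separately (assumption).
        if (is_file($admin_dir . '/install.php')) {
            $warnings[] = "admin/install.php is still deployed.";
        }
    }
    return $warnings;
}

// Usage on the login page: render each warning above the login form,
// escaping the text so the message itself cannot inject markup.
foreach (admin_dir_warnings(__DIR__) as $message) {
    echo '<div class="alert alert-warning">'
        . htmlspecialchars($message, ENT_QUOTES, 'UTF-8')
        . "</div>\n";
}
```

Because the warning is evaluated on every login-page load, it keeps reminding administrators until the directory is actually removed rather than only at upgrade time.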

Tags: No tags attached.

Relationships

related to 0023181 (resolved, dregad): Checks on login page are never executed if "admin" dir does not exist
related to 0023173 (confirmed): CVE-2017-12419: Arbitrary File Read inside install.php script
related to 0023211 (assigned, dregad): Warning regarding admin-folder, even if access is restricted

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-2.5 d6d7dc2d

2017-08-03 16:54:04

dregad

Restore "admin dir" warning on login page

Commit 9da643a6f6c1b7604598968baa3cd2f6fd4540ff modified the admin
checks on login page to remove the logic checking for pre 1.0 upgrade
steps.

However, it also (probably unintentionally) removed the check for admin
directory presence, so administrators are no longer reminded that they
should delete this directory, potentially leaving them exposed to
security breaches.

This commit restores the warning, and improves the error message.

Fixes 0023179
Stopgap measure for issue 0023173
mod - lang/strings_english.txt
mod - login_page.php

MantisBT: master-1.3.x 21a15b88

2017-08-03 16:54:04

dregad

Restore "admin dir" warning on login page

Commit 9da643a6f6c1b7604598968baa3cd2f6fd4540ff modified the admin
checks on login page to remove the logic checking for pre 1.0 upgrade
steps.

However, it also (probably unintentionally) removed the check for admin
directory presence, so administrators are no longer reminded that they
should delete this directory, potentially leaving them exposed to
security breaches.

This commit restores the warning, and improves the error message.

Fixes 0023179
Stopgap measure for issue 0023173

Backported from master-2.5 branch d6d7dc2dc7473637c8ac17a78c0374f16981f409
mod - lang/strings_english.txt
mod - login_page.php

Issue History

Date Modified Username Field Change
2017-08-03 06:25 dregad New Issue
2017-08-03 17:47 dregad Relationship added related to 0023181
2017-08-04 18:17 dregad Changeset attached => MantisBT master-2.5 d6d7dc2d
2017-08-04 18:17 dregad Assigned To => dregad
2017-08-04 18:17 dregad Status new => resolved
2017-08-04 18:17 dregad Resolution open => fixed
2017-08-04 18:17 dregad Fixed in Version => 2.5.2
2017-08-04 18:17 dregad Changeset attached => MantisBT master-1.3.x 21a15b88
2017-08-04 19:00 dregad Relationship added related to 0023173
2017-08-05 15:07 atrol Target Version => 2.5.2
2017-08-11 10:20 dregad Relationship added related to 0023211