View Issue Details

ID: 0023186
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-09-03 18:41
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version:
Target Version: 1.3.12
Fixed in Version: 1.3.12
Summary: 0023186: Improve doc and notifications when admin dir is present (CVE-2017-12419)
Description

This is just to track the stopgap measures taken to mitigate the risk of an attack as described in 0023173.

Clone of 0023185 to track the fix in the 1.3.x roadmap/changelog.

Tags: No tags attached.

Relationships

child of 0023185 (closed, dregad): Improve doc and notifications when admin dir is present (CVE-2017-12419)

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.3.x 21a15b88

2017-08-03 16:54:04

dregad

Restore "admin dir" warning on login page

Commit 9da643a6f6c1b7604598968baa3cd2f6fd4540ff modified the admin
checks on the login page to remove the logic checking for pre-1.0 upgrade
steps.

However, it also (probably unintentionally) removed the check for admin
directory presence, so administrators are no longer reminded that they
should delete this directory, potentially leaving them exposed to
security breaches.

This commit restores the warning, and improves the error message.

Fixes 0023179
Stopgap measure for issue 0023173

Backported from master-2.5 branch d6d7dc2dc7473637c8ac17a78c0374f16981f409
mod - lang/strings_english.txt
mod - login_page.php

MantisBT: master-1.3.x 10211c90

2017-08-04 17:45:55

dregad

Improve admin information about CVE-2017-12419

- Add admin check for mysqli.allow_local_infile
- Add reminder to remove admin dir at end of Admin checks
- Improve post-install tasks section of Admin Guide: add explicit
warning about potential consequences of not deleting the admin
directory, more descriptive wording.

Stopgap measures for issue 0023173

Backported from master-2.5 branch 3a7c6f75bf3c4bc0856ebffe388df9e46ac10e5d

Conflicts:
admin/check/index.php
mod - admin/check/check_database_inc.php
mod - admin/check/index.php
mod - docbook/Admin_Guide/en-US/Installation.xml

Issue History

Date Modified Username Field Change
2017-08-04 19:26 dregad New Issue
2017-08-04 19:26 dregad Status new => assigned
2017-08-04 19:26 dregad Assigned To => dregad
2017-08-04 19:26 dregad Issue generated from: 0023185
2017-08-04 19:26 dregad Relationship added child of 0023185
2017-08-04 19:27 dregad Changeset attached => MantisBT master-1.3.x 21a15b88
2017-08-04 19:27 dregad Changeset attached => MantisBT master-1.3.x 10211c90
2017-08-04 19:28 dregad Status assigned => resolved
2017-08-04 19:28 dregad Resolution open => fixed
2017-08-04 19:28 dregad Fixed in Version => 1.3.12
2017-08-04 19:31 dregad Relationship replaced related to 0023185
2017-08-04 19:32 dregad Relationship replaced child of 0023185
2017-09-03 18:41 vboctor Status resolved => closed