From 692a9b9d2f87e6fd368f404be61aa8dc55cdfc2b Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sun, 28 Dec 2014 12:29:51 +0100
Subject: [PATCH 3/3] Install: disable step 4 (additional config info)

This fixes a security issue allowing an attacker to access the
installation script and obtain database access credentials.

Since the offending install step does not seem to be doing anything
useful, the corresponding code block has been commented out.

This vulnerability was reported by High-Tech Bridge Security Research
Lab (https://www.htbridge.com/) in issue #17937 (advisory ID HTB23243).

Fixes #17939
---
 admin/install.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/admin/install.php b/admin/install.php
index 577a32d..77f6163 100644
--- a/admin/install.php
+++ b/admin/install.php
@@ -751,7 +751,12 @@ if( 3 == $t_install_state ) {
 # database installed, get any additional information
 if( 4 == $t_install_state ) {
 
-	/** @todo to be written */
+/*
+	# 20141227 dregad Disabling this step for now, because it does not seem to
+	# be doing anything useful and can be used to retrieve system information
+	# when the admin directory has not been deleted (see #17939).
+
+	# @todo to be written
 	// must post data gathered to preserve it
 	?>
 		<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>"></input>
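Review bot: Disabling the step with a `/* ... */` wrapper is fragile, because the comment opened here is closed only by the `*/` added in the second hunk, and the lines in between are not all visible in this patch. Any `*/` inside that region would end the comment early and put the hidden `<input>` fields back into the response; the old `/** @todo to be written */` docblock already had to be turned into a `#` line for that reason. Since the commit message says the step does nothing useful, deleting the block outright would be safer than commenting it out, as version control keeps the history. If it stays, the in-code comment should name what is exposed rather than "system information", for example `# ... because it echoes submitted install settings into hidden form fields (see #17939)`.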
@@ -766,6 +771,7 @@ if( 4 == $t_install_state ) {
 <?php
 	# must post <input name="install" type="hidden" value="5"></input>
 	# rather than the following line
+*/
 	$t_install_state++;
 }  # end install_state == 4
 
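Review bot: With the body commented out, step 4 is reduced to `$t_install_state++`, so a request that reaches this state still falls through to the next step whenever the admin directory has been left in place. This hunk removes one place where values are written into the page, not access to the installer itself. Whether the later steps print the same configuration values is not visible here and is worth checking before treating #17939 as closed. A short comment on the increment, such as `# step 4 intentionally empty (see #17939), continue with step 5`, would also tell the next reader why the block does nothing.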
-- 
1.9.1

