View Issue Details

ID: 0011415
Project: mantisbt
Category: security
View Status: public
Last Update: 2010-04-23 14:30
Reporter: urkle
Assigned To: dhx
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
OS: CentOS
OS Version: 5.4
Product Version: 1.1.8
Target Version: 1.2.1
Fixed in Version: 1.2.1
Summary: 0011415: checking for "is_readable" does not correctly validate that the admin folder is inaccessible
Description

In login_page.php there is a check to see if the admin folder

  1. is a directory
  2. is readable

However, this logic is broken, as a folder can NOT be readable yet still be accessed via the web.

Steps To Reproduce

1) Ensure the login page states "the admin directory should be removed".
2) chmod -r admin
3) Check the login page (the warning will no longer display).
4) Browse to http://mantisinstallation/admin/
5) Notice it comes up and is usable.
6) chmod o-x admin (assuming admin is NOT owned by the user and group that apache is running as).
7) Try to access http://mantisinstallation/admin/
8) Notice how access is forbidden.

Additional Information

The CORRECT check should be is_executable, NOT is_readable.

For a folder, the readable bit determines who can list its contents, and the execute bit determines who can traverse (go into) the folder. One can have no read access on a folder and STILL be able to access the contents if they know the filenames.
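The read-bit versus execute-bit distinction the report draws, as an added model in Python (not MantisBT code): `is_listable()` and `is_traversable()` mirror what PHP's `is_readable()` and `is_executable()` test on a directory for a given process identity, and `scenario()` replays the reporter's chmod sequence against the original and the patched warning logic. The uids, the 0755 starting mode and the separate server account are constructed assumptions.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class DirEntry:
    """Constructed stand-in for a directory's stat() result."""
    mode: int   # permission bits only, e.g. 0o755
    uid: int
    gid: int


@dataclass(frozen=True)
class Process:
    """Effective identity of the accessing process (hypothetical ids)."""
    uid: int
    gids: frozenset


def _has_bit(d: DirEntry, p: Process, usr: int, grp: int, oth: int) -> bool:
    """POSIX owner/group/other selection; root bypasses rwx checks on directories."""
    if p.uid == 0:
        return True
    if p.uid == d.uid:
        return bool(d.mode & usr)
    if d.gid in p.gids:
        return bool(d.mode & grp)
    return bool(d.mode & oth)


def is_listable(d: DirEntry, p: Process) -> bool:
    """Read bit on a directory: may enumerate entries (what is_readable() tests)."""
    return _has_bit(d, p, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def is_traversable(d: DirEntry, p: Process) -> bool:
    """Execute bit on a directory: may open entries by name (what is_executable() tests)."""
    return _has_bit(d, p, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


# The web server already knows the name admin/index.php, so traversal alone lets it serve the page.
APACHE = Process(uid=48, gids=frozenset({48}))  # constructed: server account, not the dir owner
OWNER_UID = 1000                                # constructed: account that unpacked MantisBT


def scenario(mode: int) -> dict:
    """Whether admin/ is served, and whether each version of the check would warn, for one mode."""
    d = DirEntry(mode=mode, uid=OWNER_UID, gid=OWNER_UID)
    return {
        "served": is_traversable(d, APACHE),
        "buggy_warns": is_listable(d, APACHE),     # original login_page.php: is_readable()
        "fixed_warns": is_traversable(d, APACHE),  # patched login_page.php: is_executable()
    }


if __name__ == "__main__":
    for label, mode in (("0755 default", 0o755), ("after chmod -r", 0o311), ("after chmod o-x", 0o310)):
        print(label, scenario(mode))
```

After `chmod -r` the directory is still served but the original check stops warning; only `chmod o-x` (a mode the patched check also reports as safe) actually blocks the web server.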

Tags: admincheck, security

Attached Files

0001-change-check-to-is_executable-instead-of-is_readable.patch (928 bytes)
From 85471ff02d9f38ca0ac94782736a0786ebf30c17 Mon Sep 17 00:00:00 2001
From: Edward Rudd <urkle@outoforder.cc>
Date: Wed, 20 Jan 2010 00:40:02 -0500
Subject: [PATCH] change check to is_executable instead of is_readable

---
 login_page.php |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/login_page.php b/login_page.php
index e004229..ba682f0 100644
--- a/login_page.php
+++ b/login_page.php
@@ -157,7 +157,7 @@
 
 	# Check if the admin directory is available and is readable.
 	$t_admin_dir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'admin' . DIRECTORY_SEPARATOR;
-	if ( is_dir( $t_admin_dir ) && is_readable( $t_admin_dir ) ) {
+	if ( is_dir( $t_admin_dir ) && is_executable( $t_admin_dir ) ) {
 		echo '<div class="warning" align="center">', "\n";
 		echo '<p><font color="red"><strong>WARNING:</strong> Admin directory should be removed.</font></p>', "\n";
 		echo '</div>', "\n";
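Review bot: The comment above the changed condition ("Check if the admin directory is available and is readable.") is now stale, since the condition tests is_executable(); reword it to say the directory is traversable (execute bit set) so the comment matches the code. It is also worth recording, in that comment or the commit message, that is_executable() is evaluated with the PHP process's own effective identity, so the warning is accurate only when PHP runs as the account the web server serves admin/ under (the report's step 6 makes that assumption explicit); when the accounts differ the directory can still be served without the warning, which is why the message's advice to remove the admin directory remains the reliable fix.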
-- 
1.6.5.2

Activities

dhx

2010-03-31 04:47

reporter   ~0024967

Thanks for the patch and apologies for not committing it earlier... I didn't see this issue report until now.

It's fixed ready for the next release.

Related Changesets

MantisBT: master-1.2.x 482a493f

2010-01-20 00:40

urkle

Committer: dhx

Fix 0011415: Check executable bit on admin/ folder, not readable bit

login_page has a check that warns if the admin/ folder is still in
place. However this check uses is_readable() instead of is_executable().
In the case of folders, the read bit determines who can list the
directory. The execute bit determines who can traverse and access files
within the directory.

Signed-off-by: David Hicks <hickseydr@optusnet.com.au>
Affected Issues
0011415
mod - login_page.php

MantisBT: master 4eb5d9ae

2010-01-20 00:40

urkle

Committer: dhx

Fix 0011415: Check executable bit on admin/ folder, not readable bit

login_page has a check that warns if the admin/ folder is still in
place. However this check uses is_readable() instead of is_executable().
In the case of folders, the read bit determines who can list the
directory. The execute bit determines who can traverse and access files
within the directory.

Signed-off-by: David Hicks <hickseydr@optusnet.com.au>
Affected Issues
0011415
mod - login_page.php