View Issue Details

ID: 0013990
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-09-04 02:48
Reporter: olegk
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: duplicate
Product Version: 1.2.8
Summary: 0013990: Vulnerability in verify.php in case of wrong php configuration
Description

Sometimes administrators suppress error reporting with the PHP directive error_reporting 0.
Quite often it's done in .htaccess with the line "php_value error_reporting 0".

But this directive disables the trigger_error() function, which is used in verify.php:

<code>
if ( $f_confirm_hash != $t_calculated_confirm_hash ) {
trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
}
</code>

So it's possible to get logged in with a URL like this:

http://domain.name/verify.php?id=NNN&confirm_hash=MMM

where NNN - ID of any active user
MMM - any string

I believe this part of code should be changed.

Tags: No tags attached.

Relationships

duplicate of 0010966 (closed, dregad): No Errors shown at all if error_reporting=0 configured at server

Activities

grangeway

2012-03-03 08:27

reporter   ~0031369

This is actually 'fixed' in our newer branches using exceptions, but yea - I think I'll rework the code not to call auth_script_login as I'm not even sure I like the existence of this particular function ;/

dhx

2012-03-06 07:37

reporter   ~0031387

We should probably check for invalid error handler configuration and prevent MantisBT from operating when fatal errors are not fatal.

dregad

2014-11-15 08:31

developer   ~0041856

This security issue has been resolved by forcing capture of E_USER_* errors regardless of ini / .htaccess settings (see 0010966).
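
Added example, not part of the original issue and not MantisBT code: a minimal PHP sketch of the fall-through the report describes and of the resolution named in the last note. It assumes a custom error handler that returns early when error_reporting() is 0; every function and constant name in it is hypothetical.

```php
<?php
// Added illustration: all names are hypothetical, not MantisBT code.

const USER_ERRORS = E_USER_ERROR | E_USER_WARNING | E_USER_NOTICE | E_USER_DEPRECATED;

// Assumed handler shape: treats error_reporting() == 0 as "stay silent"
// and returns, so the caller continues after trigger_error().
function lenient_handler(int $type, string $msg): bool {
    if (error_reporting() === 0) {
        return true;
    }
    throw new ErrorException($msg, 0, $type);
}

// Handler that always acts on E_USER_* errors, whatever error_reporting says.
function strict_handler(int $type, string $msg): bool {
    if (($type & USER_ERRORS) === 0 && error_reporting() === 0) {
        return true;
    }
    throw new ErrorException($msg, 0, $type);
}

// Pattern from the report: trigger_error() is the only thing stopping a bad hash.
function verify(string $supplied, string $expected): bool {
    if ($supplied != $expected) {
        trigger_error('confirm hash invalid', E_USER_ERROR);
    }
    return true; // reached whenever the handler returns
}

// Runs verify() under the given handler with error reporting switched off.
function outcome(callable $handler, string $supplied, string $expected): string {
    $old_level = error_reporting(0); // same effect as "php_value error_reporting 0"
    set_error_handler($handler);
    try {
        verify($supplied, $expected);
        return 'accepted';
    } catch (ErrorException $e) {
        return 'rejected';
    } finally {
        restore_error_handler();
        error_reporting($old_level);
    }
}

$expected = hash('sha256', 'constructed-secret'); // constructed sample value
foreach (['lenient_handler', 'strict_handler'] as $handler) {
    printf("%-16s wrong hash: %s, right hash: %s\n", $handler,
        outcome($handler, 'MMM', $expected), outcome($handler, $expected, $expected));
}
```

A check that returns or exits explicitly on a mismatch, rather than relying on trigger_error() to halt, does not depend on either handler.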