View Issue Details

ID: 0014538
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-08 00:34
Reporter: Y.P.Y
Assigned To: grangeway
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.11
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary: 0014538: plugins directory must be secured/fixed.
Description

http://127.0.0.1/plugins/MantisCoreFormatting/pages/config.php

Fatal error: Call to undefined function auth_reauthenticate() in C:\WWW\index\mantisbt-1.2.11\plugins\MantisCoreFormatting\pages\config.php on line 17

http://127.0.0.1/plugins/MantisCoreFormatting/pages/config_edit.php
Fatal error: Call to undefined function form_security_validate() in C:\WWW\index\mantisbt-1.2.11\plugins\MantisCoreFormatting\pages\config_edit.php on line 17

Also, directory listing is allowed.

Tags: No tags attached.

Activities

dregad (developer), 2012-08-01 07:22, note ~0032433

Ability to perform directory listing is a setting of your web server, outside of MantisBT's control.

With regard to the errors you report, I am not able to reproduce the problem you report (although I'm on Linux, and have no access to a Windows platform).

Y.P.Y (reporter), 2012-08-01 08:58, note ~0032441

This has nothing to do with directory listing.
This error occurred when I accessed config_edit.php via URL/browser.

atrol (developer), 2012-08-05 16:33, note ~0032464 (last edited: 2012-08-05 16:35)

I am able to reproduce the issue.

I didn't have a deeper look at how this can be fixed.
Maybe we have to deny access to the directory, or we have to ensure that the page can't be called by the browser (the method we use for files like bug_view_inc.php).
There are probably more files with similar behaviour.

Y.P.Y (reporter), 2012-08-05 17:18, note ~0032465

You all are able to reproduce the issues!

grangeway (reporter), 2014-05-31 04:10, note ~0040677

Well, we've added a web.config + .htaccess on the plugins directory now, which should cover this.

However, as others have said, whether the web server acknowledges the existence of either of these files, and whether the plugins are authored correctly, is also down to the end user / plugin authors.
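For reference, an added example (not the file from the changeset, nor any other MantisBT code) of what a deny-all plugins/.htaccess looks like for both the Apache 2.4 and the legacy 2.2 access-control syntax; it assumes the server's AllowOverride setting lets .htaccess files in that directory take effect, which is the "whether the web server acknowledges" caveat in the comment above.

```apache
# plugins/.htaccess (example file, not MantisBT's own)
#
# Refuse every direct HTTP request below plugins/. Files such as
# plugins/MantisCoreFormatting/pages/config.php then only run when the
# MantisBT core includes them (e.g. through plugin.php), and the core is
# what defines auth_reauthenticate() and form_security_validate(). This
# also removes the directory listing, since the directory is no longer
# reachable over HTTP at all.

# Apache 2.4 and later: mod_authz_core syntax
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: legacy mod_authz_host syntax (the "!" test keeps the old
# directives out of a 2.4 server, where they would be rejected)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

A quick check after deploying: requesting http://127.0.0.1/plugins/MantisCoreFormatting/pages/config.php should now return 403 instead of the fatal error. If the PHP still executes, AllowOverride is not honouring the file and the same rules belong in a Directory block of the server configuration (IIS needs the equivalent Web.config, as in the changeset).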

Related Changesets

MantisBT: master 78cee358 (2014-05-29 05:59, Paul Richards)
Commit message: Fix 0017380: IIS: add web.config to deny access to config/
Affected Issues: 0014538, 0017380
add - config/Web.config
add - core/Web.config
add - doc/Web.config
add - lang/Web.config
add - library/Web.config
add - packages/Web.config
add - plugins/.htaccess
add - plugins/Web.config
add - scripts/.htaccess
add - scripts/Web.config