0024089: POST request to login_password_page.php return 405 when admin folder is deleted or access restricted - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0024089	mantisbt	authentication	public	2018-03-08 11:24	2018-03-31 19:58

Reporter	omerfirmak	Assigned To	atrol
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.12.0
Target Version	2.13.0	Fixed in Version	2.13.0

Summary	0024089: POST request to login_password_page.php return 405 when admin folder is deleted or access restricted
Description	Hi, So when I delete or chmod 000 admin folder, POST request to login_password_page.php returns 405.
Tags	No tags attached.
Attached Files

dregad 2018-03-08 11:37 developer ~0059120	Can you clarify what POST request you are talking about ? Please provide detailed steps to reproduce the error.

omerfirmak 2018-03-08 12:14 reporter ~0059121	Sorry for that, attached file should be enough i guess. Error only occurs when I "chmod 000" the admin folder. If I delete or rename it, looks like it works fine. mantis405.json (4,176 bytes) { "log": { "version": "1.1", "creator": { "name": "Firefox", "version": "58.0.2" }, "browser": { "name": "Firefox", "version": "58.0.2" }, "pages": [ { "startedDateTime": "2018-03-08T20:07:34.841+03:00", "id": "page_1", "title": "405 Not Allowed", "pageTimings": { "onContentLoad": -1, "onLoad": -1 } } ], "entries": [ { "pageref": "page_1", "startedDateTime": "2018-03-08T20:07:34.841+03:00", "time": null, "request": { "bodySize": 32, "method": "POST", "url": "http://ankasys.synology.me/mantisbt/login_password_page.php", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Host", "value": "ankasys.synology.me" }, { "name": "User-Agent", "value": "Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0" }, { "name": "Accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8" }, { "name": "Accept-Language", "value": "en-US,en;q=0.5" }, { "name": "Accept-Encoding", "value": "gzip, deflate" }, { "name": "Referer", "value": "http://ankasys.synology.me/mantisbt/login_page.php" }, { "name": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "name": "Content-Length", "value": "32" }, { "name": "Cookie", "value": "MANTIS_collapse_settings=\|sidebar:1; stay_login=0; MANTIS_secure_session=0; MANTIS_VIEW_ALL_COOKIE=2; PHPSESSID=g3j5gh4is7oei4dfoids9mtqj2" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Upgrade-Insecure-Requests", "value": "1" }, { "name": "Pragma", "value": "no-cache" }, { "name": "Cache-Control", "value": "no-cache" } ], "cookies": [], "queryString": [], "postData": { "mimeType": "application/x-www-form-urlencoded", "params": [], "text": "return=index.php&username=ankaoi" }, "headersSize": 673 }, "response": { "status": 405, "statusText": "Not Allowed", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Server", "value": "nginx" }, { "name": "Date", "value": "Thu, 08 Mar 2018 17:07:34 GMT" }, { "name": "Content-Type", "value": "text/html" }, { "name": "Content-Length", "value": "166" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Keep-Alive", "value": "timeout=20" } ], "cookies": [], "content": { "mimeType": "text/html", "size": 166, "text": "<html>\r\n<head><title>405 Not Allowed</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>405 Not Allowed</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n" }, "redirectURL": "", "headersSize": 174, "bodySize": 340 }, "cache": {}, "timings": { "blocked": 0, "dns": 0, "connect": 0, "ssl": 0, "send": 0, "wait": 86, "receive": 0 }, "serverIPAddress": "176.43.7.89", "connection": "80" } ] } } mantis405.json (4,176 bytes)

atrol 2018-03-08 13:35 developer ~0059124 Last edited: 2018-03-08 13:36	I am wondering if we can remove all that checks $t_upgrade_required = false; if( config_get_global( 'admin_checks' ) == ON && file_exists( dirname( __FILE__ ) .'/admin' ) ) { # since admin directory and db_upgrade lists are available check for missing db upgrades # if db version is 0, we do not have a valid database. $t_db_version = config_get( 'database_version', 0 ); if( $t_db_version == 0 ) { $t_warnings[] = lang_get( 'error_database_no_schema_version' ); } # Check for db upgrade for versions > 1.0.0 using new installer and schema require_once( 'admin' . DIRECTORY_SEPARATOR . 'schema.php' ); $t_upgrades_reqd = count( $g_upgrade ) - 1; if( ( 0 < $t_db_version ) && ( $t_db_version != $t_upgrades_reqd ) ) { if( $t_db_version < $t_upgrades_reqd ) { $t_upgrade_required = true; } } } from login_password_page.php as we check already in login_page.php

atrol 2018-03-08 14:32 developer ~0059125	I wondered why it worked on page login_page.php but not login_password_page.php. It's because we check for `/admin/.` in login_page.php but `/admin` in login_password_page.php The checks can't be removed at the moment, as it's needed to populate hidden field `install` so that login.php executes admin/install.php if there is an outdated database schema.

atrol 2018-03-08 14:33 developer ~0059126	PR https://github.com/mantisbt/mantisbt/pull/1314