View Issue Details

ID: 0036882
Project: mantisbt
Category: administration
View Status: public
Last Update: 2026-03-11 17:55
Reporter: raspopov
Assigned To: atrol
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: 2.28.0
Summary: 0036882: Recommendations for safe installation paths for MantisBT are not possible
Description

MantisBT fails to follow its own path security guidelines ("Paths") in /admin/check/index.php.

If you set the $g_core_path, $g_class_path, $g_library_path, and $g_language_path variables to their own unique paths and set the MANTIS_CONFIG_FOLDER environment variable to the path to the config_inc.php file, MantisBT will return a web server error: "500 Internal server error", and the PHP logs will show multiple errors.

It appears that the MantisBT codebase has been modified for some time without taking this recommendation into account.

Tags: No tags attached.

Relationships

duplicate of 0021584 [confirmed]: core_path directory can't be moved outside the web root

Activities

raspopov (reporter), 2026-02-11 12:02, note ~0070784

List of problematic files:

/core.php:69:

require_once( __DIR__ . '/core/constant_inc.php' );

The "/core" folder is located in a different location. This can probably be replaced with: require_api( 'constant_inc.php' ); and the file will have to be moved: "/core/constant_inc.php" -> "/constant_inc.php". I don't see any other way out, because the $g_core_path variable can't be used in this place; it's loaded in the same file, but lower.

/core/email_api.php:79:

require_once( __DIR__ . '/classes/EmailMessage.class.php' );
require_once( __DIR__ . '/classes/EmailSender.class.php' );

/core/email_api.php:1580:

require_once __DIR__ . '/classes/EmailSenderPhpMailer.class.php';

/classes/EmailSender.class.php:18:

require_once( __DIR__ . '/EmailMessage.class.php' );

/classes/EmailSenderPhpMailer.class.php:23:

require_once( __DIR__ . '/EmailSender.class.php' );

The "/classes" folder is no longer available. These lines can simply be removed, since the class autoloader is used anyway.

/core/logging_api.php:325:

$t_root_path = dirname( __DIR__ ) . DIRECTORY_SEPARATOR;
...
$t_root_path . 'plugin.php'

The "/core" folder is located in a different root folder. We probably need to use the $g_core_path variable here.

/core/commands/IssueViewPageCommand.php:36 (and 12 files next to it):

$t_api_path = dirname( __DIR__, 2 ) . '/api/soap/';

The "/core" folder is not located next to "/api". Replace with:

global $g_absolute_path;
$t_soap_dir = $g_absolute_path . '/api/soap/';

/admin/check/check_paths_inc.php:73:

MantisBT thinks that the "/mantisbt-config" folder is inside the "/mantisbt" folder.

$t_new_path['real_path'] = realpath( $t_new_path['config_value'] );

Needs to be replaced with:

$t_new_path['real_path'] = realpath( $t_new_path['config_value'] ) . DIRECTORY_SEPARATOR;
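
As an added example (not MantisBT's own code; the directory layout, file name and function names below are constructed for illustration), here is the containment test in PHP that the reporter's last two points describe: the naive prefix comparison that makes "/var/www/mantisbt-config" look like a child of "/var/www/mantisbt", beside the separator-terminated comparison, and the dirname( __DIR__, 2 ) lookup from IssueViewPageCommand.php beside the lookup through the configured absolute path. The split layout mirrors the one in the description (core, classes, library, language and config directories as siblings of the web root rather than inside it, which is what keeps them unreachable over HTTP):

```php
<?php
// Added example, not MantisBT code. Every path, the file name and the
// function names are constructed for illustration.

// Constructed split layout: only the web root is served by the web
// server; every other directory is a sibling of it, i.e. NOT reachable
// over HTTP. 'admin' is the one entry that genuinely sits inside.
$t_web_root = '/var/www/mantisbt';                 // $g_absolute_path
$t_dirs = array(
    'core_path'     => '/var/www/mantisbt-core',    // $g_core_path
    'class_path'    => '/var/www/mantisbt-classes', // $g_class_path
    'library_path'  => '/var/www/mantisbt-library', // $g_library_path
    'language_path' => '/var/www/mantisbt-lang',    // $g_language_path
    'config_folder' => '/var/www/mantisbt-config',  // MANTIS_CONFIG_FOLDER
    'admin_path'    => '/var/www/mantisbt/admin',   // inside the web root
);

/**
 * Normalise a directory path for comparison. realpath() resolves
 * symlinks and '..' when the directory exists; for the constructed paths
 * above it returns false, so fall back to plain string clean-up. The
 * trailing separator is the fix the reporter proposes: without it,
 * "/var/www/mantisbt" is a string prefix of "/var/www/mantisbt-config".
 */
function normalise_dir( $p_path ) {
    $t_real = realpath( $p_path );
    $t_path = ( $t_real !== false ) ? $t_real : $p_path;
    return rtrim( $t_path, '/\\' ) . DIRECTORY_SEPARATOR;
}

/** Naive check: bare prefix match against an un-terminated root. */
function is_inside_naive( $p_dir, $p_root ) {
    $t_root = rtrim( $p_root, '/\\' );
    return strncmp( $p_dir, $t_root, strlen( $t_root ) ) === 0;
}

/** Corrected check: both sides separator-terminated before comparing. */
function is_inside( $p_dir, $p_root ) {
    $t_dir  = normalise_dir( $p_dir );
    $t_root = normalise_dir( $p_root );
    return strncmp( $t_dir, $t_root, strlen( $t_root ) ) === 0;
}

foreach( $t_dirs as $t_name => $t_dir ) {
    printf( "%-14s naive=%-6s fixed=%-6s %s\n",
        $t_name,
        is_inside_naive( $t_dir, $t_web_root ) ? 'INSIDE' : 'ok',
        is_inside( $t_dir, $t_web_root ) ? 'INSIDE' : 'ok',
        $t_dir );
}

/**
 * The IssueViewPageCommand.php case: two dirname() hops up from a file
 * in the relocated core directory no longer land in the web root, while
 * the configured absolute path does not depend on where core lives.
 */
function soap_dir_via_dirname( $p_core_file ) {
    return dirname( $p_core_file, 2 ) . '/api/soap/';
}

function soap_dir_via_config( $p_absolute_path ) {
    return rtrim( $p_absolute_path, '/\\' ) . '/api/soap/';
}

// Constructed location of the command file in the split layout.
$t_command_file = $t_dirs['core_path'] . '/commands/IssueViewPageCommand.php';
echo "dirname(): " . soap_dir_via_dirname( $t_command_file ) . "\n"; // /var/www/api/soap/
echo "config:    " . soap_dir_via_config( $t_web_root ) . "\n";      // /var/www/mantisbt/api/soap/
```

Run it with the php command-line binary; none of the constructed directories need to exist, because normalise_dir() falls back to string clean-up when realpath() returns false. In a real admin check that false return is itself a finding (the configured path does not exist) and should be reported rather than silently accepted, since a missing core or config directory will also produce the 500 the description mentions.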
atrol (developer), 2026-02-11 15:28, note ~0070785

Please add any findings to 0021584

raspopov (reporter), 2026-02-11 22:34, note ~0070787

@atrol Thanks for pointing out the issue about this problem. I actually searched for it using the keyword "admin/check/index.php". But that report listed the old URL "/admin/check.php".