View Issue Details

ID: 0013899
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-08 00:33
Reporter: ElVargo
Assigned To: grangeway
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: 1.2.8
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary: 0013899: CVE-2011-3755: sensitive information via a direct request to a .php file
Description

MantisBT 1.2.8 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by view_all_inc.php and certain other files.

Steps To Reproduce

Direct request of a .php file, for example:

http://[HOST]/view_all_inc.php

Tags: No tags attached.

Relationships

duplicate of 0011494 (closed, dhx): Don't allow *_inc.php files to be called directly
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

Dentxinho

2012-02-15 10:58

reporter   ~0031245

It happens only if error reporting of the web server is turned on, and it happens with all included files.

grangeway

2012-02-15 19:17

reporter   ~0031247

Hi,

A fix for this issue was already committed by David Hicks [see issue 0011494 in this tracker]. There is a patch linked to that issue.

However, best practice for a production web server is to disable PHP error reporting to an end user's browser.

I'd link you the patch on GitHub regarding this, however GitHub is down atm.

ElVargo

2012-02-17 12:16

reporter   ~0031254

Hi, understood. But, unfortunately, my provider has enabled PHP error reporting by default. I have not found any solution to disable this flag, yet.

Lapinkiller

2012-02-20 02:37

reporter   ~0031256

I think you can redefine PHP error reporting via a .htaccess file ;)

ElVargo

2012-02-21 13:48

reporter   ~0031281

Unfortunately this results in a 500 HTTP status code ... ;)

I solved the problem with a 301 redirect for all files containing "_inc.php".

Thanks for your information and suggestions!

grangeway

2013-04-05 17:57

reporter   ~0036313

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.
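
A regression check for the behaviour reported in this issue, as an added example that is not part of the original thread or of MantisBT's code: it scans a response body for PHP's standard error format and reports the installation directory it reveals for the requested include file. The function names, the sample responses, the path and the function named in the error text are constructed for illustration.

```python
import re

_TAGS = re.compile(r"<[^>]+>")  # PHP wraps error parts in <b>..</b> when html_errors is on
# PHP's standard message shape: "<level>: <message> in <absolute path> on line <n>"
_PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated|Strict Standards)"
    r":\s+(?P<message>.*?)\s+in\s+(?P<path>(?:/|[A-Za-z]:\\)\S+?\.php)"
    r"\s+on line\s+(?P<line>\d+)",
    re.DOTALL,
)


def find_path_disclosures(body):
    """Return (level, path, line) for every PHP error in body that shows an absolute path."""
    text = _TAGS.sub("", body)
    return [(m["level"], m["path"], int(m["line"])) for m in _PHP_ERROR.finditer(text)]


def leaked_install_dirs(body, script):
    """Directories revealed for the requested script, e.g. 'view_all_inc.php'."""
    dirs = set()
    for _level, path, _line in find_path_disclosures(body):
        # Normalise Windows separators so both path styles split the same way.
        directory, _, name = path.replace("\\", "/").rpartition("/")
        if name == script:
            dirs.add(directory)
    return sorted(dirs)


# Constructed response bodies (not captured from a real server); the path and the
# function name in the error text are placeholders.
LEAKY = (
    "<br />\n<b>Fatal error</b>:  Call to undefined function example_helper() in "
    "<b>/srv/www/example/mantis/view_all_inc.php</b> on line <b>12</b><br />\n"
)
QUIET = ""  # same request with error display off, or with the include blocked
PROSE = "<p>Warning: this project is public. Log in to report an issue.</p>"

if __name__ == "__main__":
    for label, body in (("leaky", LEAKY), ("quiet", QUIET), ("prose", PROSE)):
        print(label, leaked_install_dirs(body, "view_all_inc.php"))
```

Fed the responses of your own installation for each *_inc.php file, an empty list for every file is the expected result once the fix is applied or error display is turned off.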