View Issue Details
| Field | Value |
|---|---|
| ID | 0013899 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2012-02-15 05:16 |
| Last Update | 2014-12-08 00:33 |
| Reporter | ElVargo |
| Assigned To | grangeway |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | duplicate |
| Product Version | 1.2.8 |
| Target Version | 1.3.0-beta.1 |
| Fixed in Version | 1.3.0-beta.1 |
| Summary | 0013899: CVE-2011-3755: sensitive information via a direct request to a .php file |
| Description | MantisBT 1.2.8 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by view_all_inc.php and certain other files. |
| Steps To Reproduce | direct request of a .php file, for example: |
| Tags | No tags attached. |
It happens only if error reporting of the web server is turned on, and happens with all included files.

Hi, a fix for this issue was already committed by David Hicks [see issue 0011494 in this tracker]. There is a patch linked to that issue. However, best practice for a production webserver is to disable PHP error reporting to an end-user's browser. I'd link you the patch on GitHub regarding this, however GitHub is down atm.

Hi, understood. But, unfortunately, my provider has enabled PHP error reporting by default. I have not found any solution to disable this flag yet.

I think you can redefine PHP error reporting via a .htaccess file ;)

Unfortunately this results in a 500 HTTP status code ... ;) I solved the problem by a 301 redirect for all files containing "_inc.php". Thanks for your information and suggestions!

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.
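The thread above discusses two server-side mitigations for the path disclosure (blocking direct requests to the `*_inc.php` fragments, and turning off PHP error display) and runs into a 500 error when `php_flag` is placed in `.htaccess`. The following `.htaccess` is an added example, not MantisBT's own configuration or the patch referenced in issue 0011494. It assumes Apache httpd serving the MantisBT web root with `AllowOverride` permitting `FileInfo` and `Limit` directives. The 500 that the reporter saw is the usual symptom of `php_flag` being used where PHP is not loaded as an Apache module (CGI/FastCGI deployments): Apache does not know the directive and rejects the whole file. Guarding it with `IfModule` avoids that, and denying the fragments at the Apache level works regardless of how PHP is run, because `include`/`require` from another script reads the file from disk rather than through HTTP. This is offered as an alternative to the 301 redirect the reporter used, not a correction of it.

```apache
# Added example (not MantisBT's own configuration): .htaccess in the MantisBT
# web root. Assumes Apache httpd with AllowOverride FileInfo and Limit.

# 1. Refuse direct HTTP requests to include-only fragments (the *_inc.php
#    files named in the report). Apache answers before PHP runs, so no PHP
#    notice containing the install path is ever generated; PHP's own
#    include/require of these files from a page script is unaffected.
<FilesMatch "_inc\.php$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# 2. Keep PHP diagnostics out of HTTP responses. php_flag is only a valid
#    directive when PHP is loaded as an Apache module; under CGI/FastCGI an
#    unguarded php_flag line makes Apache reject this .htaccess with
#    "500 Internal Server Error". The IfModule wrappers avoid that failure
#    mode while still applying the setting where mod_php is present.
<IfModule mod_php5.c>
    php_flag display_errors Off
    php_flag log_errors On
</IfModule>
<IfModule mod_php7.c>
    php_flag display_errors Off
    php_flag log_errors On
</IfModule>
```

For CGI/FastCGI deployments where the `php_flag` lines are skipped, the equivalent settings (`display_errors=Off`, `log_errors=On`) go in a `.user.ini` file in the same directory, which PHP 5.3 and later reads per directory, or in the global `php.ini`. To verify the deployment, request one of the fragments directly against your own installation (for example with `curl -I` on `view_all_inc.php`) and confirm a 403 with no path in the body, then confirm that a normal page that includes the fragment still renders.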