MantisBT

View Issue Details
ID: 0014538
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2012-07-31 17:09
Last Update: 2014-05-31 08:44
Reporter: Y.P.Y
Assigned To: grangeway
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 1.2.11
Target Version: 1.3.x
Fixed in Version: 1.3.x
Summary: 0014538: plugins directory must be secured/fixed.
Description:
http://127.0.0.1/plugins/MantisCoreFormatting/pages/config.php

Fatal error: Call to undefined function auth_reauthenticate() in C:\WWW\index\mantisbt-1.2.11\plugins\MantisCoreFormatting\pages\config.php on line 17


http://127.0.0.1/plugins/MantisCoreFormatting/pages/config_edit.php
Fatal error: Call to undefined function form_security_validate() in C:\WWW\index\mantisbt-1.2.11\plugins\MantisCoreFormatting\pages\config_edit.php on line 17

Also, directory listings are allowed.
Tags: No tags attached.

Notes

(0032433)
dregad (developer)
2012-08-01 07:22

Ability to perform Directory listing is a setting of your web server, outside of MantisBT's control.

With regard to the errors you report, I am not able to reproduce the problem you report (although I'm on Linux, and have no access to a Windows platform).

(0032441)
Y.P.Y (reporter)
2012-08-01 08:58

It has nothing to do with directory listing.
This error occurred when I accessed config_edit.php with URL/browser.

(0032464)
atrol (developer)
2012-08-05 16:33
edited on: 2012-08-05 16:35

I am able to reproduce the issue.

I didn't have a deeper look at how this can be fixed.
Maybe we have to deny access to the directory, or we have to ensure that the page can't be called by a browser (the method we use for files like bug_view_inc.php).
There are probably more files with similar behaviour.

(0032465)
Y.P.Y (reporter)
2012-08-05 17:18

You all are able to reproduce the issues!

(0040677)
grangeway (developer)
2014-05-31 04:10

Well, we've added a web.config + .htaccess on the plugins directory, now, which should cover this.

However, as others have said, whether the web server acknowledges the existence of either of these files, and whether the plugins are authored correctly, is also down to the end user / plugin authors.

Related Changesets
MantisBT: master 78cee358
Timestamp: 2014-05-29 09:59:20
Author: Paul Richards
Fix 0017380: IIS: add web.config to deny access to config/
add - config/Web.config
add - core/Web.config
add - doc/Web.config
add - lang/Web.config
add - library/Web.config
add - packages/Web.config
add - plugins/.htaccess
add - plugins/Web.config
add - scripts/.htaccess
add - scripts/Web.config
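
The notes above leave two things for the administrator to confirm: that the access-control files from this changeset are present, and that the web server actually honours them. The check below is an added example, not MantisBT code; the function names are hypothetical, the file list is taken from the changeset, and the sample body is the error text quoted in the report.

```python
import re
from pathlib import Path

# Files added by the changeset listed above, relative to the MantisBT root.
EXPECTED = {
    "config": ["Web.config"], "core": ["Web.config"], "doc": ["Web.config"],
    "lang": ["Web.config"], "library": ["Web.config"], "packages": ["Web.config"],
    "plugins": [".htaccess", "Web.config"], "scripts": [".htaccess", "Web.config"],
}

# PHP fatal-error text: message, script path, line number (as in the report).
FATAL_RE = re.compile(r"Fatal error:\s*(?P<msg>.+?) in (?P<path>.+?) on line (?P<line>\d+)")

# Error text quoted in the issue description, used here as a constructed response body.
SAMPLE_BODY = (r"Fatal error: Call to undefined function auth_reauthenticate() in "
               r"C:\WWW\index\mantisbt-1.2.11\plugins\MantisCoreFormatting\pages\config.php"
               " on line 17")


def missing_access_files(root):
    """Return the expected access-control files that are absent under root."""
    root = Path(root)
    return sorted(f"{d}/{name}" for d, names in EXPECTED.items()
                  for name in names if not (root / d / name).is_file())


def classify_response(status, body):
    """Classify the response to a direct browser request for a plugin page."""
    text = re.sub(r"<[^>]+>", "", body)  # with html_errors on, PHP adds <b> tags
    m = FATAL_RE.search(text)
    if m:  # the script ran outside the application and leaked its full path
        return {"verdict": "path-disclosure", "path": m.group("path"),
                "line": int(m.group("line"))}
    if status in (401, 403, 404):  # the server refused to serve the file
        return {"verdict": "blocked"}
    return {"verdict": "reachable"}  # served without the error; review manually


if __name__ == "__main__":
    print(missing_access_files("."))            # files on disk in the current tree
    print(classify_response(200, SAMPLE_BODY))  # what the reporter saw
    print(classify_response(403, "Forbidden"))  # what the deny rules should yield
```

A file being present on disk only shows that the rule was shipped; the response check is what shows that the server applies it.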

Issue History
Date Modified Username Field Change
2012-07-31 17:09 Y.P.Y New Issue
2012-08-01 07:22 dregad Note Added: 0032433
2012-08-01 07:22 dregad Status new => resolved
2012-08-01 07:22 dregad Resolution open => unable to reproduce
2012-08-01 07:22 dregad Assigned To => dregad
2012-08-01 08:58 Y.P.Y Note Added: 0032441
2012-08-05 16:33 atrol Note Added: 0032464
2012-08-05 16:33 atrol Assigned To dregad =>
2012-08-05 16:33 atrol Status resolved => confirmed
2012-08-05 16:34 atrol Resolution unable to reproduce => open
2012-08-05 16:35 atrol Note Edited: 0032464
2012-08-05 17:18 Y.P.Y Note Added: 0032465
2014-05-31 04:08 grangeway Changeset attached => MantisBT master 78cee358
2014-05-31 04:10 grangeway Note Added: 0040677
2014-05-31 04:10 grangeway Status confirmed => resolved
2014-05-31 04:10 grangeway Fixed in Version => 1.3.x
2014-05-31 04:10 grangeway Resolution open => fixed
2014-05-31 04:10 grangeway Assigned To => grangeway
2014-05-31 08:44 atrol Target Version => 1.3.x


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team