View Issue Details

ID: 0014538
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-08 00:34
Reporter: Y.P.Y
Assigned To: grangeway
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.11
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary: 0014538: plugins directory must be secured/fixed.
Description

http://127.0.0.1/plugins/MantisCoreFormatting/pages/config.php

Fatal error: Call to undefined function auth_reauthenticate() in C:\WWW\index\mantisbt-1.2.11\plugins\MantisCoreFormatting\pages\config.php on line 17

http://127.0.0.1/plugins/MantisCoreFormatting/pages/config_edit.php
Fatal error: Call to undefined function form_security_validate() in C:\WWW\index\mantisbt-1.2.11\plugins\MantisCoreFormatting\pages\config_edit.php on line 17

Also, directory listing is allowed.

Tags: No tags attached.

Relationships

Activities

dregad

2012-08-01 07:22

developer   ~0032433

The ability to perform directory listing is a setting of your web server, outside of MantisBT's control.

With regards to the errors you report, I am not able to reproduce the problem (although I'm on Linux, and have no access to a Windows platform).

Y.P.Y

2012-08-01 08:58

reporter   ~0032441

It has nothing to do with directory listing.
This error occurred when I accessed config_edit.php with URL/browser.

atrol

2012-08-05 16:33

developer   ~0032464

Last edited: 2012-08-05 16:35

I am able to reproduce the issue.

I didn't have a deeper look at how this can be fixed.
Maybe we have to deny access to the directory, or we have to ensure that the page can't be called by a browser (the method we use for files like bug_view_inc.php).
There are probably more files with similar behaviour.

Y.P.Y

2012-08-05 17:18

reporter   ~0032465

You all are able to reproduce the issues!

grangeway

2014-05-31 04:10

reporter   ~0040677

Well, we've added a web.config + .htaccess on the plugins directory now, which should cover this.

However, as others have said, whether the web server acknowledges the existence of either of these files, and whether the plugins are authored correctly, is also down to the end user / plugin authors.

Related Changesets

MantisBT: master 78cee358

2014-05-29 09:59:20

Paul Richards

Fix 0017380: IIS: add web.config to deny access to config/
add - config/Web.config
add - core/Web.config
add - doc/Web.config
add - lang/Web.config
add - library/Web.config
add - packages/Web.config
add - plugins/.htaccess
add - plugins/Web.config
add - scripts/.htaccess
add - scripts/Web.config
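
Whether the web server honours the added plugins/.htaccess and plugins/Web.config depends on the deployment, so the result is worth checking against your own install. The following is an added example, not part of the MantisBT issue or code base: it requests the paths from the report and classifies each response. The function names and the set of status codes treated as "blocked" are this example's own assumptions.

```python
import re
import urllib.error
import urllib.request

# PHP fatal error that leaks the install path, as in the report above.
FATAL_RE = re.compile(r"Fatal error:.*? in (?P<path>.+?) on line \d+", re.S)
# Title that Apache's mod_autoindex puts on generated listings.
LISTING_RE = re.compile(r"<title>Index of /", re.I)

def classify(status, body):
    """Return a finding for one HTTP response to a direct plugin request."""
    if status in (401, 403, 404):  # assumption: any of these means denied
        return "blocked"
    # PHP wraps the message in <b> tags when html_errors is on; strip them.
    m = FATAL_RE.search(re.sub(r"<[^>]+>", "", body))
    if m:
        return "path-disclosure: " + m.group("path").strip()
    if LISTING_RE.search(body):
        return "directory-listing"
    return "served" if status == 200 else "other (%d)" % status

def fetch(url, timeout=5):
    """GET url and return (status, body) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode("utf-8", "replace")

def audit(base_url, paths, fetcher=fetch):
    """Map each path to its finding; anything but 'blocked' needs attention."""
    base = base_url.rstrip("/")
    return {p: classify(*fetcher(base + p)) for p in paths}

# Paths taken from the report; the first one probes listing of the directory.
PATHS = [
    "/plugins/",
    "/plugins/MantisCoreFormatting/pages/config.php",
    "/plugins/MantisCoreFormatting/pages/config_edit.php",
]

if __name__ == "__main__":
    import sys
    for path, finding in audit(sys.argv[1], PATHS).items():
        print("%-55s %s" % (path, finding))
```

Run it with the base URL of your own installation as the only argument; every line should read "blocked" once the deny rules are in effect.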

Issue History

Date Modified Username Field Change
2012-07-31 17:09 Y.P.Y New Issue
2012-08-01 07:22 dregad Note Added: 0032433
2012-08-01 07:22 dregad Status new => resolved
2012-08-01 07:22 dregad Resolution open => unable to reproduce
2012-08-01 07:22 dregad Assigned To => dregad
2012-08-01 08:58 Y.P.Y Note Added: 0032441
2012-08-05 16:33 atrol Note Added: 0032464
2012-08-05 16:33 atrol Assigned To dregad =>
2012-08-05 16:33 atrol Status resolved => confirmed
2012-08-05 16:34 atrol Resolution unable to reproduce => open
2012-08-05 16:35 atrol Note Edited: 0032464
2012-08-05 17:18 Y.P.Y Note Added: 0032465
2014-05-31 04:08 grangeway Changeset attached => MantisBT master 78cee358
2014-05-31 04:10 grangeway Note Added: 0040677
2014-05-31 04:10 grangeway Status confirmed => resolved
2014-05-31 04:10 grangeway Fixed in Version => 1.3.0-beta.1
2014-05-31 04:10 grangeway Resolution open => fixed
2014-05-31 04:10 grangeway Assigned To => grangeway
2014-05-31 08:44 atrol Target Version => 1.3.0-beta.1
2014-12-08 00:34 vboctor Status resolved => closed