View Issue Details
Field | Value
---|---
ID | 0020789
Project | mantisbt
Category | plug-ins
View Status | public
Date Submitted | 2016-04-08 16:04
Last Update | 2019-09-16 14:30
Reporter | aavagyan
Assigned To | dregad
Priority | normal
Severity | minor
Reproducibility | have not tried
Status | closed
Resolution | no change required
Product Version | 1.2.19
Summary | 0020789: plugin files can be accessed directly
Description | The 'normal' way to access plugin files is via 'plugin' or 'plugin_file', but it looks like it is possible to access the same files directly. For example: <mantisbt web root>/plugins/MantisCoreFormatting/pages/config_edit.php This looks like a source of issues (potentially security issues too)... Should plugin writers care about this, or mantis core?
Tags | No tags attached.
Related to | 0020106 (new): .htaccess / Web.config in plugins directory prevents use of plugin assets
I'm not sure I understand the issue. The assumption is that plugin code is trusted. After all it is PHP code running on the webserver with access to the Mantis database and local file system.
No, this is not what I meant. For example, even the same /plugins/MantisCoreFormatting/pages/config_edit.php quits with an error message. If the server is configured properly it will not show it to the user; if not, it will show it, which will leak some data, for example the full path of the script, the failed function name, etc. For me, as a plugin developer, I found a way to solve this. I will check, in each plugin page, if one of the core's constants is set. If not, it will exit().
Version 1.3 comes with .htaccess and web.config files in the plugin directory, which should deny access if the webserver is configured to enforce them. So, probably a simpler solution for 1.2.x is to manually add those rules to the server configuration, instead of modifying every php file.
Leaving this in the hands of hundreds of thousands of administrators to do in the right way... doesn't look like a safe option. MantisBT plugins, on average, have only a few pages. I don't think it is difficult to add something like if( !defined( 'MANTIS_VERSION' ) ) { exit(); } at the beginning of each script. This is not beautiful, I agree, but it is safer IMO. At least until there is something better implemented centrally, maybe.
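Added example (not part of this issue thread and not MantisBT's own code): a small POSIX shell audit that checks a MantisBT plugins directory for both mitigations discussed above, the .htaccess / web.config files that 1.3+ ships in plugins/ and the per-page `defined( 'MANTIS_VERSION' )` guard suggested for 1.2.x. The two plugins it creates (GuardedDemo, LeakyDemo) are a constructed fixture, and the grep pattern assumes the guard is written with MantisBT's spacing convention; adjust it if your plugins spell it differently.

```shell
#!/bin/sh
# Added example, not MantisBT code. Audits a MantisBT plugins directory for the
# two defences discussed in issue 0020789: the .htaccess / web.config that 1.3+
# ships in plugins/, and a per-page guard such as
#   if( !defined( 'MANTIS_VERSION' ) ) { exit(); }
# for 1.2.x plugins, so a directly requested page stops before PHP can emit an
# error that leaks paths or function names.

# Returns 0 when plugins/ carries at least one of the webserver rule files.
has_access_rules() {
    plugins_dir=$1
    [ -f "$plugins_dir/.htaccess" ] || [ -f "$plugins_dir/web.config" ]
}

# Prints every PHP file under <plugin>/pages/ whose first 20 lines do not test
# MANTIS_VERSION. The pattern is an assumption about how plugin authors write
# the guard; adjust it to your own convention. Always returns 0 so callers can
# count the output.
find_unguarded_pages() {
    plugins_dir=$1
    for f in "$plugins_dir"/*/pages/*.php; do
        [ -e "$f" ] || continue   # glob matched nothing
        if ! head -n 20 "$f" | grep -q "defined( *'MANTIS_VERSION' *)"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Builds a constructed fixture (two made-up plugins, not real ones) and prints
# the path of its plugins/ directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/plugins/GuardedDemo/pages" "$root/plugins/LeakyDemo/pages"
    cat > "$root/plugins/GuardedDemo/pages/config_edit.php" <<'EOF'
<?php
# Stop when requested directly instead of through plugin_page()
if( !defined( 'MANTIS_VERSION' ) ) { exit(); }
echo 'guarded page';
EOF
    cat > "$root/plugins/LeakyDemo/pages/config_edit.php" <<'EOF'
<?php
# No guard: a direct request reaches this call and PHP raises a fatal error
echo plugin_lang_get( 'title' );
EOF
    printf '%s\n' "$root/plugins"
}

# Stand-alone demo against the constructed fixture
demo_dir=$(make_fixture)
if has_access_rules "$demo_dir"; then
    echo "access rules: present in $demo_dir"
else
    echo "access rules: MISSING in $demo_dir"
fi
echo "pages without a MANTIS_VERSION guard:"
find_unguarded_pages "$demo_dir"
```

Point `has_access_rules` and `find_unguarded_pages` at a real `<mantisbt web root>/plugins` to get the same report for an installation; an empty list from the second function plus a present rule file means both layers are in place, and either one alone still leaves the other gap described in the comments above.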
@aavagyan as mentioned by cproensa, MantisBT > 1.3 and 2.x are configured so that plugin directories are not directly accessible. Considering that 1.2 is no longer maintained, I think this can be closed now. Let us know if you feel otherwise.