View Issue Details

ID: 0020789
Project: mantisbt
Category: plug-ins
View Status: public
Last Update: 2019-09-16 14:30
Reporter: aavagyan
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: no change required
Product Version: 1.2.19
Summary: 0020789: plugin files can be accessed directly
Description

The 'normal' way to access plugin files is via 'plugin' or 'plugin_file', but it looks like it is possible to access the same directly. For example:

<mantisbt web root>/plugins/MantisCoreFormatting/pages/config_edit.php

This looks like a source of issues (potentially security issues too)... Should plugin writers care about this, or the Mantis core?

Tags: No tags attached.

Relationships

related to 0020106 (new): .htaccess / Web.config in plugins directory prevents use of plugin assets

Activities

vboctor (manager), 2016-04-08 21:42, note ~0052925

I'm not sure I understand the issue. The assumption is that plugin code is trusted. After all it is PHP code running on the webserver with access to the Mantis database and local file system.

aavagyan (reporter), 2016-04-09 01:04, note ~0052926

No, this is not what I meant. For example, even the same /plugins/MantisCoreFormatting/pages/config_edit.php quits with an error message. If the server is configured properly it will not show it to the user; if not, it will show it, which will leak some data, for example the full path of the script, the failed function name, etc.

For me, as a plugin developer, I found a way to solve this. I will check, in each plugin page, whether one of the core's constants is set. If not, it will exit().

cproensa (developer), 2016-04-09 07:26, note ~0052927

Version 1.3 comes with .htaccess and web.config files in the plugin directory, which should deny access if the webserver is configured to enforce them.

So, probably a simpler solution for 1.2.x is to manually add those rules to the server configuration, instead of modifying every PHP file.

aavagyan (reporter), 2016-04-11 04:10, note ~0052932

Leaving this in the hands of hundreds of thousands of administrators to do in the right way... doesn't look like a safe option. MantisBT plugins, on average, have only a few pages. I don't think it is difficult to add something like

if( !defined( 'MANTIS_VERSION' ) ) { exit(); }

at the beginning of each script. This is not beautiful, I agree, but it is safer IMO. At least until there is something better implemented centrally, maybe.
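As an added example (not part of this issue and not MantisBT's own code), the following POSIX shell script audits a MantisBT plugins directory for the two mitigations discussed in this thread: whether a plugins/.htaccess is present (the webserver-level deny rule cproensa describes for 1.3), and which plugin pages under pages/ lack the MANTIS_VERSION guard aavagyan proposes for 1.2.x. The sample plugin tree it builds, the plugin names and the page contents are constructed for the demonstration; it does not check the content of the .htaccess rules or whether Apache actually honours the file (AllowOverride), which is the administrator's side of the problem the thread points out.

```shell
#!/bin/sh
# Added example: audit a MantisBT plugins directory for the two mitigations
# discussed in the issue. The sample tree, plugin names and file contents
# below are constructed for the demonstration; they are not MantisBT files.

# has_guard FILE: exit 0 when FILE contains a
#   if( !defined( 'MANTIS_VERSION' ) ) { exit(); }
# style check, 1 otherwise (whitespace inside the parentheses may vary).
has_guard() {
    grep -q "defined( *'MANTIS_VERSION' *)" "$1"
}

# has_plugins_htaccess DIR: exit 0 when DIR/.htaccess exists (the 1.3+ layout).
# Presence alone is not enough; Apache must also honour it (AllowOverride).
has_plugins_htaccess() {
    [ -f "$1/.htaccess" ]
}

# find_unguarded DIR: print every plugin page (any */pages/*.php under DIR)
# that lacks the guard, one path per line, sorted.
find_unguarded() {
    find "$1" -path '*/pages/*.php' -type f | sort | while IFS= read -r f; do
        has_guard "$f" || printf '%s\n' "$f"
    done
}

# make_sample_tree DIR: build a constructed plugins tree with one guarded and
# one unguarded page so the audit can be exercised offline.
make_sample_tree() {
    mkdir -p "$1/GoodPlugin/pages" "$1/BadPlugin/pages"
    cat > "$1/GoodPlugin/pages/config_edit.php" <<'EOF'
<?php
if( !defined( 'MANTIS_VERSION' ) ) { exit(); }
// plugin page body would follow (constructed placeholder)
EOF
    cat > "$1/BadPlugin/pages/config_edit.php" <<'EOF'
<?php
// no MANTIS_VERSION check: a direct request to this file runs it outside
// the MantisBT core, so it fails with an error (constructed placeholder)
auth_reauthenticate();
EOF
}

# audit DIR: print findings; exit 0 only when .htaccess is present and no
# page is unguarded.
audit() {
    _rc=0
    if has_plugins_htaccess "$1"; then
        echo "ok: $1/.htaccess present"
    else
        echo "missing: $1/.htaccess (no webserver-level deny rule)"
        _rc=1
    fi
    _unguarded=$(find_unguarded "$1")
    if [ -n "$_unguarded" ]; then
        echo "pages without MANTIS_VERSION guard:"
        printf '%s\n' "$_unguarded"
        _rc=1
    else
        echo "ok: all plugin pages carry the MANTIS_VERSION guard"
    fi
    return "$_rc"
}

# Usage: sh audit_plugins.sh /path/to/mantisbt/plugins
# With no argument, a constructed sample tree is audited instead.
if [ "$#" -gt 0 ]; then
    audit "$1"
else
    _demo=$(mktemp -d)
    make_sample_tree "$_demo"
    audit "$_demo"
    rm -rf "$_demo"
fi
```

Run it against the real plugins directory of a 1.2.x install to see which pages would need the guard; on 1.3+ the first check should pass and the remaining value is in catching third-party plugins that were written for 1.2 and copied over.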

dregad (developer), 2019-09-06 03:37, note ~0062740

@aavagyan as mentioned by cproensa, MantisBT > 1.3 and 2.x are configured so that plugin directories are not directly accessible. Considering that 1.2 is no longer maintained, I think this can be closed now. Let us know if you feel otherwise.

Issue History

Date Modified Username Field Change
2016-04-08 16:04 aavagyan New Issue
2016-04-08 21:42 vboctor Note Added: 0052925
2016-04-09 01:04 aavagyan Note Added: 0052926
2016-04-09 07:26 cproensa Note Added: 0052927
2016-04-11 04:10 aavagyan Note Added: 0052932
2019-09-06 03:37 dregad Assigned To => dregad
2019-09-06 03:37 dregad Status new => resolved
2019-09-06 03:37 dregad Resolution open => no change required
2019-09-06 03:37 dregad Note Added: 0062740
2019-09-06 03:37 dregad Relationship added related to 0020106
2019-09-16 14:30 atrol Status resolved => closed