View Issue Details

ID: 0023185
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-09-03 18:41
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Target Version: 2.5.2
Fixed in Version: 2.5.2
Summary: 0023185: Improve doc and notifications when admin dir is present (CVE-2017-12419)

Description: This is just to track the stopgap measures taken to mitigate the risk of an attack as described in 0023173.

Tags: No tags attached.


parent of 0023186 (closed, dregad): Improve doc and notifications when admin dir is present (CVE-2017-12419)
child of 0023173 (confirmed): CVE-2017-12419: Arbitrary File Read inside install.php script


There are no notes attached to this issue.

Related Changesets

MantisBT: master-2.5 d6d7dc2d

2017-08-03 12:54


Restore "admin dir" warning on login page

Commit 9da643a6f6c1b7604598968baa3cd2f6fd4540ff modified the admin
checks on the login page to remove the logic checking for pre-1.0 upgrades.

However, it also (probably unintentionally) removed the check for admin
directory presence, so administrators are no longer reminded that they
should delete this directory, potentially leaving them exposed to
security breaches.

This commit restores the warning and improves the error message.

Fixes 0023179
Stopgap measure for issue 0023173
Affected Issues: 0023173, 0023179, 0023185
mod - lang/strings_english.txt
mod - login_page.php

MantisBT: master-2.5 3a7c6f75

2017-08-03 15:39


Improve admin information about CVE-2017-12419

- Add admin check for mysqli.allow_local_infile
- Add reminder to remove the admin dir at the end of the Admin checks
- Improve the post-install tasks section of the Admin Guide: add an explicit
warning about the potential consequences of not deleting the admin
directory, and use more descriptive wording.

Stopgap measures for issue 0023173
Affected Issues: 0023173, 0023185
mod - admin/check/check_database_inc.php
mod - admin/check/index.php
mod - docbook/Admin_Guide/en-US/Installation.xml
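The two changesets above add the same pair of reminders in different places (login page and admin checks): the admin/ directory is still present, and mysqli.allow_local_infile is enabled. The stand-alone script below is an added example, not MantisBT's own code and not taken from either commit; it implements those two checks as a CLI tool that can run from a deployment step or cron. The install-root argument, the function names and the output format are assumptions made for the example; it does not use MantisBT's admin-check framework.

```php
<?php
// Added example, not MantisBT code: a stand-alone post-install check that
// mirrors the two stopgap measures tracked in this issue (admin/ directory
// still present, mysqli.allow_local_infile enabled). The CLI interface and
// all function names here are hypothetical.

/**
 * Inspect a MantisBT install root and return a list of findings.
 * Each finding is ['severity' => 'error'|'warning', 'message' => string].
 */
function mantis_postinstall_findings( string $root ): array {
    $findings = [];

    // 1. The admin/ directory must go once installation or upgrade is done:
    //    the scripts in it (install.php among them) are reachable by anyone
    //    who can reach the site.
    $admin_dir = rtrim( $root, '/' ) . '/admin';
    if( is_dir( $admin_dir ) ) {
        $findings[] = [
            'severity' => 'error',
            'message'  => "Directory '$admin_dir' still exists. Delete it, or deny "
                . "web access to it, now that installation is complete.",
        ];
    }

    // 2. With mysqli.allow_local_infile on, the MySQL client honours a
    //    server's request to send a local file (LOAD DATA LOCAL INFILE). A
    //    connection to a server chosen by an attacker then reads files from
    //    the web host, which is why the admin check flags this setting.
    //    ini_get() returns "1"/"On"/"0"/"" as a string, or false if unknown.
    $infile = ini_get( 'mysqli.allow_local_infile' );
    if( $infile !== false && filter_var( $infile, FILTER_VALIDATE_BOOLEAN ) ) {
        $findings[] = [
            'severity' => 'warning',
            'message'  => "mysqli.allow_local_infile is enabled (value: '$infile'). "
                . "Set mysqli.allow_local_infile=0 in php.ini unless you need it.",
        ];
    }

    return $findings;
}

/**
 * Render findings the way a login-page banner would: one line per finding,
 * most severe first. Returns the text so a CLI or a page can reuse it.
 */
function mantis_format_findings( array $findings ): string {
    usort( $findings, function( array $a, array $b ): int {
        $rank = [ 'error' => 0, 'warning' => 1 ];
        return $rank[$a['severity']] <=> $rank[$b['severity']];
    } );
    $lines = [];
    foreach( $findings as $f ) {
        $lines[] = sprintf( '[%s] %s', strtoupper( $f['severity'] ), $f['message'] );
    }
    return $lines ? implode( PHP_EOL, $lines ) . PHP_EOL
                  : 'No post-install issues found.' . PHP_EOL;
}

// CLI entry point: `php check_postinstall.php /var/www/mantisbt`
// Exits non-zero when anything was found so it can gate a deployment step.
if( PHP_SAPI === 'cli' && realpath( $argv[0] ) === __FILE__ ) {
    $root = $argv[1] ?? getcwd();
    $findings = mantis_postinstall_findings( $root );
    echo mantis_format_findings( $findings );
    exit( $findings ? 1 : 0 );
}
```

Two caveats when using something like this. First, the ini_get() call reports the setting of whichever PHP binary runs the script; the CLI SAPI often loads a different php.ini than the web SAPI (mod_php or php-fpm), so confirm the value from a web request (phpinfo() on a non-public URL, or the admin checks page itself) before trusting a clean result. Second, the check is a reminder, not a fix: the mitigation the Admin Guide asks for is removing the admin directory after installation, and the script does nothing unless someone acts on its output.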