Improve admin information about CVE-2017-12419

- Add admin check for mysqli.allow_local_infile - Add reminder to remove admin dir at end of Admin checks - Improve post-install tasks section of Admin Guide: add explicit warning about potential consequences of not deleting the admin directory, more descriptive wording. Stopgap measures for issue #23173 Backported from master-2.5 branch 3a7c6f7 Conflicts: admin/check/index.php
mantisbt · Aug 4, 2017 · 10211c9 · 10211c9
1 parent 600d0e0
commit 10211c9
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 7 deletions.
diff --git a/admin/check/check_database_inc.php b/admin/check/check_database_inc.php
@@ -95,6 +95,14 @@
 		'mysql' != $t_database_type,
 		array( false => "'mysql' driver is deprecated as of PHP 5.5.0, please use 'mysqli' instead" )
 	);
+
+	check_print_test_warn_row(
+		'mysqli.allow_local_infile php.ini directive is set to 0',
+		!ini_get_bool( 'mysqli.allow_local_infile' ),
+		array( false => 'mysqli.allow_local_infile should be disabled to prevent remote attackers to access local files '
+			. '(see issue <a href="https://mantisbt.org/bugs/view.php?id=23173">#23173</a>).' )
+	);
+
 }
 
 if( db_is_mssql() ) {

diff --git a/admin/check/index.php b/admin/check/index.php
@@ -191,5 +191,14 @@ function mode_url( $p_all, $p_errors ) {
 <?php } else { ?>
 <p class="notice pass2" id="check-notice-passed">All tests passed.</p>
 <?php } ?>
+
+<p class="notice fail2" id="notice-delete-admin">
+	For security reasons, you should delete (or at least restrict access to) the
+	<em>admin</em> directory.
+	Refer to the <a href="http://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.install.postcommon">
+		MantisBT Admin Guide</a>
+	for further details.
+</p>
+
 </body>
 </html>
diff --git a/docbook/Admin_Guide/en-US/Installation.xml b/docbook/Admin_Guide/en-US/Installation.xml
@@ -677,21 +677,35 @@ tar -xf <emphasis>filename.tar</emphasis>
 				<para>Test your configuration
 				</para>
 				<para>Load up <emphasis>admin/check/index.php</emphasis>
-					to validate if everything is setup correctly.
+					to validate whether everything is setup correctly, and
+					take corrective action as needed.
 				</para>
 			</listitem>
 
 			<listitem>
 				<para>Delete the <emphasis>admin</emphasis> folder
 				</para>
-				<para>For security reasons, the scripts within this directory
-					should not be accessible on a live MantisBT site or on any
-					installation that is accessible via the Internet.
-				</para>
-				<para>Once you have confirmed that the install/upgrade
-					was successful, you should delete this directory
+				<para>Once you have confirmed that the install or upgrade
+					process was successful, you should delete this directory
 					<programlisting>rm -r admin</programlisting>
 				</para>
+				<para>For security reasons, the scripts within this directory
+					should not be freely accessible on a live MantisBT site,
+					particularly one which is accessible via the Internet, as
+					they can allow unauthorized people (e.g. hackers) to gain
+					technical knowledge about the system, as well as perform
+					administrative tasks.
+				</para>
+				<warning>
+					<para>Omitting this important step will leave your MantisBT
+						instance exposed to several potentially severe attacks, e.g.
+						<ulink url="http://mantisbt.org/bugs/view.php?id=23173">
+							issue #23173</ulink> (if
+						<ulink url="http://php.net/manual/en/mysqli.configuration.php#ini.mysqli.allow-local-infile">
+							mysqli.allow_local_infile</ulink>
+						is enabled in php.ini).
+					</para>
+				</warning>
 			</listitem>
 		</orderedlist>
 	</section>