From 10211c90d8378a4e9336a762ec37d34c94e0b33b Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Fri, 4 Aug 2017 23:45:55 +0200
Subject: [PATCH] Improve admin information about CVE-2017-12419
- Add admin check for mysqli.allow_local_infile
- Add reminder to remove admin dir at end of Admin checks
- Improve post-install tasks section of Admin Guide: add explicit warning about potential consequences of not deleting the admin directory, more descriptive wording.
Stopgap measures for issue #23173
Backported from master-2.5 branch 3a7c6f75bf3c4bc0856ebffe388df9e46ac10e5d
Conflicts:
	admin/check/index.php
---
 admin/check/check_database_inc.php | 8 +++++++
 admin/check/index.php | 9 +++++++
 docbook/Admin_Guide/en-US/Installation.xml | 28 ++++++++++++++++------
 3 files changed, 38 insertions(+), 7 deletions(-)
diff --git a/admin/check/check_database_inc.php b/admin/check/check_database_inc.php
index a646d8310d..53faf5558c 100644
--- a/admin/check/check_database_inc.php
+++ b/admin/check/check_database_inc.php
@@ -95,6 +95,14 @@
 'mysql' != $t_database_type,
 array( false => "'mysql' driver is deprecated as of PHP 5.5.0, please use 'mysqli' instead" )
 );
+
+ check_print_test_warn_row(
+ 'mysqli.allow_local_infile php.ini directive is set to 0',
+ !ini_get_bool( 'mysqli.allow_local_infile' ),
+ array( false => 'mysqli.allow_local_infile should be disabled to prevent remote attackers to access local files '
+ . '(see issue #23173).' )
+ );
+
 }
 if( db_is_mssql() ) {
diff --git a/admin/check/index.php b/admin/check/index.php
index 3e6241703d..6979bfaee9 100644
--- a/admin/check/index.php
+++ b/admin/check/index.php
@@ -191,5 +191,14 @@ function mode_url( $p_all, $p_errors ) {
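Review bot: The new `check_print_test_warn_row` call in check_database_inc.php only produces a warning, yet the condition it tests is the stated stopgap for issue #23173 / CVE-2017-12419, where a client with LOCAL INFILE enabled can be made to hand arbitrary local files to a rogue MySQL server; if the check framework offers an error-level row, this test is a candidate for it so it cannot be dismissed as cosmetic. The check is also purely advisory and, sitting inside the mysql-type block that closes at the `}` context line below, it depends on the admin having read the page at all; a connection-level fix that does not rely on php.ini would be to disable the option when the link is opened, e.g. `mysqli_options( $link, MYSQLI_OPT_LOCAL_INFILE, false )` (or the equivalent ADOdb driver option, if exposed). The message string reads better as `'... should be disabled to prevent remote attackers from accessing local files '`. The enclosing `if` block for the MySQL drivers starts before the hunk.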

All tests passed.

+
+

+ For security reasons, you should delete (or at least restrict access to) the
+ admin directory.
+ Refer to the
+ MantisBT Admin Guide
+ for further details.
+

+ diff --git a/docbook/Admin_Guide/en-US/Installation.xml b/docbook/Admin_Guide/en-US/Installation.xml index 5772273f08..8aed2b577c 100644 --- a/docbook/Admin_Guide/en-US/Installation.xml +++ b/docbook/Admin_Guide/en-US/Installation.xml @@ -677,21 +677,35 @@ tar -xf filename.tar Test your configuration Load up admin/check/index.php - to validate if everything is setup correctly. + to validate whether everything is setup correctly, and + take corrective action as needed. Delete the admin folder - For security reasons, the scripts within this directory - should not be accessible on a live MantisBT site or on any - installation that is accessible via the Internet. - - Once you have confirmed that the install/upgrade - was successful, you should delete this directory + Once you have confirmed that the install or upgrade + process was successful, you should delete this directory rm -r admin + For security reasons, the scripts within this directory + should not be freely accessible on a live MantisBT site, + particularly one which is accessible via the Internet, as + they can allow unauthorized people (e.g. hackers) to gain + technical knowledge about the system, as well as perform + administrative tasks. + + + Omitting this important step will leave your MantisBT + instance exposed to several potentially severe attacks, e.g. + + issue #23173 (if + + mysqli.allow_local_infile + is enabled in php.ini). + +
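Review bot: The reminder in admin/check/index.php is added directly after the "All tests passed." row, and with the markup stripped from this hunk it is not possible to tell whether it sits inside the branch that prints that row; if it does, administrators whose run ends with errors or warnings never see it, although their admin/ directory is exactly as exposed. It should be emitted unconditionally at the end of the page, after the results table, so that every visitor of the check page is told to remove the directory. The text could also state the concrete risk rather than only "for security reasons", reusing the wording this commit adds to the Admin Guide: `For security reasons, you should delete (or at least restrict access to) the admin directory: its scripts let unauthorized people gain technical knowledge about the system and perform administrative tasks.` The output code surrounding this hunk starts before it and is not visible here.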