View Issue Details

IDProjectCategoryView StatusLast Update
0023179mantisbtsecuritypublic2017-09-03 18:41
Reporterdregad Assigned Todregad  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version1.3.0-beta.1 
Target Version2.5.2Fixed in Version2.5.2 
Summary0023179: Login page no longer warns about 'admin' directory being present
Description

Commit MantisBT master 9da643a6 modified the admin checks to remove the logic checking for pre 1.0 upgrade steps.

However, it also (probably unintentionally) removed the check for admin directory presence, so administrators are no longer reminded that they should delete this directory, potentially leaving them exposed to security breaches.

TagsNo tags attached.

Relationships

related to 0023181 closeddregad Checks on login page are never executed if "admin" dir does not exist 
related to 0023173 confirmed CVE-2017-12419: Arbitrary File Read inside install.php script 
related to 0023211 assigneddregad Warning regarding admin-folder, even if access is restricted 

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-2.5 d6d7dc2d

2017-08-03 12:54

dregad


Details Diff
Restore "admin dir" warning on login page

Commit 9da643a6f6c1b7604598968baa3cd2f6fd4540ff modified the admin
checks on login page to remove the logic checking for pre 1.0 upgrade
steps.

However, it also (probably unintentionally) removed the check for admin
directory presence, so administrators are no longer reminded that they
should delete this directory, potentially leaving them exposed to
security breaches.

This commit restores the warning, and improves the error message.

Fixes 0023179
Stopgap measure for issue 0023173
Affected Issues
0023173, 0023179, 0023185
mod - lang/strings_english.txt Diff File
mod - login_page.php Diff File

MantisBT: master-1.3.x 21a15b88

2017-08-03 12:54

dregad


Details Diff
Restore "admin dir" warning on login page

Commit 9da643a6f6c1b7604598968baa3cd2f6fd4540ff modified the admin
checks on login page to remove the logic checking for pre 1.0 upgrade
steps.

However, it also (probably unintentionally) removed the check for admin
directory presence, so administrators are no longer reminded that they
should delete this directory, potentially leaving them exposed to
security breaches.

This commit restores the warning, and improves the error message.

Fixes 0023179
Stopgap measure for issue 0023173

Backported from master-2.5 branch d6d7dc2dc7473637c8ac17a78c0374f16981f409
Affected Issues
0023173, 0023179, 0023186
mod - lang/strings_english.txt Diff File
mod - login_page.php Diff File