View Issue Details

ID: 0024089
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2018-03-31 19:58
Reporter: omerfirmak
Assigned To: atrol
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.12.0
Target Version: 2.13.0
Fixed in Version: 2.13.0
Summary: 0024089: POST request to login_password_page.php returns 405 when admin folder is deleted or access restricted
Description

Hi,

So when I delete or chmod 000 the admin folder, a POST request to login_password_page.php returns 405.

Tags: No tags attached.
Attached Files

Relationships

related to 0023476 (closed, atrol): Can't login if admin directory has restricted access

Activities

dregad (developer), 2018-03-08 11:37, note ~0059120

Can you clarify what POST request you are talking about? Please provide detailed steps to reproduce the error.

omerfirmak (reporter), 2018-03-08 12:14, note ~0059121

Sorry for that, the attached file should be enough, I guess.
The error only occurs when I "chmod 000" the admin folder. If I delete or rename it, it looks like it works fine.

mantis405.json (4,176 bytes)   
{
  "log": {
    "version": "1.1",
    "creator": {
      "name": "Firefox",
      "version": "58.0.2"
    },
    "browser": {
      "name": "Firefox",
      "version": "58.0.2"
    },
    "pages": [
      {
        "startedDateTime": "2018-03-08T20:07:34.841+03:00",
        "id": "page_1",
        "title": "405 Not Allowed",
        "pageTimings": {
          "onContentLoad": -1,
          "onLoad": -1
        }
      }
    ],
    "entries": [
      {
        "pageref": "page_1",
        "startedDateTime": "2018-03-08T20:07:34.841+03:00",
        "time": null,
        "request": {
          "bodySize": 32,
          "method": "POST",
          "url": "http://ankasys.synology.me/mantisbt/login_password_page.php",
          "httpVersion": "HTTP/1.1",
          "headers": [
            {
              "name": "Host",
              "value": "ankasys.synology.me"
            },
            {
              "name": "User-Agent",
              "value": "Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0"
            },
            {
              "name": "Accept",
              "value": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
            },
            {
              "name": "Accept-Language",
              "value": "en-US,en;q=0.5"
            },
            {
              "name": "Accept-Encoding",
              "value": "gzip, deflate"
            },
            {
              "name": "Referer",
              "value": "http://ankasys.synology.me/mantisbt/login_page.php"
            },
            {
              "name": "Content-Type",
              "value": "application/x-www-form-urlencoded"
            },
            {
              "name": "Content-Length",
              "value": "32"
            },
            {
              "name": "Cookie",
              "value": "MANTIS_collapse_settings=|sidebar:1; stay_login=0; MANTIS_secure_session=0; MANTIS_VIEW_ALL_COOKIE=2; PHPSESSID=g3j5gh4is7oei4dfoids9mtqj2"
            },
            {
              "name": "Connection",
              "value": "keep-alive"
            },
            {
              "name": "Upgrade-Insecure-Requests",
              "value": "1"
            },
            {
              "name": "Pragma",
              "value": "no-cache"
            },
            {
              "name": "Cache-Control",
              "value": "no-cache"
            }
          ],
          "cookies": [],
          "queryString": [],
          "postData": {
            "mimeType": "application/x-www-form-urlencoded",
            "params": [],
            "text": "return=index.php&username=ankaoi"
          },
          "headersSize": 673
        },
        "response": {
          "status": 405,
          "statusText": "Not Allowed",
          "httpVersion": "HTTP/1.1",
          "headers": [
            {
              "name": "Server",
              "value": "nginx"
            },
            {
              "name": "Date",
              "value": "Thu, 08 Mar 2018 17:07:34 GMT"
            },
            {
              "name": "Content-Type",
              "value": "text/html"
            },
            {
              "name": "Content-Length",
              "value": "166"
            },
            {
              "name": "Connection",
              "value": "keep-alive"
            },
            {
              "name": "Keep-Alive",
              "value": "timeout=20"
            }
          ],
          "cookies": [],
          "content": {
            "mimeType": "text/html",
            "size": 166,
            "text": "<html>\r\n<head><title>405 Not Allowed</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>405 Not Allowed</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"
          },
          "redirectURL": "",
          "headersSize": 174,
          "bodySize": 340
        },
        "cache": {},
        "timings": {
          "blocked": 0,
          "dns": 0,
          "connect": 0,
          "ssl": 0,
          "send": 0,
          "wait": 86,
          "receive": 0
        },
        "serverIPAddress": "176.43.7.89",
        "connection": "80"
      }
    ]
  }
}
atrol (developer), 2018-03-08 13:35, note ~0059124 (last edited: 2018-03-08 13:36)

I am wondering if we can remove all these checks

$t_upgrade_required = false;
if( config_get_global( 'admin_checks' ) == ON && file_exists( dirname( __FILE__ ) .'/admin' ) ) {
    # since admin directory and db_upgrade lists are available check for missing db upgrades
    # if db version is 0, we do not have a valid database.
    $t_db_version = config_get( 'database_version', 0 );
    if( $t_db_version == 0 ) {
        $t_warnings[] = lang_get( 'error_database_no_schema_version' );
    }

    # Check for db upgrade for versions > 1.0.0 using new installer and schema
    require_once( 'admin' . DIRECTORY_SEPARATOR . 'schema.php' );
    $t_upgrades_reqd = count( $g_upgrade ) - 1;

    if( ( 0 < $t_db_version ) &&
            ( $t_db_version != $t_upgrades_reqd ) ) {

        if( $t_db_version < $t_upgrades_reqd ) {
            $t_upgrade_required = true;
        }
    }
}

from login_password_page.php, as we already check in login_page.php.

atrol (developer), 2018-03-08 14:32, note ~0059125

I wondered why it worked on page login_page.php but not login_password_page.php.
It's because we check for /admin/. in login_page.php but /admin in login_password_page.php.

The checks can't be removed at the moment, as it's needed to populate hidden field install so that login.php executes admin/install.php if there is an outdated database schema.
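To make the /admin versus /admin/. difference concrete, here is an added example (not MantisBT code) that builds a throwaway admin directory, restricts it with mode 0000 and compares the two file_exists() forms, plus a guarded variant of the schema include that refuses to require_once a file it cannot read. The temp paths and the $g_upgrade stub are constructed for the demo; run it as a non-root user, since root bypasses mode bits and both checks then succeed.

```php
<?php
# Added example, not MantisBT code. Demonstrates why file_exists( $dir ) still
# passes on a chmod 000 directory while file_exists( $dir . '/.' ) does not.

function admin_dir_checks( $p_admin_dir ) {
    return array(
        # stat() on the directory itself only needs search permission on its parent
        'exists'          => file_exists( $p_admin_dir ),
        # resolving '.' needs search permission on the directory itself
        'exists_dot'      => file_exists( $p_admin_dir . '/.' ),
        # the file the login page would require_once
        'schema_readable' => is_readable( $p_admin_dir . '/schema.php' ),
    );
}

# Guarded form of the login_password_page.php check: use the '/admin/.' test and
# confirm schema.php is readable before handing it to require_once.
function admin_schema_available( $p_admin_dir ) {
    return file_exists( $p_admin_dir . '/.' )
        && is_readable( $p_admin_dir . '/schema.php' );
}

# Constructed scratch layout: <tmp>/mantis_admin_demo_<pid>/admin/schema.php
$t_base  = sys_get_temp_dir() . '/mantis_admin_demo_' . getmypid();
$t_admin = $t_base . '/admin';
mkdir( $t_base, 0700 );
mkdir( $t_admin, 0755 );
file_put_contents( $t_admin . '/schema.php', "<?php\n\$g_upgrade = array( 0, 1 );\n" );

echo "admin dir mode 0755:\n";
var_dump( admin_dir_checks( $t_admin ) );
var_dump( admin_schema_available( $t_admin ) );

chmod( $t_admin, 0000 );
echo "admin dir mode 0000 (the reporter's chmod 000 case):\n";
var_dump( admin_dir_checks( $t_admin ) );
var_dump( admin_schema_available( $t_admin ) );

# Restore permissions so the scratch tree can be removed
chmod( $t_admin, 0755 );
unlink( $t_admin . '/schema.php' );
rmdir( $t_admin );
rmdir( $t_base );
```

With mode 0000 the plain file_exists() check reports the directory as present while the '/.' form and is_readable() both fail, which is exactly the gap that let the old check fall through to a require_once of an unreadable schema.php.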

atrol (developer), 2018-03-08 14:33, note ~0059126

PR https://github.com/mantisbt/mantisbt/pull/1314

Related Changesets

MantisBT: master 9debbfb5

2018-03-08 09:24

atrol

Committer: vboctor

Correct access check for admin folder

Fixes 0024089
Fixes 0023476

Affected Issues: 0023476, 0024089

mod - login_password_page.php