View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0024089 | mantisbt | authentication | public | 2018-03-08 11:24 | 2018-03-31 19:58 |
Reporter | omerfirmak | Assigned To | atrol | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 2.12.0 | ||||
Target Version | 2.13.0 | Fixed in Version | 2.13.0 | ||
Summary | 0024089: POST request to login_password_page.php returns 405 when admin folder is deleted or access restricted | ||||
Description | Hi, so when I delete or chmod 000 the admin folder, a POST request to login_password_page.php returns 405. | ||||
Tags | No tags attached. | ||||
Can you clarify what POST request you are talking about? Please provide detailed steps to reproduce the error. |
|
Sorry for that, the attached file should be enough, I guess. mantis405.json (4,176 bytes)
{ "log": { "version": "1.1", "creator": { "name": "Firefox", "version": "58.0.2" }, "browser": { "name": "Firefox", "version": "58.0.2" }, "pages": [ { "startedDateTime": "2018-03-08T20:07:34.841+03:00", "id": "page_1", "title": "405 Not Allowed", "pageTimings": { "onContentLoad": -1, "onLoad": -1 } } ], "entries": [ { "pageref": "page_1", "startedDateTime": "2018-03-08T20:07:34.841+03:00", "time": null, "request": { "bodySize": 32, "method": "POST", "url": "http://ankasys.synology.me/mantisbt/login_password_page.php", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Host", "value": "ankasys.synology.me" }, { "name": "User-Agent", "value": "Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0" }, { "name": "Accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" }, { "name": "Accept-Language", "value": "en-US,en;q=0.5" }, { "name": "Accept-Encoding", "value": "gzip, deflate" }, { "name": "Referer", "value": "http://ankasys.synology.me/mantisbt/login_page.php" }, { "name": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "name": "Content-Length", "value": "32" }, { "name": "Cookie", "value": "MANTIS_collapse_settings=|sidebar:1; stay_login=0; MANTIS_secure_session=0; MANTIS_VIEW_ALL_COOKIE=2; PHPSESSID=g3j5gh4is7oei4dfoids9mtqj2" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Upgrade-Insecure-Requests", "value": "1" }, { "name": "Pragma", "value": "no-cache" }, { "name": "Cache-Control", "value": "no-cache" } ], "cookies": [], "queryString": [], "postData": { "mimeType": "application/x-www-form-urlencoded", "params": [], "text": "return=index.php&username=ankaoi" }, "headersSize": 673 }, "response": { "status": 405, "statusText": "Not Allowed", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Server", "value": "nginx" }, { "name": "Date", "value": "Thu, 08 Mar 2018 17:07:34 GMT" }, { "name": "Content-Type", "value": "text/html" }, { "name": "Content-Length", "value": "166" }, { "name": 
"Connection", "value": "keep-alive" }, { "name": "Keep-Alive", "value": "timeout=20" } ], "cookies": [], "content": { "mimeType": "text/html", "size": 166, "text": "<html>\r\n<head><title>405 Not Allowed</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>405 Not Allowed</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n" }, "redirectURL": "", "headersSize": 174, "bodySize": 340 }, "cache": {}, "timings": { "blocked": 0, "dns": 0, "connect": 0, "ssl": 0, "send": 0, "wait": 86, "receive": 0 }, "serverIPAddress": "176.43.7.89", "connection": "80" } ] } } |
|
I am wondering if we can remove all those checks
from login_password_page.php, as we already check in login_page.php |
|
I wondered why it worked on page login_page.php but not login_password_page.php. The checks can't be removed at the moment, as they're needed to populate a hidden field |
|