Date: Sat, 5 Aug 2017 01:15:23 +0200
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-12419: Arbitrary File Read in MantisBT install.php script

If, after a successful installation of MantisBT on MySQL/MariaDB, the
administrator does not remove the 'admin' directory (as recommended in
the "Post-installation and upgrade tasks" section of the MantisBT Admin
Guide [1]), and the MySQL client has a local_infile setting enabled (in
php.ini mysqli.allow_local_infile, or the MySQL client config file,
depending on the PHP setup), an attacker may take advantage of MySQL's
"connect file read" feature [2] to remotely access files on the MantisBT
server.

Affected versions: All 1.x and 2.x
Fixed in versions: N/A

At the moment, we do not have a way to patch this vulnerability from
the code, so we advise administrators to secure their installations
following our recommendation (i.e. deleting the 'admin' directory,
disabling mysqli.allow_local_infile in php.ini). As a stopgap measure,
we have improved documentation and added warnings in several places to
better inform administrators of the risks they incur.

Credits:
- Reported by aLLy from ONSEC (https://twitter.com/IamSecurity)

References:
- MantisBT issue tracker https://mantisbt.org/bugs/view.php?id=23173

[1] http://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.install.postcommon
[2] http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/
    https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html
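
Added example (not part of the original advisory, and not MantisBT's own tooling): a shell check for the two conditions the message describes, a leftover 'admin' directory and mysqli.allow_local_infile not being disabled in php.ini. The function names and the temp-dir sample are constructed for illustration; the MySQL client config file is not inspected.

```shell
#!/bin/sh
# Added example: audit a MantisBT install for the two conditions in this advisory.
# Usage: audit.sh /path/to/mantisbt /path/to/php.ini   (paths are the caller's)

# Print the state of mysqli.allow_local_infile in php.ini $1: on, off or review.
# Lines starting with ';' are comments; the last uncommented assignment is used.
ini_local_infile() {
    val=$(sed -n 's/^[[:space:]]*mysqli\.allow_local_infile[[:space:]]*=[[:space:]]*//p' "$1" \
          | tail -n 1 | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
          | tr -d '"' | tr '[:upper:]' '[:lower:]')
    case "$val" in
        1|on|yes|true)   echo on ;;
        0|off|no|false)  echo off ;;
        *)               echo review ;;  # unset, empty or unrecognised value
    esac
}

# Print one finding per line for MantisBT root $1 and php.ini $2.
# Returns 1 if anything needs fixing, 0 if both recommendations are applied.
audit_mantisbt() {
    rc=0
    if [ -d "$1/admin" ]; then
        echo "FINDING: $1/admin is still present; delete it after installation"
        rc=1
    fi
    case "$(ini_local_infile "$2")" in
        on)     echo "FINDING: mysqli.allow_local_infile is enabled in $2"; rc=1 ;;
        review) echo "FINDING: mysqli.allow_local_infile is not explicitly Off in $2"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a fake install tree and php.ini in a temp dir.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/mantisbt/admin"
    printf '%s\n' '; constructed php.ini' '[MySQLi]' \
        'mysqli.allow_local_infile = On' > "$d/php.ini"
    audit_mantisbt "$d/mantisbt" "$d/php.ini"
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "$#" -eq 2 ]; then
    audit_mantisbt "$1" "$2"
else
    demo || :
fi
```

A "review" result means the file does not set the directive explicitly, so the value in effect should be confirmed with `php -i` on the server itself.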
