Date: Sat, 5 Aug 2017 01:15:23 +0200 From: Damien Regad <dregad@...tisbt.org> To: oss-security@...ts.openwall.com Subject: CVE-2017-12419: Arbitrary File Read in MantisBT install.php script If, after a successful installation of MantisBT on MySQL/MariaDB the administrator does not remove the 'admin' directory (as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide ), and the MySQL client has a local_infile setting enabled (in php.ini mysqli.allow_local_infile, or the MySQL client config file, depending on the PHP setup), an attacker may take advantage of MySQL's "connect file read" feature  to remotely access files on the MantisBT server. Affected versions: All 1.x and 2.x Fixed in versions: N/A At the moment, we do not have a way to patch this vulnerability from the code, so we advise administrators to secure their installations following our recommendation (i.e. deleting the 'admin' directory, disabling mysqli.allow_local_infile in php.ini). As a stopgap measure, we have improved documentation and added warnings in several places to better inform administrators of the risks they incur. Credits: - Reported by aLLy from ONSEC (https://twitter.com/IamSecurity) References: - MantisBT issue tracker https://mantisbt.org/bugs/view.php?id=23173  http://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.install.postcommon  http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/ https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ