Date: Sat, 5 Aug 2017 01:15:23 +0200
From: Damien Regad <>
Subject: CVE-2017-12419: Arbitrary File Read in MantisBT install.php script

If, after a successful installation of MantisBT on MySQL/MariaDB, the
administrator does not remove the 'admin' directory (as recommended in
the "Post-installation and upgrade tasks" section of the MantisBT Admin
Guide [1]), and the MySQL client has a local_infile setting enabled (in
php.ini mysqli.allow_local_infile, or the MySQL client config file,
depending on the PHP setup), an attacker may take advantage of MySQL's
"connect file read" feature [2] to remotely access files on the MantisBT
Affected versions: All 1.x and 2.x
Fixed in versions: N/A

At the moment, we do not have a way to patch this vulnerability from
the code, so we advise administrators to secure their installations
following our recommendation (i.e. deleting the 'admin' directory and
disabling mysqli.allow_local_infile in php.ini). As a stopgap measure,
we have improved documentation and added warnings in several places to
better inform administrators of the risks they incur.
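The two recommendations above are easy to verify from a shell on the web server. The script below is an added example written for this post; it is not part of MantisBT and not provided by the MantisBT project. It checks whether the 'admin' directory is still present under the MantisBT root and whether the effective mysqli.allow_local_infile value in a given php.ini is On. The function names (mantis_local_infile_audit, make_demo_install), the sample paths and the constructed php.ini contents are assumptions for the demo; it also assumes, as the advisory implies for PHP of that era, that an unset mysqli.allow_local_infile means the directive is enabled, so an absent key is reported as a finding. The MySQL client config file (the other place the post names) is not parsed here.

```shell
#!/bin/sh
# Added example (not MantisBT project code): audit a MantisBT install for the
# two conditions named in the advisory. Prints one "FINDING:" line per
# problem and returns 0 only when both mitigations are in place.
#   usage: mantis_local_infile_audit <mantisbt_root> <php.ini>
mantis_local_infile_audit() {
    mantis_root="$1"
    php_ini="$2"
    status=0

    # Mitigation 1: the admin directory (and with it install.php) is gone.
    if [ -d "$mantis_root/admin" ]; then
        echo "FINDING: $mantis_root/admin still exists; remove it after installation"
        status=1
    fi

    # Mitigation 2: mysqli.allow_local_infile is explicitly Off. The last
    # uncommented occurrence wins, mirroring how php.ini is read.
    line=$(grep -E '^[[:space:]]*mysqli\.allow_local_infile[[:space:]]*=' "$php_ini" | tail -n 1)
    if [ -z "$line" ]; then
        # Assumption: unset means the PHP default, which enabled it at the time.
        echo "FINDING: mysqli.allow_local_infile not set in $php_ini (default treated as On)"
        status=1
    else
        # Keep the right-hand side, drop trailing ';' comments, quotes and spaces.
        value=$(printf '%s\n' "$line" | sed 's/^[^=]*=//; s/;.*$//' \
                | tr -d ' \t"'"'" | tr '[:upper:]' '[:lower:]')
        case "$value" in
            1|on|true|yes)
                echo "FINDING: mysqli.allow_local_infile = $value in $php_ini; set it to Off"
                status=1
                ;;
        esac
    fi
    return $status
}

# Build a constructed demo install under <dir>: "weak" keeps the admin
# directory and enables local_infile, "hardened" does the opposite.
#   usage: make_demo_install weak|hardened <dir>
make_demo_install() {
    mode="$1"
    dir="$2"
    mkdir -p "$dir"
    if [ "$mode" = weak ]; then
        mkdir -p "$dir/admin"
        : > "$dir/admin/install.php"
        printf '; constructed php.ini for the demo\nmysqli.allow_local_infile = On\n' > "$dir/php.ini"
    else
        printf '; constructed php.ini for the demo\nmysqli.allow_local_infile = Off ; hardened\n' > "$dir/php.ini"
    fi
}

# Demo run on constructed fixtures; on a real server call the audit function
# with the MantisBT document root and the php.ini the web SAPI actually loads.
demo_dir=$(mktemp -d)
make_demo_install weak "$demo_dir/weak"
make_demo_install hardened "$demo_dir/hardened"
for name in weak hardened; do
    if mantis_local_infile_audit "$demo_dir/$name" "$demo_dir/$name/php.ini"; then
        echo "$name: OK"
    else
        echo "$name: NOT HARDENED"
    fi
done
rm -rf "$demo_dir"
```

Run it against the real paths once per web SAPI in use, since CLI and mod_php/php-fpm may load different php.ini files; the 'admin' check only proves the directory is gone from this copy, not from any other deployed copy of the tree.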

- Reported by aLLy from ONSEC (

- MantisBT issue tracker
