oss-sec mailing list archives
CVE-2017-12419: Arbitrary File Read in MantisBT install.php script
From: Damien Regad <dregad () mantisbt org>
Date: Sat, 5 Aug 2017 01:15:23 +0200
If, after a successful installation of MantisBT on MySQL/MariaDB, the administrator does not remove the 'admin' directory (as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide [1]), and the MySQL client has a local_infile setting enabled (in php.ini mysqli.allow_local_infile, or the MySQL client config file, depending on the PHP setup), an attacker may take advantage of MySQL's "connect file read" feature [2] to remotely access files on the MantisBT server.

Affected versions: All 1.x and 2.x
Fixed in versions: N/A

At the moment, we do not have a way to patch this vulnerability from the code, so we advise administrators to secure their installations following our recommendation (i.e. deleting the 'admin' directory, disabling mysqli.allow_local_infile in php.ini).

As a stopgap measure, we have improved documentation and added warnings in several places to better inform administrators of the risks they incur.

Credits:
- Reported by aLLy from ONSEC (https://twitter.com/IamSecurity)

References:
- MantisBT issue tracker https://mantisbt.org/bugs/view.php?id=23173

[1] http://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.install.postcommon
[2] http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/
    https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html
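The two mitigations the advisory recommends (delete the 'admin' directory, turn off mysqli.allow_local_infile) can be verified from the server with a short post-installation check. The script below is an added example written for this archive page; it is not part of the advisory or of MantisBT. Function names (mantis_admin_dir_present, php_ini_bool_true, effective_local_infile, mantis_hardening_report) and the MANTIS_ROOT / PHP_BIN variables are hypothetical. It assumes the php binary it is pointed at reads the same php.ini as the web SAPI serving MantisBT; CLI and FPM/mod_php builds frequently use different ini files, so point PHP_BIN at the SAPI actually in use or run the ini_get() call through the web server.

```shell
#!/bin/sh
# Post-install hardening check for a MantisBT instance (added example, not MantisBT code).
# Assumption: "$php_bin" uses the same php.ini as the web SAPI that serves MantisBT.

# True (exit 0) when the install/upgrade scripts under admin/ are still on disk.
mantis_admin_dir_present() {
    [ -d "$1/admin" ]
}

# Normalise a PHP ini boolean as reported by ini_get(): "1", "On", "true", "yes" are truthy;
# "0", "Off", "", and anything else count as disabled.
php_ini_bool_true() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|on|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask the given PHP binary for the effective mysqli.allow_local_infile value.
# Prints an empty string if php is missing or the mysqli extension is not loaded.
effective_local_infile() {
    "$1" -r 'echo ini_get("mysqli.allow_local_infile");' 2>/dev/null
}

# Print one line per check; exit 0 only when both recommendations are satisfied.
mantis_hardening_report() {
    mhr_root="$1"
    mhr_php="${2:-php}"
    mhr_status=0

    if mantis_admin_dir_present "$mhr_root"; then
        echo "WARN: $mhr_root/admin still exists; remove it after installation"
        mhr_status=1
    else
        echo "OK: admin directory removed"
    fi

    if php_ini_bool_true "$(effective_local_infile "$mhr_php")"; then
        echo "WARN: mysqli.allow_local_infile is enabled; set it to Off in php.ini"
        mhr_status=1
    else
        echo "OK: mysqli.allow_local_infile is disabled, unset, or mysqli not loaded"
    fi

    return $mhr_status
}

# Only run the report when a root is supplied, e.g.:
#   MANTIS_ROOT=/var/www/mantisbt PHP_BIN=/usr/bin/php sh check_mantis.sh
if [ -n "${MANTIS_ROOT:-}" ]; then
    mantis_hardening_report "$MANTIS_ROOT" "${PHP_BIN:-php}"
fi
```

A non-zero exit status makes the script usable as a gate in a deployment pipeline; the ini value is normalised because php.ini accepts several spellings of a boolean, and a check that only compares against "1" would miss "On".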