oss-sec mailing list archives

CVE-2017-12419: Arbitrary File Read in MantisBT install.php script


From: Damien Regad <dregad () mantisbt org>
Date: Sat, 5 Aug 2017 01:15:23 +0200

If, after a successful installation of MantisBT on MySQL/MariaDB, the
administrator does not remove the 'admin' directory (as recommended in
the "Post-installation and upgrade tasks" section of the MantisBT Admin
Guide [1]), and the MySQL client has a local_infile setting enabled (in
php.ini mysqli.allow_local_infile, or the MySQL client config file,
depending on the PHP setup), an attacker may take advantage of MySQL's
"connect file read" feature [2] to remotely access files on the MantisBT
server.

Affected versions: All 1.x and 2.x
Fixed in versions: N/A

At the moment, we do not have a way to patch this vulnerability from
the code, so we advise administrators to secure their installations
following our recommendation (i.e. deleting the 'admin' directory,
disabling mysqli.allow_local_infile in php.ini). As a stopgap measure,
we have improved documentation and added warnings in several places to
better inform administrators of the risks they incur.

Credits:
- Reported by aLLy from ONSEC (https://twitter.com/IamSecurity)

References:
- MantisBT issue tracker https://mantisbt.org/bugs/view.php?id=23173

[1] http://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.install.postcommon
[2] http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/
    https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html
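The two mitigations the advisory asks administrators to apply (remove the 'admin' directory, turn off mysqli.allow_local_infile) can be verified with the following POSIX shell check. This is an added example, not part of Damien Regad's post or of MantisBT; MANTIS_ROOT and PHP_INI are hypothetical paths the caller supplies.

```shell
#!/bin/sh
# Added hardening check for the two mitigations in the advisory above:
# the 'admin' directory should be gone and mysqli.allow_local_infile off.
# MANTIS_ROOT (MantisBT web root) and PHP_INI (php.ini used by the web
# SAPI) are hypothetical paths supplied by the caller.

# Report the value php.ini gives mysqli.allow_local_infile: on, off,
# unset, or unknown. The last uncommented assignment wins, as in PHP.
local_infile_setting() {
    key='^[[:space:]]*mysqli\.allow_local_infile[[:space:]]*='
    grep -qi "$key" "$1" || { echo unset; return; }
    val=$(grep -i "$key" "$1" | tail -n 1 | cut -d= -f2- \
        | sed 's/;.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' \
        | tr 'A-Z' 'a-z')
    case "$val" in
        1|on|true|yes) echo on ;;
        ''|0|off|false|no|none) echo off ;;   # empty string is off in PHP
        *) echo unknown ;;                    # e.g. ${ENV} syntax: inspect by hand
    esac
}

# "present" if <webroot>/admin still exists (install.php lives there).
admin_dir_status() {
    if [ -d "$1/admin" ]; then echo present; else echo absent; fi
}

# Overall audit: returns 0 only when both mitigations are in place.
audit_mantis() {
    rc=0
    s=$(local_infile_setting "$2")
    echo "mysqli.allow_local_infile: $s"
    [ "$s" = off ] || rc=1
    a=$(admin_dir_status "$1")
    echo "admin directory: $a"
    [ "$a" = absent ] || rc=1
    return $rc
}

if [ -n "${MANTIS_ROOT:-}" ] && [ -n "${PHP_INI:-}" ]; then
    audit_mantis "$MANTIS_ROOT" "$PHP_INI"
fi
```

A directive that is absent from php.ini falls back to the PHP build's default, so an "unset" result still needs confirming with `php -i` under the web SAPI.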
