View Issue Details

ID: 0023211
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-10-14 14:11
Reporter: hloehnert
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Summary: 0023211: Warning regarding admin-folder, even if access is restricted
Description

With commit
https://github.com/mantisbt/mantisbt/commit/d6d7dc2dc7473637c8ac17a78c0374f16981f409
the warning for the admin-folder was changed to "admin directory should be removed, or access to it restricted."

But if I restrict the access to it with an .htaccess-file, I still get this warning.
If I try to access the admin folder I get

    Forbidden
    You don't have permission to access /mantis/admin/ on this server.

in my browser.

So I think the warning is not correct.

Steps To Reproduce

add .htaccess file to admin-folder:

# Apache 2.4
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
</IfModule>
Tags: No tags attached.

Relationships

related to 0023179 (closed, dregad): Login page no longer warns about 'admin' directory being present
related to 0023476 (closed, atrol): Can't login if admin directory has restricted access

Activities

atrol (developer), 2017-08-11 09:30, ~0057438

> or access to it restricted

Could you try if restricting access by removing permissions on operating system level works?

hloehnert (reporter), 2017-08-11 10:05, ~0057439

By removing permissions on the operating system level, the warning is gone.

In my installation the web-server is running on a LINUX-machine and the MANTIS-application is actually located on a mounted WINDOWS-folder.
So I would prefer to restrict the access with an .htaccess-file.
Is it possible?

atrol (developer), 2017-08-11 10:25, ~0057440

> Is it possible?

I don't think so, as the message "You don't have permission to access ..." comes from the web server before Mantis is involved.

Furthermore keep security in mind.
In decreasing order in terms of security:

  1. remove the folder
  2. remove access permissions on operating system level
  3. restrict the access with an .htaccess-file

> and the MANTIS-application is actually located on a mounted WINDOWS-folder

Just out of curiosity, what's the advantage of that?
It's certainly not optimal in terms of performance.

atrol (developer), 2017-08-11 10:26, ~0057441

Reminder sent to: dregad

Maybe just reword the message?

dregad (developer), 2017-08-11 10:39, ~0057442

This code was really written based on the admin guide's instructions, i.e. deleting the directory; I also tested by removing read/execute access to it, but didn't consider .htaccess restrictions.

As a workaround you can disable admin checks ($g_admin_checks = OFF;), or physically restrict access to the directory as pointed out by atrol.

I need to check what can be done to detect .htaccess restrictions.

dregad (developer), 2017-08-11 11:03, ~0057443

Last edited: 2017-08-11 11:05

> Maybe just reword the message?

Probably better to try and check for accessibility from a web server instead of filesystem point of view.

@hloehnert can you try like this? (note: I did not actually test this)

diff --git a/login_page.php b/login_page.php
index 388da3790..bf42900a6 100644
--- a/login_page.php
+++ b/login_page.php
@@ -143,8 +143,9 @@ $t_upgrade_required = false;
 if( config_get_global( 'admin_checks' ) == ON ) {
    # Check if the admin directory is accessible
    $t_admin_dir = dirname( __FILE__ ) . '/admin';
+   $t_admin_url = config_get_global('path') . 'admin';
    $t_admin_dir_is_accessible = @file_exists( $t_admin_dir . '/.' );
-   if( $t_admin_dir_is_accessible ) {
+   if( is_readable( $t_admin_url ) ) {
        $t_warnings[] = lang_get( 'warning_admin_directory_present' );
    }
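Review bot: the new condition `if( is_readable( $t_admin_url ) )` will not test web-level accessibility, because is_readable() takes a filesystem path and the value built from `config_get_global('path') . 'admin'` is an HTTP URL; PHP's http:// stream wrapper does not support stat(), so is_readable() returns false for it and the warning is never shown regardless of whether the directory is protected. To check from the web server's point of view, the code needs to actually issue an HTTP request to that URL and inspect the response status (a 403 meaning restricted, a 200 meaning present and open), which is the approach later taken in PR 1151. Also, `$t_admin_dir_is_accessible` is still computed from `@file_exists( $t_admin_dir . '/.' )` but is no longer used after this change; either keep it as the fallback when the HTTP check cannot be performed or drop the line.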

As a side note, this has the added benefit that the schema-based admin checks are executed, which is not possible when access is disabled at the filesystem level.

atrol (developer), 2017-08-11 11:52, ~0057444

> I don't think so, as the message "You don't have permission to access ..." comes from the web server before Mantis is involved.

I wrote nonsense, as I wasn't aware at that moment that we are talking about login_page.php but not the content in admin folder itself.

dregad (developer), 2017-08-11 11:58, ~0057445

Please ignore 0023211:0057443 - it does not work. I'll try to come up with a different approach.

dregad (developer), 2017-08-11 12:09, ~0057446

See PR https://github.com/mantisbt/mantisbt/pull/1151, that seems to work with .htaccess AFAICT, but I need to do some more testing.

Please test on your end, and let me know your feedback.

hloehnert (reporter), 2017-08-15 05:59, ~0057463

> Please test on your end, and let me know your feedback.

I use SSL with a self-signed certificate.
So PR https://github.com/mantisbt/mantisbt/pull/1151 with the GuzzleHttp-solution is not working for me, because it fails with an exception 'SSL certificate problem' and falls back to the file-based check.
As a result I still get the warning regarding the admin-folder, though access to the admin-folder is restricted via .htaccess-file.

> and the MANTIS-application is actually located on a mounted WINDOWS-folder
> Just out of curiosity, what's the advantage of that?
> It's certainly not optimal in terms of performance.

My development-environment is on Windows, the app itself is running on a virtual machine with Linux.
I want to have the source files on my Windows machine. They are mounted on the Linux virtual machine.
Our production system is completely running on Linux, so there the access restriction on operating system level is possible.

atrol (developer), 2017-08-15 06:15, ~0057464

> My development-environment is on Windows, the app itself is running on a virtual machine with Linux.

So we are talking about a development-environment with your own config_inc.php.
I think that disabling admin checks by setting $g_admin_checks = OFF; is a good solution for that.

@dregad do you still see the need to change anything more than just enhancing the warning message?
Consider also https://github.com/mantisbt/mantisbt/pull/1151#issuecomment-322397528
Quite a lot of potential issues, but not that much benefit, maybe even decreased security.

hloehnert (reporter), 2017-08-15 06:48, ~0057466

Basically yes, but I want to keep the committed files in sync with the production environment as much as possible and want my development-environment to behave the same as the production one.
Otherwise I have to maintain 2 versions of config_inc.php.

And as @dregad mentioned, the solution with a check from a web-server point of view has a benefit:

> this has the added benefit that the schema-based admin checks are executed, which is not possible when access is disabled at the filesystem level.

hloehnert (reporter), 2017-08-15 06:53, ~0057467

In addition to my previous note:
See it more as a test-environment, where we try new developments so our users can test their inputs on it, too.

atrol (developer), 2017-08-15 08:11, ~0057468

> See it more as a test-environment, where we try new developments so our users can test their inputs on it, too.

@hloehnert what you might need is some kind of deployment pipeline.
Development -> Test -> Production
Typically you don't want your testers to waste time in using your current development that might contain breaking changes.
A simple script that copies your development environment to test environment without copying the admin directory (or removing it) could do the job.

> Otherwise I have to maintain 2 versions of config_inc.php.

That's what I'm doing for best performance when going from Test to Production, set $g_admin_checks = OFF;

There are some more reasons to have own versions of config_inc.php during development, test and production.
e.g. settings like $g_display_errors, $g_show_detailed_errors, $g_stop_on_errors or $g_log_level.

hloehnert (reporter), 2017-08-15 10:39, ~0057470

I agree, but the production-relevant settings in config_inc.php are not explicitly separated from the debug/log-relevant settings.
So keeping own versions of it will produce redundancy, which I want to avoid.

A solution I think about now, is to work with isset($_SERVER['SERVER_NAME']) constructs in config_inc.php to set some configs differently.

atrol (developer), 2017-08-15 11:04, ~0057471

> A solution I think about now, is to work with isset($_SERVER['SERVER_NAME']) constructs in config_inc.php to set some configs differently.

Might help; not sure you are aware that there is already a similar special handling for localhost:
https://github.com/mantisbt/mantisbt/blob/063cce6182568cf2eba81e3ca59cdd67606e7bab/config_defaults_inc.php#L4094

hloehnert (reporter), 2017-08-15 11:55, ~0057473

> Might help; not sure you are aware that there is already a similar special handling for localhost

This assumes I run my browser on 'localhost', which I actually don't do. My server is a pure server installation without a graphical user interface.

atrol (developer), 2017-08-15 13:26, ~0057474

@hloehnert 0023211:0057471 was just a hint for an example of how to implement server-dependent configuration.
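As an added example (not MantisBT's own code and not posted by anyone in this thread), the following config_inc.php fragment implements the server-dependent configuration discussed in 0023211:0057470 and 0023211:0057471: one file, with admin checks and the error/log settings named in 0023211:0057468 chosen by the host the request was served for. The hostnames are constructed placeholders, and the ON/OFF, DISPLAY_ERROR_* and LOG_* values are assumed to be MantisBT's own constants.

```php
<?php
# Added example for config_inc.php (not MantisBT's own code).
# Environment is selected from SERVER_NAME; hostnames below are placeholders.

# Allowlist of known hosts (constructed placeholders, replace with your own).
$t_env_by_host = array(
	'mantis-dev.example.test'  => 'development',
	'mantis-test.example.test' => 'test',
	'mantis.example.com'       => 'production',
);

# SERVER_NAME comes from the request's Host header unless the web server
# enforces a canonical name, so it is only matched against the allowlist.
# Unknown hosts and CLI runs (no SERVER_NAME at all, e.g. cron scripts)
# fall back to the most restrictive profile, production.
$t_host = isset( $_SERVER['SERVER_NAME'] ) ? strtolower( $_SERVER['SERVER_NAME'] ) : '';
$t_env = isset( $t_env_by_host[$t_host] ) ? $t_env_by_host[$t_host] : 'production';

switch( $t_env ) {
	case 'development':
		# Keep admin checks on so the schema-based checks still run.
		$g_admin_checks = ON;
		$g_display_errors = array( E_ALL => DISPLAY_ERROR_INLINE );
		$g_show_detailed_errors = ON;
		$g_stop_on_errors = ON;
		$g_log_level = LOG_ALL;
		break;

	case 'test':
		# Testers see inline errors but no detailed stack information.
		$g_admin_checks = ON;
		$g_display_errors = array( E_WARNING => DISPLAY_ERROR_HALT, E_ALL => DISPLAY_ERROR_INLINE );
		$g_show_detailed_errors = OFF;
		$g_stop_on_errors = OFF;
		$g_log_level = LOG_NONE;
		break;

	default:
		# Production: admin directory is removed, so skip the checks;
		# never expose error details to users.
		$g_admin_checks = OFF;
		$g_display_errors = array( E_WARNING => DISPLAY_ERROR_HALT, E_ALL => DISPLAY_ERROR_NONE );
		$g_show_detailed_errors = OFF;
		$g_stop_on_errors = OFF;
		$g_log_level = LOG_NONE;
		break;
}
```

Because an unrecognized host resolves to the production profile, a request carrying an unexpected Host header cannot switch on the verbose error or logging settings.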