*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Marc Deslauriers
(mdeslaur):
Mantis 1.2.10-1 distributed with Ubuntu Precise has a bug in
/usr/share/mantis/www/admin/install.php causing mantis-install to grant
privileges to wrong user@hostname combination. This is only relevant
when apache-server and database are not on the same host. The correct
grant should be [user]@[webserver hostname/IP] to grant only access to
webserver but grants privileges to [user]@[database host name] instead.
When mysql is running in hardened setup, this also causes installation
procedure to fail since webserver cannot use the database.
$t_result = @$g_db->Connect ( $f_hostname,
$f_admin_username, $f_admin_password, $f_database_name);
switch ($f_db_type) {
case 'mysql' :
case 'mysqli' :
//grant privileges
$t_query_grant ="GRANT ALL ON
`".$f_database_name."`.* TO `".$f_db_username."`@`".$f_hostname."` IDENTIFIED
BY '".$f_db_password."' ";
Correct implementation should perhaps take the IP/hostname of the
currently executed query and use that when granting privileges.
This bug has only very little security implications since unexpected and
unnecessary GRANT entry is created in mysql.user table but the new
account is still password protected and connections would only be
possible from other process on database host itself (or does mysql
support switching of user via SQL-command and local connection?).
Flagging it as "security" still, perhaps someone else might know a more
problematic scenario.
Current mantisbt-1.2.15 for download from mantisbt.org does not create
any users (see [1]), so this code might have been removed/fixed between
version 1.2.10 and 1.2.15 or may be an Ubuntu or Debian-specific
addition.
Version information:
Description: Ubuntu 12.04.3 LTS
Release: 12.04
ii mantis 1.2.10-1 web-
based bug tracking system
[1] http://www.mantisbt.org/forums/viewtopic.php?f=3&t=21663
** Affects: mantis (Ubuntu)
Importance: Undecided
Status: Incomplete
--
mantis install.php creates database user with wrong permissions
https://bugs.launchpad.net/bugs/1222713
You received this bug notification because you are a member of Ubuntu Bugs,
which is subscribed to the bug report.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
