Date: Sun, 16 Apr 2017 13:08:27 +0000
From: <>
To: "" <>
Subject: MantisBT - Full admin access vulnerability

A vulnerability exists in MantisBT where any user's password can be reset:

Visiting /verify.php?id=XXX&confirm_hash=

where XXX is the userid of the user. id=1 is the default 'administrator' account if it still exists.

On an unpatched instance of MantisBT, this will provide a form to enter a new password for the user.

This works on any enabled account (including users with admin access) - providing an anonymous user with admin access to the system.

The issue can be resolved by checking that the value of $t_token_confirm_hash is not null in verify.php,

i.e. changing the code to read:

if( $f_confirm_hash !== $t_token_confirm_hash || null === $t_token_confirm_hash ) {
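The following is an added example and not MantisBT's own code: it puts the original form of the verify.php comparison next to a hardened one and runs both over constructed cases. It assumes the token store returns null when no reset token is pending for the user, and that the request layer yields null when confirm_hash is absent or empty.

```php
<?php
// Added example, not MantisBT's own code: the verify.php token check in its
// original form and a hardened form, run against constructed cases.
// Assumption: the token store returns null when no reset token is pending,
// and the request layer yields null when confirm_hash is absent or empty.

/** Original form of the check: grants access unless the two values differ. */
function check_original(?string $supplied, ?string $stored): bool
{
    return !($supplied !== $stored);
}

/** Hardened form: a missing or empty stored token can never match, the
 *  supplied value must be present, and the comparison is constant-time. */
function check_hardened(?string $supplied, ?string $stored): bool
{
    if ($stored === null || $stored === '' || $supplied === null) {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Constructed cases: [supplied confirm_hash, stored token for the user].
$cases = [
    'correct token'               => ['7f3a9c', '7f3a9c'],
    'wrong token'                 => ['000000', '7f3a9c'],
    'no token pending, none sent' => [null, null],
    'no token pending, junk sent' => ['000000', null],
];

// The third case is the one the advisory describes: no reset was ever
// requested, yet the original check lets the request through.
printf("%-28s %-9s %s\n", 'case', 'original', 'hardened');
foreach ($cases as $name => [$supplied, $stored]) {
    printf("%-28s %-9s %s\n", $name,
        check_original($supplied, $stored) ? 'granted' : 'denied',
        check_hardened($supplied, $stored) ? 'granted' : 'denied');
}
```

The hardened check also replaces the plain `!==` comparison with hash_equals(), so a valid token cannot be distinguished from an invalid one by response timing.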
