Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   MantisBT Vendors:
MantisBT Input Validation Flaws Let Remote Users Conduct Cross-Site Request Forgery and Open Redirect Attacks
SecurityTracker Alert ID:  1038538
SecurityTracker URL:
CVE Reference:   CVE-2017-7620   (Links to External Site)
Date:  May 23 2017
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.3.10, 2.3.0; possibly other versions
Description:   Two vulnerabilities were reported in MantisBT. A remote user can conduct cross-site request forgery attacks. A remote user can redirect the target user's browser to an arbitrary site.

A remote user can create a specially crafted HTML page or URL that, when loaded by the target authenticated user, will exploit an input validation flaw in 'string_api.php' and take actions on the target interface acting as the target user.

The vendor was notified on April 9, 2017.

John Page a.k.a hyp3rlinx reported this vulnerability.

The original advisory is available at:

A remote user can create a URL that, when loaded by the target user, will redirect the target user's browser to an arbitrary site. The 'return' parameter in 'login_page.php' is affected.

A demonstration exploit URL is provided:


Mahmoud Gamal from Seekurity reported this vulnerability.

Impact:   A remote user can take actions on the target system acting as the target authenticated user.

A remote user can cause the target user's browser to be redirected to an arbitrary web site.

Solution:   The vendor has issued a fix (2.4.1).

The vendor advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [FD] CVE-2017-7620 Mantis Bug Tracker 1.3.10 / v2.3.0 CSRF Permalink Injection

[+] Credits: John Page a.k.a hyp3rlinx
[+] Website:
[+] Source:
[+] ISR: ApparitionSec


Mantis Bug Tracker
1.3.10 / v2.3.0

MantisBT is a popular free web-based bug tracking system. It is written in
PHP works with MySQL, MS SQL, and PostgreSQL databases.

Vulnerability Type:
CSRF Permalink Injection

CVE Reference:

Security Issue:
Remote attackers can inject arbitrary permalinks into the mantisbt Web
Interface if an authenticated user visits a malicious webpage.

Vuln code in "string_api.php" PHP file, under mantis/core/ did not account
for supplied backslashes.
Line: 270

# Check for URL's pointing to other domains

if( 0 == $t_type || empty( $t_matches['script'] ) ||
    3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {

    return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';


# Start extracting regex matches

$t_script = $t_matches['script'];
$t_script_path = $t_matches['path'];

<form action="


<form action="

Network Access:


Disclosure Timeline:
Vendor Notification: April 9, 2017
Vendor Release Fix: May 15, 2017
Vendor Disclosed: May 20, 2017
May 20, 2017 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC