oss-sec mailing list archives
MantisBT - Full admin access vulnerability
From: <7b4xrw+5q6jtt69cnwlw () guerrillamail com>
Date: Sun, 16 Apr 2017 13:08:27 +0000
A vulnerability exists in MantisBT where any user's password can be reset:
Visiting /verify.php?id=XXX&confirm_hash=
where XXX is the userid of the user. id=1 is the default 'administrator' account if it still exists.
On an unpatched instance of MantisBT, this will provide a form to enter a new password for a user.
This works on any enabled account (including users with admin access) - providing an anonymous user with admin access to the system.
The issue can be resolved by checking the value of $t_token_confirm_hash is not null in verify.php
i.e. changing the code to read:
if( $f_confirm_hash !== $t_token_confirm_hash || null === $t_token_confirm_hash ) {
    trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
}
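As an added example (not part of the original post or of MantisBT's own code), the following Python check scans web-server access logs for the request pattern described above: hits on verify.php whose confirm_hash parameter is absent or empty. The log lines, IP addresses and the /mantis/ path are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Apr/2017:13:01:02 +0000] "GET /mantis/verify.php?id=1&confirm_hash= HTTP/1.1" 200 5123
203.0.113.5 - - [16/Apr/2017:13:01:09 +0000] "GET /mantis/verify.php?id=7 HTTP/1.1" 200 5123
198.51.100.9 - - [16/Apr/2017:13:02:44 +0000] "GET /mantis/verify.php?id=42&confirm_hash=0f3a9b HTTP/1.1" 200 5120
198.51.100.9 - - [16/Apr/2017:13:03:01 +0000] "GET /mantis/view.php?id=12 HTTP/1.1" 200 8800
"""

# Minimal common-log-format parser: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_verify_requests(log_text):
    """Return (ip, timestamp, user_id, status) for each verify.php request
    whose confirm_hash parameter is missing or empty. A legitimate lost-password
    flow always carries a non-empty hash, so these hits deserve a closer look
    regardless of the HTTP status (a patched instance answers with an error
    page, an unpatched one with the reset form)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith("/verify.php"):
            continue
        # keep_blank_values so that "confirm_hash=" is seen as present-but-empty
        qs = parse_qs(parts.query, keep_blank_values=True)
        confirm = qs.get("confirm_hash", [""])[0]
        if confirm.strip():
            continue  # non-empty hash: normal password-reset traffic
        user_id = qs.get("id", ["?"])[0]
        hits.append((m.group("ip"), m.group("ts"), user_id, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_verify_requests(SAMPLE_LOG):
        print("suspicious verify.php request: ip=%s time=%s id=%s status=%d" % hit)
```

Run against real logs by reading the file into find_suspicious_verify_requests; id=1 hits are the most urgent because that is the default administrator account.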