GHSA-4v8w-gg5j-ph37: MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling

The authentication code compares password hashes with loose (==) instead of strict (===) comparison. PHP type juggling therefore interprets certain MD5 hashes as numbers, specifically those that match scientific notation.

Impact

On MantisBT instances configured to use the MD5 login method, user accounts whose password hash evaluates to zero (i.e. matches the regex ^0+[Ee][0-9]+$) are vulnerable. An attacker who knows the victim’s username can log in without knowing the actual password, using any other password whose hash also evaluates to zero, for example comito5 (0e579603064547166083907005281618).

No per-user password brute-forcing is needed, so $g_max_failed_login_count does not protect against the attack.

Patches

Fixed in 2.27.2.

Workarounds

Check the database for vulnerable accounts, and change those users’ passwords, e.g. for MySQL:

SELECT username, email FROM mantis_user_table WHERE password REGEXP '^0+[Ee][0-9]+$'
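
The loose comparison described above, next to a strict one and the same pattern check as the SQL query, as an added illustration that is not MantisBT's code or its actual fix. The function names and the stored hashes are assumptions constructed for the example; comito5 is the advisory's own sample password.

```php
<?php
declare(strict_types=1);

// Added illustration, not MantisBT source. Function names are hypothetical.

// Loose check: when both operands are numeric strings, == compares them as
// numbers, so any two "0e<digits>" hashes are equal (both are 0.0).
function check_loose(string $stored, string $password): bool
{
    return md5($password) == $stored;
}

// Strict check: hash_equals() compares the strings byte for byte, in
// constant time, with no numeric conversion (=== also avoids the juggling).
function check_strict(string $stored, string $password): bool
{
    return hash_equals($stored, md5($password));
}

// Same pattern as the advisory's SQL query, for auditing exported hashes.
function is_zero_hash(string $hash): bool
{
    return preg_match('/^0+[Ee][0-9]+$/', $hash) === 1;
}

// Constructed stored hashes (not taken from any real account).
$accounts = [
    'alice' => '0e111111111111111111111111111111', // matches the pattern
    'bob'   => '5f4dcc3b5aa765d61d8327deb882cf99', // ordinary hex hash
];

// 'comito5' is the advisory's example password; its MD5 evaluates to zero.
foreach ($accounts as $user => $stored) {
    printf(
        "%-5s at_risk=%-5s loose=%-5s strict=%s\n",
        $user,
        var_export(is_zero_hash($stored), true),
        var_export(check_loose($stored, 'comito5'), true),
        var_export(check_strict($stored, 'comito5'), true)
    );
}
```

Only the account whose stored hash matches the pattern is accepted by the loose check; the strict check rejects the wrong password for both accounts.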

Credits

Thanks to Harry Sintonen / Reversec for discovering and reporting the issue.

References

  • GHSA-4v8w-gg5j-ph37
  • mantisbt/mantisbt@966554a
  • https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782
  • https://mantisbt.org/bugs/view.php?id=35967