CVE-2008-4687
published 2008-10-22
Priority P266 critical 9 CVSS 2.0
AV:N/AC:L/Au:S/C:C/I:C/A:C
EXPLOIT
EPSS 67.45% (99.2th percentile)
manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_api.php.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mantis | mantis | <= 1.1.3 | — |
Detection & IOCs
- Detect POST requests to manage_proj_page.php containing PHP code injection sequences in the 'sort' parameter, particularly patterns breaking out of array context such as `']);`
- Look for HTTP POST requests to manage_proj_page.php with a custom 'Cmd' header containing base64-encoded payloads, used to pass the PHP eval payload via $_SERVER[HTTP_CMD]
- Flag HTTP requests to manage_proj_page.php whose POST body 'sort' parameter contains eval, base64_decode, or error_reporting function calls indicative of PHP code injection
- Monitor for Mantis versions 1.1.3 and earlier (pre-1.1.4) as these are confirmed vulnerable; version string is detectable from login_page.php response body matching /Mantis ([0-9]+\.[0-9]+\.[0-9]+)/
- Exploitation requires prior authentication; the attacker must have valid Mantis credentials before the RCE payload can be delivered to manage_proj_page.php
- The default installation path used by the Metasploit module is /mantisbt/; deployments under different base paths will require adjusted detection rules targeting the correct URI prefix
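The checks listed above, combined into one request classifier and a version check. This is an added example, not code from any of the sources aggregated on this page; the request dictionary layout, the reason labels, the `dir` parameter and both sample requests are constructed for illustration, and treating any `Cmd` header on this endpoint as suspicious is an assumption.

```python
import re
from urllib.parse import parse_qs

TARGET = "manage_proj_page.php"
BREAKOUT = "']);"  # array-context breakout sequence quoted in the list above
PHP_CALLS = re.compile(r"\b(eval|base64_decode|error_reporting)\s*\(", re.I)
VERSION_RE = re.compile(r"Mantis ([0-9]+\.[0-9]+\.[0-9]+)")

def is_vulnerable_version(login_body):
    """True/False if login_page.php shows a version before 1.1.4, None if no banner."""
    m = VERSION_RE.search(login_body)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")) < (1, 1, 4)

def inspect_request(req):
    """Return the reasons a logged HTTP request matches the indicators."""
    reasons = []
    path = req["path"].split("?", 1)[0]
    # Match on the script name so any base path (not only /mantisbt/) is covered.
    if req["method"].upper() != "POST" or not path.endswith("/" + TARGET):
        return reasons
    # parse_qs URL-decodes values, so encoded payloads are matched as well.
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    for value in params.get("sort", []):
        if BREAKOUT in value:
            reasons.append("sort-breakout")
        if PHP_CALLS.search(value):
            reasons.append("sort-php-call")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if "cmd" in headers:  # assumption: a Cmd header is never legitimate here
        reasons.append("cmd-header")
    return reasons

# Constructed sample records; the payload is a non-functional placeholder.
SAMPLE_SUSPICIOUS = {
    "method": "POST",
    "path": "/mantisbt/manage_proj_page.php",
    "headers": {"Cmd": "Y29uc3RydWN0ZWQ="},
    "body": "sort=name%27%5D%29%3Beval%28CONSTRUCTED_PLACEHOLDER%29",
}
SAMPLE_BENIGN = {
    "method": "POST",
    "path": "/tracker/manage_proj_page.php",
    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "body": "sort=name&dir=ASC",
}

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(sample["path"], inspect_request(sample))
```

Because exploitation requires prior authentication, a match is best correlated with the session or account that issued the request.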
CVSS provenance
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_redhat · 9.0 CRITICAL
Red Hat
mantis: code execution by registered users via sort parameter to manage_proj_page.php
vendor_redhat·CVSS 9.0
GHSA
GHSA-hv4w-qf5w-5wqc: manage_proj_page
ghsa_unreviewed·2022-05-14
CVE-2008-4687 [HIGH] CWE-94 GHSA-hv4w-qf5w-5wqc: manage_proj_page
No detection rules found.
Exploit-DB
Mantis Bug Tracker 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit)
exploitdb·2018-05-10
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Mantis manage_proj_page PHP Code Execution',
'Description' => %q{
Mantis v1.1.3 and earlier are vulnerable to a post-authentication Remote
Code Execution vulnerability in the sort parameter of the
manage_proj_page.php page.
},
'Author' => [
'EgiX', # Exploit-DB Entry Author
'Lars Sorenson' # MSF module author
],
'License' => MSF_LICENSE,
'References' =>
[
['EDB', '6768'],
['CVE', '2008-4687'],
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Mantis 'Oct 16, 2008',
'DefaultTarget' => 0))
register_options(
[
Opt
```
Exploit-DB
Mantis Bug Tracker 1.1.3 - Remote Code Execution
exploitdb·2008-10-16
---
# milw0rm.com [2008-10-16]
Metasploit
Mantis manage_proj_page PHP Code Execution
metasploit
Mantis v1.1.3 and earlier are vulnerable to a post-authentication Remote Code Execution vulnerability in the sort parameter of the manage_proj_page.php page.
- http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/utility_api.php?r1=5679&r2=5678&pathrev=5679
- http://secunia.com/advisories/32314
- http://secunia.com/advisories/32975
- http://securityreason.com/securityalert/4470
- http://www.gentoo.org/security/en/glsa/glsa-200812-07.xml
- http://www.mantisbt.org/bugs/changelog_page.php
- http://www.mantisbt.org/bugs/view.php?id=0009704
- http://www.openwall.com/lists/oss-security/2008/10/19/1
- http://www.securityfocus.com/bid/31789
- https://bugs.gentoo.org/show_bug.cgi?id=242722
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45942
- https://www.exploit-db.com/exploits/44611/
- https://www.exploit-db.com/exploits/6768
Published 2008-10-22