CVE-2017-7615
Published 2017-04-16
CVE-2017-7615: MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
Priority: P1 · 81 · high · CVSS 3.1 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Exploit: public exploit available · EPSS: 90.86% (99.8th percentile)
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mantisbt | mantisbt | <= 2.3.0 | — |
| mantisbt | mantisbt | >= 1.3.0-rc.2 < 1.3.10 | 1.3.10 |
| mantisbt | mantisbt | >= 2.0.0 < 2.2.4 | 2.2.4 |
| mantisbt | mantisbt | >= 2.3.0 < 2.3.1 | 2.3.1 |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by monitoring HTTP GET requests to verify.php with an empty confirm_hash parameter (`verify.php?id=<n>&confirm_hash=`). The comparison at verify.php line 66 checks the supplied hash against the value returned by token_get_value(); when no reset token exists for that user the stored value is null, and PHP's loose `!=` treats the empty string and null as equal, so the check is bypassed without any prior "lost password" request.
- A response to that GET which contains the hidden account_update_token form field confirms the bypass succeeded (verify.php has logged the attacker in as that user); the follow-up POST to account_update.php completes the two-step flow.
- Flag POST requests to account_update.php carrying verify_user_id and account_update_token from a session that never went through a password login; this is the password-hijack step. Web-server access logs do not record POST bodies, so matching these field names needs a reverse proxy, WAF or application log that captures form parameters.
- For the chained RCE variant (CVE-2017-7615 + CVE-2019-15715), detect POST requests to adm_config_set.php that set the dot_tool or relationship_graph_enable config options. adm_config_set.php itself requires administrator privileges, so its appearance moments after a verify.php bypass against id=1 from the same client is the tell.
- Use the Shodan favicon hash 662709064 (FOFA: icon_hash=662709064) to identify internet-exposed MantisBT instances for proactive scanning.
- The vulnerability affects 1.3.0-rc.2 up to 1.3.9, 2.0.0 up to 2.2.3 and 2.3.0; the 1.2.x branch is not affected.
- The public exploit guesses user IDs starting at id=1 (administrator); detections should account for sequential or iterated id values in the query string rather than matching only id=1.
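The access-log side of the detections above, as an added example that is not taken from any of the sources on this page. It parses constructed Apache combined-format lines (the client IPs, timestamps and the /mantis/ path prefix are invented for the example), raises one finding per empty-confirm_hash hit on verify.php, a separate finding when one client iterates several user ids, and escalates when the same client follows up with POST account_update.php and then POST adm_config_set.php inside a short window. Because POST bodies are absent from access logs, the verify_user_id / account_update_token and dot_tool checks are approximated here by request sequence; a proxy or WAF log with form fields would let you match those names directly.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines for the example (not real traffic).
# 203.0.113.7  runs the full chain: verify.php bypass -> account_update.php -> adm_config_set.php
# 198.51.100.9 iterates user ids with an empty confirm_hash (one request uses a bare "confirm_hash")
# 192.0.2.44   is a legitimate reset: verify.php with a real confirm_hash, then account_update.php
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2017:10:00:01 +0000] "GET /mantis/verify.php?id=1&confirm_hash= HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
203.0.113.7 - - [18/Apr/2017:10:00:02 +0000] "POST /mantis/account_update.php HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
203.0.113.7 - - [18/Apr/2017:10:00:05 +0000] "POST /mantis/adm_config_set.php HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
198.51.100.9 - - [18/Apr/2017:10:01:00 +0000] "GET /mantis/verify.php?id=1&confirm_hash= HTTP/1.1" 200 5120 "-" "curl/7.52.1"
198.51.100.9 - - [18/Apr/2017:10:01:01 +0000] "GET /mantis/verify.php?id=2&confirm_hash= HTTP/1.1" 200 5118 "-" "curl/7.52.1"
198.51.100.9 - - [18/Apr/2017:10:01:02 +0000] "GET /mantis/verify.php?id=3&confirm_hash HTTP/1.1" 200 5117 "-" "curl/7.52.1"
192.0.2.44 - - [18/Apr/2017:10:05:00 +0000] "GET /mantis/verify.php?id=17&confirm_hash=3c9a7f0e1b2d4a5c HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [18/Apr/2017:10:05:20 +0000] "POST /mantis/account_update.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(req["target"])
    req["script"] = url.path.rsplit("/", 1)[-1]          # e.g. "verify.php"
    # keep_blank_values=True so that both "confirm_hash=" and a bare "confirm_hash" survive
    req["query"] = dict(parse_qsl(url.query, keep_blank_values=True))
    return req


def is_empty_hash_verify(req):
    """True for the CVE-2017-7615 trigger: GET verify.php with confirm_hash present but empty."""
    return (
        req["method"] == "GET"
        and req["script"] == "verify.php"
        and req["query"].get("confirm_hash") == ""
    )


def analyse(log_text, window=timedelta(minutes=5), enum_threshold=3):
    """Return a list of findings (one dict per matched rule) in log order."""
    findings = []
    last_bypass = {}               # ip -> (timestamp, user id) of its latest empty-hash hit
    probed_ids = defaultdict(set)  # ip -> user ids probed with an empty hash
    hijacked = {}                  # ip -> timestamp of a completed account_update.php step
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        ip, ts = req["ip"], req["ts"]
        if is_empty_hash_verify(req):
            uid = req["query"].get("id", "?")
            probed_ids[ip].add(uid)
            last_bypass[ip] = (ts, uid)
            findings.append({"ip": ip, "rule": "verify_empty_confirm_hash", "user_id": uid, "ts": ts})
            if len(probed_ids[ip]) == enum_threshold:   # fire once, when the threshold is reached
                findings.append({"ip": ip, "rule": "user_id_enumeration",
                                 "user_ids": sorted(probed_ids[ip]), "ts": ts})
        elif req["method"] == "POST" and req["script"] == "account_update.php":
            # password change shortly after a bypass from the same client: the hijack step
            if ip in last_bypass and ts - last_bypass[ip][0] <= window:
                hijacked[ip] = ts
                findings.append({"ip": ip, "rule": "password_hijack_chain",
                                 "user_id": last_bypass[ip][1], "ts": ts})
        elif req["method"] == "POST" and req["script"] == "adm_config_set.php":
            # admin-only config write right after a hijack: the CVE-2019-15715 chain
            if ip in hijacked and ts - hijacked[ip] <= window:
                findings.append({"ip": ip, "rule": "rce_chain_cve_2019_15715", "ts": ts})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["ts"].isoformat(), f["ip"], f["rule"], f.get("user_id", f.get("user_ids", "")))
```

The legitimate reset from 192.0.2.44 produces no finding because its confirm_hash is non-empty, while the bare `confirm_hash` (no `=`) from 198.51.100.9 is still caught because `parse_qsl` keeps blank values. Tune `window` to your site's reset flow before deploying; the chain rules key on client IP, so traffic behind a shared NAT will need the session cookie as the correlation key instead.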
CVSS provenance
- NVD v3.1: 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 6.5 MEDIUM AV:N/AC:L/Au:S/C:P/I:P/A:P
Both NVD vectors assume low privileges (PR:L, Au:S), but the advisory and the public exploits need no credentials at all; with PR:N the same v3.1 vector scores 9.8, so treat this as an unauthenticated admin takeover when prioritising.
OSV
MantisBT allows arbitrary password reset
osv · 2022-05-13 · CVE-2017-7615 [HIGH]
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
GHSA
MantisBT allows arbitrary password reset
ghsa · 2022-05-13 · CVE-2017-7615 [HIGH] · CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
No detection rules found.
Exploit-DB
Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)
exploitdb · 2020-09-18 · CVSS 8.8 · CVE-2019-15715 [HIGH]
---
# Exploit Title: Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)
# Date: 2020-09-17
# Vulnerability Discovery: hyp3rlinx, permanull
# Exploit Author: Nikolas Geiselman
# Vendor Homepage: https://mantisbt.org/
# Software Link: https://mantisbt.org/download.php
# Version: 1.3.0/2.3.0
# Tested on: Ubuntu 16.04/19.10/20.04
# CVE : CVE-2017-7615, CVE-2019-15715
# References:
# https://mantisbt.org/bugs/view.php?id=26091
# https://www.exploit-db.com/exploits/41890
'''
This exploit chains together two CVE's to achieve unauthenticated remote code execution.
The first portion of this exploit resets the Administrator password (CVE-2017-7615) discovered by John Page a.k.a hyp3rlinx, this portion was modified
Exploit-DB
Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset
exploitdb · 2017-04-16 · CVSS 8.8 · CVE-2017-7615 [HIGH]
---
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt
[+] ISR: ApparitionSec
Vendor:
www.mantisbt.org
Product:
Mantis Bug Tracker
v1.3.0 / 2.3.0
MantisBT is a popular free web-based bug tracking system. It is written in PHP and works with MySQL, MS SQL, and PostgreSQL databases.
Vulnerability Type:
Pre-Auth Remote Password Reset
CVE Reference:
CVE-2017-7615
Security Issue:
Mantis account verification page 'verify.php' allows resetting ANY user's password.
Remote unauthenticated attackers can send HTTP GET requests to hijack ANY Mantis account by guessing the ID / username.
Vulnerable code:
In ver
Metasploit
MantisBT password reset
metasploit
MantisBT before 1.3.10, 2.2.4, and 2.3.1 is vulnerable to unauthenticated password reset.
Nuclei
MantisBT <=2.30 - Arbitrary Password Reset/Admin Access
nuclei · CVSS 8.8 · CVE-2017-7615 [HIGH]
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
Template:
id: CVE-2017-7615
# THIS TEMPLATE IS ONLY FOR DETECTING
# To carry out further attacks, please see reference[2] below.
# This template works by guessing user ID.
# MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded on reference[1].
info:
  name: MantisBT <=2.30 - Arbitrary Password Reset/Admin Access
  author: bp0lr,dwisiswant0
  severity: high
  description: |
    MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized password
Bugzilla
CVE-2017-7615 mantis: Arbitrary password reset [fedora-all]
bugzilla · 2017-04-18 · CVSS 8.8 · CVE-2017-7615 [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While
Bugzilla
CVE-2017-7615 mantis: Arbitrary password reset
bugzilla · 2017-04-18 · CVSS 8.8 · CVE-2017-7615 [HIGH]
MantisBT allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
Upstream patches:
- 2.3.x https://github.com/mantisbt/mantisbt/commit/cfbc5e54
- 2.2.x https://github.com/mantisbt/mantisbt/commit/46880ef6
- 1.3.x https://github.com/mantisbt/mantisbt/commit/14c61a8c
Upstream bug:
https://mantisbt.org/bugs/view.php?id=22690
References:
http://seclists.org/oss-sec/2017/q2/74
Discussion:
We are still shipping 1.2.x versions, not affected by this issue.
---
Created mantis tracking bugs for this issue:
Affects: fedora-all [bug 1442998]
References:
- http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt
- http://packetstormsecurity.com/files/159219/Mantis-Bug-Tracker-2.3.0-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2017/04/16/2
- http://www.securityfocus.com/bid/97707
- https://mantisbt.org/bugs/view.php?id=22690
- https://www.exploit-db.com/exploits/41890/