MantisBT 2.28.3 and earlier versions contains a SQL injection vulnerability in core/history_api.php. The history_order configuration value is concatenated directly into a SQL ORDER BY clause without any sanitisation, parameterization, or validation against a whitelist.
An administrator can set this configuration value via the web UI (adm_config_set.php) or the REST API (PATCH /api/rest/config). The injected SQL then executes whenever any user views a bug with history entries.
Impact
- Sensitive data extraction from the entire bugtracker database including user credentials (cookie_string, password hashes), API tokens, and private issue data
- With MySQL FILE privilege: full RCE via INTO OUTFILE writing a PHP webshell to the web root
- The admin plants the payload once; any authenticated user viewing a bug with history triggers the injection
Patches
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Resources
Credits
McCaulay Hudson (@McCaulay) of watchTowr
References
MantisBT 2.28.3 and earlier versions contains a SQL injection vulnerability in core/history_api.php. The history_order configuration value is concatenated directly into a SQL ORDER BY clause without any sanitisation, parameterization, or validation against a whitelist.
An administrator can set this configuration value via the web UI (adm_config_set.php) or the REST API (PATCH /api/rest/config). The injected SQL then executes whenever any user views a bug with history entries.
Impact
Patches
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Resources
Credits
McCaulay Hudson (@McCaulay) of watchTowr
References