This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: MantisBT allows arbitrary password resets via an empty `confirm_hash` in `verify.php`. **Consequences**: Attackers gain **unauthenticated admin access** and can hijack any user account.…
**Vendor**: MantisBT Team. **Product**: MantisBT (Open-source bug tracker). **Affected Versions**: **2.3.0 and earlier**. **Note**: Newer versions may be patched, but this specific range is vulnerable.
**Threshold**: **LOW**. **Auth Required**: **None**. **Config**: Simple HTTP request to `verify.php`. **Ease**: Extremely easy to exploit via a single crafted request with an empty hash. No complex setup needed.
Q6 Is there a public Exp? (PoC/Wild Exploitation)
**Public Exp**: **YES**. **PoC Available**: Yes, via Nuclei templates and security advisories (e.g., hyp3rlinx). **Wild Exploitation**: High risk due to simplicity.…
**Self-Check**: Scan for `verify.php` endpoints. **Test**: Send request with `confirm_hash=` (empty). **Indicator**: If password reset succeeds or no error occurs, you are vulnerable.…
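A detection sketch for the indicator above, added here as an example (it is not part of the original analysis or of MantisBT's code): it scans web access logs for requests to `verify.php` that carry an empty `confirm_hash`. The combined log format, the constructed sample lines and the function name `find_empty_confirm_hash` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (documentation IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [20/Apr/2017:10:01:12 +0000] "GET /mantis/verify.php?confirm_hash= HTTP/1.1" 200 5120 "-" "curl/7.52"
203.0.113.9 - - [20/Apr/2017:10:02:40 +0000] "GET /mantis/verify.php?confirm_hash=Zm9vYmFyMTIz HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2017:10:03:05 +0000] "GET /mantis/VERIFY.PHP?confirm%5Fhash=%20 HTTP/1.1" 200 5120 "-" "curl/7.52"
203.0.113.9 - - [20/Apr/2017:10:04:00 +0000] "GET /mantis/view.php?page=7 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
this line is not an access-log entry
"""

# client IP, timestamp, method, request target and status of a combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_empty_confirm_hash(log_text):
    """Return one finding per request to verify.php with a blank confirm_hash."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m["target"])
        # Compare case-insensitively: some servers resolve paths that way.
        if not url.path.lower().endswith("/verify.php"):
            continue
        # parse_qs percent-decodes names and values; keep_blank_values keeps
        # "confirm_hash=" instead of silently dropping it.
        values = parse_qs(url.query, keep_blank_values=True).get("confirm_hash")
        if values is not None and any(v.strip() == "" for v in values):
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),  # a 2xx here deserves a closer look
            })
    return findings

if __name__ == "__main__":
    for f in find_empty_confirm_hash(SAMPLE_LOG):
        print(f)
```

Access logs normally record only the query string, so parameters sent in a request body are not covered by this check.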
**Official Fix**: **YES**. **Date**: Advisory published April 16, 2017. **Action**: Upgrade to a version **newer than 2.3.0**. **Status**: The issue was confirmed and addressed by the MantisBT team.
Q9 What if no patch? (Workaround)
**Workaround**: If patching is delayed, **disable password reset functionality** via configuration. **Access Control**: Restrict access to `verify.php` via WAF or firewall rules.…
**Urgency**: **HIGH**. **Priority**: **Critical**. **Reason**: Unauthenticated admin access is a severe threat. **Action**: Patch **immediately**. Do not wait.…