This is the release announcement for releases including the fixes for a critical security issue (#22690 for CVE-2017-7615), allowing a remote attacker to reset any user’s password, on all MantisBT instances where user signup or password reset are enabled, via a vulnerability in the Account verification page (verify.php).
MantisBT since 1.3.0-rc.2 (included) is affected, as well as all 2.x releases. The issue will be fixed in versions 1.3.10, 2.2.4, and 2.3.1, to be released soon.
This issue has been fixed in release 1.3.10, 2.2.4, and 2.3.1 that we just published.
Due to the nature and criticality of the bug, we sent last night an advance notification to users that are registered on our bug tracker, providing the following patch that can mitigate the issue. If for any reason you can’t upgrade, go ahead and use the one line change below to patch your MantisBT instance.
Locate the if statement (at line 72 in 2.0.0-beta.3 and later, line 66 in older versions):
if( $f_confirm_hash != $t_token_confirm_hash ) {
change it to
if( $t_token_confirm_hash == null || $f_confirm_hash !== $t_token_confirm_hash ) {
You are strongly advised to patch your systems immediately.
We would like to take this opportunity to thank John Page aka hyp3rlinx from ApparitionSec (http://hyp3rlinx.altervista.org) for discovering, responsibly reporting and working with us towards resolution of this vulnerability.
Thanks,
-MantisBT Team