MantisBT: master-2.27 966554a1

Author: dregad
Committer: dregad
Branch: master-2.27
Timestamp: 2025-05-14 12:39
Parent: master-2.27 433ba1cc
Affected Issues: 0035967: CVE-2025-47776: Authentication bypass for some passwords due to PHP type juggling
Changeset

Check password with strict string comparison

Due to an incorrect use of loose instead of strict comparison in the
authentication code, PHP type juggling will cause interpretation of
certain MD5 hashes as numbers, specifically those matching scientific
notation.

On MantisBT instances configured to use the MD5 login method, user
accounts having a password hash evaluating to zero (i.e. matching regex
^0+[Ee][0-9]+$) are vulnerable, allowing an attacker knowing the
victim's username to log in without knowledge of their actual password,
using any other password having a hash evaluating to zero, for example
comito5 (0e579603064547166083907005281618).

Fixes 0035967, CVE-2025-47776, GHSA-4v8w-gg5j-ph37

mod - core/authentication_api.php
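The following is an added illustration, written here for this page; it is not MantisBT's code and not the patch in core/authentication_api.php. It shows the two halves of the commit message in runnable PHP: a loose `==` comparison that treats any digest of the form `0e<digits>` as the number zero, and the strict check that avoids the type juggling. The stored hash `0e111...` is a constructed value standing in for a victim's hash that matches the regex from the commit message; the password `comito5` and its digest are the ones quoted above. `is_juggling_prone_hash()` is a hypothetical helper name, added so an administrator can audit a password table for hashes that would trigger the bypass.

```php
<?php
// Added illustration (not MantisBT's code): loose vs strict comparison of
// MD5 hex digests, and an audit check for digests that PHP would read as
// the number 0 in scientific notation.

// Constructed stand-in for a victim's stored MD5 hash. It matches
// ^0+[Ee][0-9]+$, so PHP's loose comparison treats it as numeric zero.
const VICTIM_STORED_HASH = '0e111111111111111111111111111111';

// Vulnerable form: '==' between two numeric-looking strings compares them
// as numbers, so "0e111..." == "0e579..." evaluates to true (0 == 0).
function password_matches_loose(string $storedHash, string $candidate): bool
{
    return $storedHash == md5($candidate);
}

// Hardened form: hash_equals() compares the strings byte for byte (and in
// constant time). A plain '===' would also prevent the juggling.
function password_matches_strict(string $storedHash, string $candidate): bool
{
    return hash_equals($storedHash, md5($candidate));
}

// Audit helper (hypothetical name): true for stored hashes that loose
// comparison would treat as zero, i.e. accounts exposed to this bypass.
function is_juggling_prone_hash(string $hash): bool
{
    return (bool) preg_match('/^0+[Ee][0-9]+$/', $hash);
}

// 'comito5' is the example password from the commit message; its digest is
// stated there as 0e579603064547166083907005281618. 'not-the-password' is a
// constructed ordinary wrong guess.
foreach (['comito5', 'not-the-password'] as $guess) {
    printf(
        "guess=%-18s md5=%s loose=%s strict=%s\n",
        $guess,
        md5($guess),
        var_export(password_matches_loose(VICTIM_STORED_HASH, $guess), true),
        var_export(password_matches_strict(VICTIM_STORED_HASH, $guess), true)
    );
}

// Audit over a constructed set of stored hashes: only the first is exposed.
$storedHashes = [
    VICTIM_STORED_HASH,
    '5f4dcc3b5aa765d61d8327deb882cf99', // md5('password'), not numeric-looking
    '0e5796030645471660839070052816ff', // trailing non-digits: not juggled
];
foreach ($storedHashes as $h) {
    printf("%s juggling-prone=%s\n", $h, var_export(is_juggling_prone_hash($h), true));
}
```

Run with `php example.php`. Expect the loose check to accept `comito5` against the constructed victim hash while the strict check rejects it, and the audit loop to flag only the `0e...` digest. The same audit regex is the one the commit message gives, so it can be applied directly to a user table to estimate exposure on an instance that still uses the MD5 login method.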