View Issue Details

ID: 0037130
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2026-05-14 10:34
Reporter: dombn
Assigned To: community
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.28.2
Target Version: 2.28.3
Fixed in Version: 2.28.3
Summary: 0037130: login_password_page.php: CSRF validation fails when called via auth_reauthenticate() (since 2.28.2)
Description

Since 2.28.2, login_password_page.php begins with form_security_validate('login') (introduced by commit 75b10b39, "Add CSRF protection to login process"). This breaks the re-authentication flow.

Root cause:

auth_reauthenticate() redirects via print_header_redirect() (a plain HTTP GET redirect) to login_password_page.php?reauthenticate=1&username=...&return=.... Because it is a GET redirect, there is no POST body and therefore no CSRF token. form_security_validate('login') is called before $f_reauthenticate is even read, so it always fails with ERROR #2800 for every re-authentication attempt.

In the normal two-step login flow (login_page.php → POST → login_password_page.php) the CSRF token is present and validation succeeds. The re-authentication path is the only affected code path.

Affected versions: 2.28.2, master (2.29.0-dev). Versions 2.28.0 and 2.28.1 are not affected.

Steps To Reproduce
  1. Log in to MantisBT with re-authentication enabled ($g_reauthentication = ON)
  2. Navigate to a page that triggers auth_reauthenticate() – e.g. account_page.php after the re-authentication token has expired
  3. MantisBT redirects to login_password_page.php?reauthenticate=1
  4. ERROR #2800 ("CSRF validation failed") is displayed immediately, before the password form is shown
Additional Information

Expected behavior: The password form is displayed and the user can re-authenticate normally.

Suggested fix:

Move $f_reauthenticate above the CSRF check and skip validation for that code path. The CSRF token generated later in the rendered form still protects the password submission itself (via login.php).

# auth_reauthenticate() redirects here via GET (no POST body, no CSRF token),
# bypassing login_page.php which normally generates the token. Skip validation
# for that path; the token rendered in the form still protects the subsequent
# password submission via login.php.
$f_reauthenticate = gpc_get_bool( 'reauthenticate', false );
if( !$f_reauthenticate ) {
    form_security_validate( 'login' );
}

$f_error                 = gpc_get_bool( 'error' );
$f_cookie_error          = gpc_get_bool( 'cookie_error' );
$f_return                = string_sanitize_url( gpc_get_string( 'return', '' ) );
$f_username              = trim( gpc_get_string( 'username', '' ) );
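To make the ordering problem concrete, the following is an added Python model of the three pages involved; it is not MantisBT code, and the token derivation, request dictionaries and page functions are simplified assumptions. It shows that the reauthenticate GET redirect carries no token, so the 2.28.2 ordering fails before the form is rendered, while the fixed ordering skips only that path and login.php still validates the password submission.

```python
import hmac
import secrets

SESSION_SECRET = secrets.token_bytes(32)  # constructed per-session secret (assumption, not MantisBT's)

class CsrfError(Exception):
    """Models ERROR #2800 ("CSRF validation failed")."""

def make_token(session_id: str, form_name: str) -> str:
    # Token bound to the session and the form name; simplified model of form_security_token().
    return hmac.new(SESSION_SECRET, f"{session_id}:{form_name}".encode(), "sha256").hexdigest()

def form_security_validate(form_name: str, request: dict, session_id: str) -> None:
    # Only the POST body is consulted, so a plain GET redirect can never carry a valid token.
    supplied = request.get("post", {}).get(f"{form_name}_token")
    if supplied is None or not hmac.compare_digest(supplied, make_token(session_id, form_name)):
        raise CsrfError(2800)

def login_password_page(request: dict, session_id: str, fixed: bool) -> str:
    """Models login_password_page.php before (fixed=False) and after (fixed=True) the fix."""
    if not fixed:
        # 2.28.2 ordering: validate before $f_reauthenticate is read, so the GET redirect always fails.
        form_security_validate("login", request, session_id)
    reauth = request.get("query", {}).get("reauthenticate") == "1"
    if fixed and not reauth:
        # Fixed ordering: only the normal POST arriving from login_page.php is validated here.
        form_security_validate("login", request, session_id)
    return "password form rendered"

def login_php(request: dict, session_id: str) -> str:
    """Models login.php: the password submission itself is always validated."""
    form_security_validate("login", request, session_id)
    return "credentials checked"

def reauth_get(username: str) -> dict:
    # Constructed: the GET request produced by auth_reauthenticate() via print_header_redirect().
    return {"query": {"reauthenticate": "1", "username": username}, "post": {}}

def password_post(session_id: str, username: str) -> dict:
    # Constructed: the form rendered by login_password_page.php, posted with its token to login.php.
    return {"query": {}, "post": {"username": username, "login_token": make_token(session_id, "login")}}

def fails_csrf(page, *args) -> bool:
    # True when the page rejects the request with the CSRF error.
    try:
        page(*args)
    except CsrfError:
        return True
    return False
```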
Tags: No tags attached.

Relationships

related to 0037011 (closed, dregad): CVE-2026-40596: XSS leading to account takeover via updating a user's font family preference

Activities

dombn (reporter), 2026-05-14 08:11, ~0071105

Reproduced on the official MantisBT instance (2.29.0-dev-master-6fce5960e) by navigating to account_page.php while logged in. auth_reauthenticate() redirected to login_password_page.php?reauthenticate=1 via GET, triggering the CSRF validation failure immediately — before the password form was ever displayed.

Attachment: grafik.png (137,520 bytes)

dombn (reporter), 2026-05-14 08:13, ~0071106

The regression was introduced by commit 75b10b39 ("Add CSRF protection to login process", 2026-04-11), which was included in the 2.28.2 release.

dombn (reporter), 2026-05-14 08:24, ~0071108

Fix submitted as GitHub Pull Request: https://github.com/mantisbt/mantisbt/pull/2220

dregad (developer), 2026-05-14 09:49, ~0071109

@dombn many thanks for catching this regression and providing a PR. Sorry I failed to test this code path before releasing 2.28.2. I'll review and test the patch, and will work on releasing 2.28.3 as soon as possible.

dregad (developer), 2026-05-14 10:06, ~0071110

I know why I didn't catch this in my local tests - I had set $g_form_security_validation = OFF for another test and forgot to revert it back to ON afterwards.

Related Changesets

MantisBT: master-2.28 75b10b39
2026-04-11 18:49, dregad

Add CSRF protection to login process

Improves security, reducing risk of a vulnerability escalating its
impact.

As recommended by @siunam in Issue 0037011.

Affected Issues: 0037011, 0037130
mod - login.php
mod - login_page.php
mod - login_password_page.php

MantisBT: master-2.28 b6faebd5
2026-05-14 08:20, dombn (committer: dregad)

Fix CSRF validation failure in reauthenticate flow

auth_reauthenticate() redirects to login_password_page.php via GET,
bypassing login_page.php which normally generates the CSRF token.
The form_security_validate() call therefore always fails with
ERROR #2800, making re-authentication impossible.

Fix: read $f_reauthenticate before the CSRF check and skip validation
for that path. The token rendered in the form still protects the
subsequent password submission via login.php.

Fixes 0037130, PR https://github.com/mantisbt/mantisbt/pull/2220

Affected Issues: 0037130
mod - login_password_page.php