View Issue Details

ID: 0037135
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2026-05-18 03:03
Reporter: khushal
Assigned To: community
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 2.28.2
Target Version: 2.28.4
Fixed in Version: 2.28.4
Summary0037135: Fix CSRF validation failure in anonymous login
Description

Summary

The "Login Anonymously" entry point (login_anon.php) dead-ends on
APPLICATION ERROR #2800 (form security token invalid), making
anonymous login via the UI-exposed link unusable.

Root cause

login_anon.php builds its parameters and redirects directly to
login.php, bypassing login_page.php where the login CSRF token
is normally generated and seeded into the session. login.php calls
form_security_validate( 'login' ) unconditionally, so the
anonymous redirect always fails with ERROR #2800.
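The failure mode in the root cause above, modelled as an added example (this is illustrative code written for this page, not MantisBT's core/form_api.php). Only form_security_validate( 'login' ) and the page names are taken from the issue; the session-dict parameter, the helper names form_security_token, login_page, login, login_anon_broken and login_anon_fixed, and the "seed the token before redirecting" repair in login_anon_fixed are all assumptions, since the actual change in login_anon.php is not shown on the page.

```python
import hmac
import secrets


class FormSecurityError(Exception):
    """Raised when a submitted form token does not match one seeded in the session."""


def form_security_token(session, form_name):
    """Mint a per-form CSRF token and record it in the session.

    This is what a form-rendering page (login_page.php in the issue) does
    before emitting the form. Assumed simplification: the session is a plain
    dict passed in explicitly.
    """
    tokens = session.setdefault("form_tokens", {})
    token = secrets.token_hex(16)
    tokens.setdefault(form_name, []).append(token)
    return token


def form_security_validate(session, form_name, submitted):
    """Accept the request only if `submitted` was seeded for `form_name` in
    this session; the token is consumed on success so it cannot be replayed."""
    tokens = session.get("form_tokens", {}).get(form_name, [])
    for index, token in enumerate(tokens):
        if hmac.compare_digest(token, submitted or ""):
            del tokens[index]
            return True
    # Same condition the issue reports for the anonymous path.
    raise FormSecurityError("APPLICATION ERROR #2800: form security token invalid")


def login_page(session):
    """Render the login form: seeds the 'login' token into the session."""
    return {"username": "", "password": "",
            "login_token": form_security_token(session, "login")}


def login(session, params):
    """login.php: validates the 'login' token unconditionally, then logs in."""
    form_security_validate(session, "login", params.get("login_token"))
    return "logged in as " + params["username"]


def login_anon_broken(session):
    """The regression: build parameters and go straight to login() without
    ever passing through login_page(), so no token exists to validate."""
    params = {"username": "anonymous", "password": ""}
    return login(session, params)


def login_anon_fixed(session):
    """One possible repair (an assumption, not the merged fix): seed the token
    in the same session before redirecting and carry it in the parameters."""
    params = {"username": "anonymous", "password": "",
              "login_token": form_security_token(session, "login")}
    return login(session, params)


def demo():
    """Run the three paths and return their outcomes keyed by scenario."""
    results = {}
    session = {}  # constructed, empty server-side session
    form = login_page(session)
    form["username"] = "alice"
    results["normal"] = login(session, form)
    try:
        results["anon_broken"] = login_anon_broken({})
    except FormSecurityError as err:
        results["anon_broken"] = str(err)
    results["anon_fixed"] = login_anon_fixed({})
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The point the model makes is that a per-form token only works when the page that renders the form and the page that validates it share a session round-trip; any server-side shortcut that jumps to the validating endpoint has no token to present. Note also that a token minted and consumed within one redirect, as in login_anon_fixed, proves only that the request passed through the entry point in the same session, so it is worth checking that the anonymous entry point itself is not reachable in a way the token was meant to guard against.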

TagsNo tags attached.

Relationships

related to 0037011 closeddregad CVE-2026-40596: XSS leading to account takeover via updating a user's font family preference 
related to 0037130 closedcommunity login_password_page.php: CSRF validation fails when called via auth_reauthenticate() (since 2.28.2) 

Activities

dregad (developer), 2026-05-18 02:40, note ~0071126

This is another regression introduced by MantisBT master-2.28 75b10b39 (0037011) - see 0037130.

PR https://github.com/mantisbt/mantisbt/pull/2221

Related Changesets

MantisBT: master-2.28 75b10b39

2026-04-11 18:49

dregad

Add CSRF protection to login process

Improves security, reducing risk of a vulnerability escalating its
impact.

As recommended by @siunam in Issue 0037011.
Affected Issues
0037011, 0037130, 0037135
mod - login.php
mod - login_page.php
mod - login_password_page.php

MantisBT: master-2.28 c6ccd554

2026-05-18 03:00

dregad

Fix anonymous login regression caused by CSRF token

Merging PR https://github.com/mantisbt/mantisbt/pull/2221, which
initially contained 2 fixes.

The first one (anonymous login) is merged by this.

The second for core/authentication_api.php (auth_reauthenticate()) was
reverted by the author following PR review, as the problem was already
fixed in Issue 0037130.

Keeping the sausage-making in Git history just in case a bug surfaces
later on.

Fixes 0037135
Affected Issues
0037130, 0037135
mod - login_anon.php