Harry Sintonen
@harrysintonen@infosec.exchange  ·  activity timestamp 2 weeks ago

Several months ago, I found a #vulnerability in #MantisBT - Authentication bypass for some passwords due to PHP type juggling (CVE-2025-47776).

Any account that has a password that results in a hash that matches ^0+[Ee][0-9]+$ can be logged in with a password that matches that regex as well. For example, password comito5 can be used to log in to the affected accounts and thus gain unauthorised access.

The root cause of this bug is the incorrect use of == to match the password hash:

if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password )

The fix is to use === for the comparison.

This vulnerability has existed in MantisBT ever since hashed password support was added (read: decades). MantisBT 2.27.2 and later include a fix to this vulnerability. https://mantisbt.org/download.php

#CVE_2025_47776 #infosec #cybersecurity

Root cause of CVE-2025-47776 vulnerability: Use of == instead of === to compare password hashes.
Harry Sintonen
@harrysintonen@infosec.exchange replied  ·  activity timestamp 2 weeks ago

It was somewhat difficult to find the old history of the MantisBT source code, but as far as I can tell this vulnerability was added on 2001-10-24 in version 0.15.8 (the first version that added MD5 hashed password support).

The vulnerability is thus 24 years and 8 days old as of today.

Harry Sintonen
@harrysintonen@infosec.exchange replied  ·  activity timestamp 2 weeks ago

You can check the user database for affected user accounts. For example if the DB is MySQL:

SELECT username, email FROM mantis_user_table WHERE password REGEXP '^0+[Ee][0-9]+$'

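Added example (mine, not code from the post or from MantisBT): a Python model of the PHP == versus === behaviour described in the first post, plus the audit from the last reply (the REGEXP filter) applied to rows already fetched from the user table. The hash strings and user rows are constructed for illustration and are not real digests or real MantisBT data.

```python
import hmac
import re

# The hash shape from the post: PHP reads these strings as the number zero.
MAGIC_HASH = re.compile(r"^0+[Ee][0-9]+$")

# Simplified PHP numeric-string grammar: optional sign, digits with optional
# fraction, optional exponent, optional surrounding whitespace (PHP 8 rules).
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP's == on two strings: when both are numeric strings they
    are compared as numbers, otherwise byte for byte (PHP 8 semantics)."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)  # "0e1" == "00E22" -> 0.0 == 0.0 -> True
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """Model of PHP's === on two strings (the fix); compare_digest also keeps
    the comparison constant-time, like PHP's hash_equals()."""
    return hmac.compare_digest(a.encode(), b.encode())


def find_affected(rows):
    """Same filter as the reply's MySQL REGEXP query, applied to
    (username, email, password_hash) tuples fetched from the database."""
    return [(user, email) for user, email, pw_hash in rows if MAGIC_HASH.match(pw_hash)]


# Constructed sample rows (not real MantisBT data). The first two hashes are
# 32-character strings shaped like MD5 digests that fall into the magic class.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "0e012345678901234567890123456789"),
    ("bob", "bob@example.com", "00E98765432109876543210987654321"),
    ("carol", "carol@example.com", "3a7bd3e2360a3d29eea436fcfb7e44c8"),
]

if __name__ == "__main__":
    stored = SAMPLE_USERS[0][2]
    candidate = SAMPLE_USERS[1][2]  # hash of a different password, same class
    print("vulnerable == :", php_loose_eq(candidate, stored))   # True
    print("fixed === :", php_strict_eq(candidate, stored))      # False
    print("affected users:", find_affected(SAMPLE_USERS))
```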