Mantis Bug Tracker Authentication Bypass Vulnerability Due to PHP Type Juggling

Vulnerability

An authentication bypass vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions 2.27.1 and prior. This issue arises from the incorrect use of loose comparison operators, allowing PHP type juggling to misinterpret certain MD5 hashes as numerical values, particularly those resembling scientific notation. In instances where the MD5 login method is enabled, an attacker can exploit this flaw by knowing the victim's username and using a password that hashes to zero, effectively bypassing the need for the actual password.

Impact

Exploitation of this vulnerability allows for unauthorized access to user accounts by bypassing password authentication. This is particularly concerning as it involves accounts with password hashes that evaluate to zero, which can be exploited without any knowledge of the actual password.

Remediation

Users can upgrade to MantisBT version 2.27.2, where this vulnerability has been patched. For accounts already affected, it is recommended to change the passwords of users with vulnerable password hashes. Instructions for identifying these accounts are available in the vulnerability advisory.
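To make the mechanism concrete, here is an added PHP illustration (not MantisBT's own code) of the loose-comparison pattern the advisory describes, the hardened form, and a defender-side check for stored hashes that PHP would treat as numeric. The function names and all hash values are constructed placeholders, not real MD5 digests of any password.

```php
<?php
// Added illustration, not MantisBT's own code. Hash values below are
// constructed placeholders, not real MD5 digests of any password.

// Vulnerable pattern: loose comparison of two hash strings. When both
// strings look like scientific notation ("0e" followed only by digits),
// PHP compares them as floats; both evaluate to 0.0 and therefore "match"
// even though the underlying passwords are unrelated.
function hash_matches_loose(string $stored, string $supplied): bool
{
    return $stored == $supplied;   // type juggling applies here
}

// Hardened pattern: constant-time, byte-for-byte comparison. No numeric
// interpretation takes place, so a "0e..." string only matches itself.
function hash_matches_strict(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Defender check: flag stored hashes that PHP would treat as a numeric
// string. Accounts whose hash passes this test are the ones the advisory
// says should have their passwords changed.
function is_juggling_prone_hash(string $hash): bool
{
    return is_numeric($hash);
}

// Constructed sample data: two different "0e" hashes and one ordinary hash.
$stored   = '0e111111111111111111111111111111';   // constructed, juggling-prone
$supplied = '0e222222222222222222222222222222';   // constructed, different digits
$ordinary = 'ab111111111111111111111111111111';   // constructed, not numeric

var_dump(hash_matches_loose($stored, $supplied));   // loose comparison
var_dump(hash_matches_strict($stored, $supplied));  // strict comparison
var_dump(is_juggling_prone_hash($stored));          // needs a password reset
var_dump(is_juggling_prone_hash($ordinary));        // unaffected
```

Run with `php` on the command line: the loose comparison reports the two constructed hashes as equal while `hash_equals` does not, and the numeric-string check singles out the "0e" hash as one whose account password should be reset.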

Added: Nov 4, 2025, 9:24 PM
Updated: Nov 4, 2025, 9:24 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 5.0
exploitability: 8.8
remediation: 8.3
relevance: 0.9
threat: 3.2
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.