View Issue Details

IDProjectCategoryView StatusLast Update
0026091mantisbtsecuritypublic2019-09-27 02:35
Reporterpermanull Assigned Toatrol  
Status closedResolutionfixed 
Product Version2.22.0 
Target Version2.22.1Fixed in Version2.22.1 
Summary0026091: CVE-2019-15715: [Admin Required - Post Authentication] Command Execution / Injection Vulnerability

The current code allows an attacker with administrative access to MantisBT to setup configuration options in a way that allows for command injection/command execution against the server. I ended up discovering this while playing a 'penetration testing' challenge that uses an older version of Mantis.

There are two different points where this is possible

One is the dot_tool config option which gets ingested here;

The other is the neato_tool configuration option which is ingested here;

Eventually these configuration options get used inside of the "output" function of the graph class here;

They are appended to $t_command which is later passed into $t_process = proc_open( $t_command, $t_descriptors, $t_pipes );

Because it's possible for an attacker to control both the config options dot_tool and neato_tool they can easily inject a crafted command such as "echo '<?php phpinfo(); ?>';" where ";" is being used to offset the addition of "-T" and $p_format variable, being performed by the code and avoiding it within the intended command to be executed.

I've submitted a request for a CVE of this but have not provided details of exploitation to MITRE yet.

Steps To Reproduce

Login to mantisbt as an administrator.
Navigate to Manage->Manage Configuration->Configuration Report.
Scroll down to "Create Configuration Option"

Type "relationship_graph_enable" into Configuration Option with a value of 1 to enable the graphs.
Hit "Create Configuration Option"

Scroll back down to "Create Configuration Option"
Type "dot_tool" into Configuration Option with a value of "touch /tmp/vulnerable;"
Hit "Create Configuration Option"

Visit: http://mantisbt/workflow_graph_img.php

List files in /tmp and find "vulnerable" has been created proving the command injection worked.

TagsNo tags attached.


has duplicate 0026162 closeddregad CVE-2019-15715: Command Execution / Injection Vulnerability 




2019-08-28 05:47

developer   ~0062672

Attatched a patch that prevents options neato_tool and dot_tool from being set in database.

26091-command-execution.patch (964 bytes)   
From 52018acd62058d40bcec0b0d1f5f3ee32c856ad2 Mon Sep 17 00:00:00 2001
From: Roland Becker <>
Date: Wed, 28 Aug 2019 11:39:42 +0200
Subject: [PATCH] Prevent arbitrary command execution of Mantis Administrators

Fixes #26091
 config_defaults_inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index 6dc188dd6..516cd520e 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -4361,7 +4361,7 @@ $g_global_settings = array(
 	'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page',
 	'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url',
 	'cdn_enabled', 'public_config_names', 'email_login_enabled', 'email_ensure_unique',
-	'impersonate_user_threshold', 'email_retry_in_days'
+	'impersonate_user_threshold', 'email_retry_in_days', 'neato_tool', 'dot_tool'



2019-08-28 05:49

developer   ~0062673

@permanull can you confirm that the attached patch fixes the issue?



2019-08-28 06:09

developer   ~0062674

Please let us know the CVE number when you have it.



2019-08-28 13:43

reporter   ~0062675

@atrol That should work, if someone had access to modify the configuration it would obviously still be possible but at that point I guess execution/access is assumed.

@dregad Here's the CVE ID CVE-2019-15715



2019-08-28 13:47

reporter   ~0062676

@atrol It may be worth also implementing escapeshellcmd when looking at the two variables for a more complete fix, prior to proc_open being executed as there's no instance where I see the user having to put arguments along with the binary path.



2019-08-28 14:01

reporter   ~0062677

This should also be taken into account when using escapeshellcmd or escapeshellarg;

My understanding of it however seems as if it wouldn't impact the code in mantis unless proc_open performs some form of escaping which will cancel out the original attempt at doing so, they do provide an alternative escape function though I've personally never been able to bypass the functionality of the original but something to keep in mind considering another escape is used here which I had also looked into but didn't find a way to abuse for the CTF/Pentesting Challenge I was playing.



2019-08-29 13:50

reporter   ~0062684

Don't know if you guys were able to see my previous notes, I'd marked them private.



2019-08-29 14:14

developer   ~0062685

We can see your private notes, but you would not be able to see our private notes.
So it makes no sense to communicate this way.

I think your notes describe another problem and should be discussed in a separate private issue without using private notes.
After that I will remove your private notes, so no one will see them after the issue is set to public.
At the moment, I am not sure if it's needed / makes sense to fix the problem that is described in your private notes.

@dregad do you agree?



2019-08-29 14:22

reporter   ~0062687

Looking at the problem described by those notes, the json_url function seems unreachable and is called as a last resort so exploitation of it is very unlikely even if character encoding or etc was off... so from the outside looking in I'd say that patching in that way for that specific function is a waste of time but would still suggest adding an escapeshellcmd to the proc_open where the graph system is vulnerable even though you can trust the user input now with the configuration in the panel having it blacklisted.



2019-09-21 12:00

developer   ~0062870

Last edited: 2019-09-21 12:01

@permanull apologies for the delay in taking care of this, I got sidetracked and then forgot about it.

As you have already confirmed that @atrol's patch addresses the problem, I'll commit that. Additionally, as an extra safety I'll add escapeshellcmd() call in graphviz_api.php, where the neato & dot tools are being used, even though at this point we could consider these configs' values to be trusted since they can only be set by someone already having access to the server's filesystem.

With regards to the use of escapeshellarg() in the url_get() function, this helper API is currently not used in MantisBT core; to my knowledge, only the Source Integration plugin is relying on it. As you correctly point out, shell_exec() is only a last resort. At some point I think we should make curl extension mandatory and get rid of that call. For now, I don't think it's worth taking any action here.

Related Changesets

MantisBT: master fc7668c8

2019-08-28 05:39:42


Committer: dregad Details Diff
Prevent arbitrary shell command execution

Prior to this, Administrators were able to edit 'dot_tool' and
'neato_tool' config options from the Manage Configuration Page

These can now only be set in the config_inc.php file.

Fixes 0026091, CVE-2019-15715

Signed-off-by: Damien Regad <>

Original commit message reworded, added CVE reference.
Affected Issues
mod - config_defaults_inc.php Diff File

MantisBT: master 5fb97960

2019-09-21 12:02:59


Details Diff
Escape GraphViz command before calling proc_open()

Fixes 0026091, CVE-2019-15715
Affected Issues
mod - core/graphviz_api.php Diff File