CVE-2002-1113 in Mantis
Summary
by MITRE
summary_graph_functions.php in Mantis 0.17.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the g_jpgraph_path parameter to reference the location of the PHP code.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 09/08/2025
The vulnerability identified as CVE-2002-1113 affects Mantis version 0.17.3 and earlier, specifically within the summary_graph_functions.php script. This represents a classic remote code execution flaw that arises from improper input validation and insecure parameter handling. The vulnerability occurs when an attacker manipulates the g_jpgraph_path parameter, which is designed to specify the location of the PHP code for graph generation functionality. The flaw stems from the application's failure to properly sanitize or validate user-supplied input before incorporating it into the execution path.
This vulnerability maps directly to CWE-94, which describes "Improper Control of Generation of Code ('Code Injection')" and aligns with ATT&CK technique T1190, "Exploit Public-Facing Application." The security issue manifests because the application treats the g_jpgraph_path parameter as a trusted input source without adequate validation or sanitization. When an attacker supplies a malicious value to this parameter, the application incorporates this unvalidated input into the PHP execution context, allowing arbitrary PHP code to be executed on the server. The vulnerability exists at the intersection of input validation failure and code execution, creating a pathway for attackers to gain unauthorized control over the affected system.
The operational impact of this vulnerability is severe and multifaceted. An attacker who successfully exploits this flaw can execute arbitrary commands on the web server with the privileges of the web application user. This typically translates to full system compromise, data exfiltration, and potential lateral movement within the network. The vulnerability affects the confidentiality, integrity, and availability of the affected system, as attackers can modify or delete data, install backdoors, and potentially use the compromised system as a pivot point for attacking other systems. The remote nature of the attack means that exploitation can occur from anywhere on the internet without requiring local access to the system, making it particularly dangerous for publicly accessible web applications.
Mitigation strategies for CVE-2002-1113 must address both the immediate vulnerability and broader security practices. The most effective immediate fix involves upgrading to a patched version of Mantis, as this vulnerability was resolved in later releases through proper input validation and parameter sanitization. Organizations should also implement input validation mechanisms that reject or sanitize any user-supplied input before it is processed by the application. Additional protective measures include restricting file inclusion paths to predefined safe locations, implementing proper access controls, and conducting regular security assessments of web applications. Network-level protections such as web application firewalls can help detect and block exploitation attempts. The vulnerability highlights the critical importance of secure coding practices and input validation, particularly for parameters that influence file inclusion or code execution paths, as outlined in secure coding guidelines and security frameworks such as those recommended by the Open Web Application Security Project.