CVE-2002-1114 in Mantis

Summary

by MITRE

config_inc2.php in Mantis before 0.17.4 allows remote attackers to execute arbitrary code or read arbitrary files via the parameters (1) g_bottom_include_page, (2) g_top_include_page, (3) g_css_include_file, (4) g_meta_include_file, or (5) a cookie.


Analysis

by VulDB Data Team • 09/08/2025

The vulnerability described in CVE-2002-1114 affects Mantis bug tracking software versions prior to 0.17.4 and represents a critical remote code execution flaw stemming from improper input validation in the config_inc2.php configuration file. This vulnerability exposes multiple parameters that can be manipulated by remote attackers to achieve unauthorized code execution or file disclosure. The affected parameters include g_bottom_include_page, g_top_include_page, g_css_include_file, g_meta_include_file, and cookie values, all of which are processed without adequate sanitization or validation. The flaw allows attackers to inject malicious code or specify arbitrary file paths that can be included or executed within the application context, potentially leading to complete system compromise.

The technical nature of this vulnerability aligns with CWE-94, which describes "Improper Control of Generation of Code ('Code Injection')", and CWE-22, which addresses "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')". The vulnerability operates through a classic code injection vector where user-controllable input is directly incorporated into include statements without proper validation. When the application processes these parameters, it executes the specified code or includes the targeted files, creating an opportunity for attackers to execute arbitrary commands on the server or retrieve sensitive information from the file system. The cookie parameter adds an additional attack surface since cookies are typically used to maintain session state and can be manipulated to inject malicious content that gets processed during application execution.

The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with the capability to escalate privileges and access sensitive system resources. Attackers can leverage this vulnerability to read configuration files, database credentials, or other sensitive information stored on the server. The vulnerability affects the core functionality of the Mantis application by allowing unauthorized access to the underlying system, potentially enabling attackers to establish persistent access, modify application behavior, or exfiltrate data. The remote nature of the exploit means that attackers do not require physical access to the system, making it particularly dangerous for internet-facing applications. Organizations using vulnerable versions of Mantis face significant risk of data breaches, system compromise, and potential regulatory compliance violations.

Mitigation strategies for this vulnerability include immediate patching of the Mantis application to version 0.17.4 or later, which addresses the input validation issues in the config_inc2.php file. Administrators should implement proper input sanitization and validation for all user-controllable parameters, particularly those related to file inclusion operations. The implementation of a web application firewall can provide additional protection by filtering malicious requests before they reach the vulnerable application. Network segmentation and access controls should be enforced to limit exposure of the application to untrusted networks. Security monitoring should be enhanced to detect anomalous patterns in file access requests or cookie manipulation attempts. Additionally, organizations should conduct regular security assessments and vulnerability scans to identify similar issues in other applications and ensure that proper security practices are followed in application development. The vulnerability highlights the importance of input validation and secure coding practices, particularly when dealing with dynamic file inclusion operations, as specified in the OWASP Top Ten and MITRE ATT&CK framework's techniques for code injection and privilege escalation.
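The monitoring recommendation above can be made concrete with a log check. The following is an added example, not code from VulDB or the Mantis project: it scans web server access logs for requests whose query string supplies any of the four include parameters named in the summary. It assumes common/combined log format and that legitimate clients never send these parameters; cookie and POST-body values are not visible in such logs and are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the CVE summary on this page.
SUSPECT_PARAMS = {
    "g_bottom_include_page",
    "g_top_include_page",
    "g_css_include_file",
    "g_meta_include_file",
}

# Client, method, request target and status from a common/combined log
# format entry (the log format is an assumption of this example).
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})'
)

def find_suspect_requests(lines):
    """Return (client, path, status, matched parameter names) per hit."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed log entries
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        # parse_qs percent-decodes keys, so an encoded parameter name
        # (e.g. g%5Ftop_include_page) is still matched.
        supplied = set(parse_qs(url.query, keep_blank_values=True))
        matched = sorted(supplied & SUSPECT_PARAMS)
        if matched:
            # Flag on any path; the path is reported so an analyst can
            # see whether config_inc2.php was requested directly.
            hits.append((client, url.path, int(status), matched))
    return hits

# Constructed sample entries (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Sep/2025:10:00:01 +0000] "GET /mantis/view_all_bug_page.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Sep/2025:10:00:05 +0000] "GET /mantis/config_inc2.php?g_top_include_page=PLACEHOLDER HTTP/1.1" 200 312',
    '198.51.100.7 - - [08/Sep/2025:10:00:06 +0000] "GET /mantis/login_page.php?g%5Fcss_include_file=PLACEHOLDER&x=1 HTTP/1.1" 200 900',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

Any hit against a version before 0.17.4 warrants review of what the server returned for that request and of subsequent activity from the same client.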
