CVE-2010-4349 in MantisBT

Summary

by MITRE

admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to obtain sensitive information via an invalid db_type parameter, which reveals the installation path in an error message, related to an unsafe call by MantisBT to a function in the ADOdb Library for PHP.


Analysis

by VulDB Data Team • 09/21/2025

CVE-2010-4349 affects MantisBT versions prior to 1.2.4 and is a sensitive data exposure caused by improper error handling in the administrative upgrade process. The flaw sits in admin/upgrade_unattended.php: an invalid db_type parameter triggers an error message that reveals the installation path. This is a classic information disclosure pattern, where an error message carries system-specific details that should stay hidden from external parties. The root cause is the way MantisBT calls into the ADOdb Library for PHP: the call is unsafe because the parameter is neither validated nor sanitized before it is passed on. The weakness falls under CWE-200, which catalogs improper information exposure, and represents a fundamental breakdown of the principle of least privilege, since system internals are disclosed to unauthorized users. The implications go beyond the path itself, because that information can serve as a foundation for further attacks tailored to the specific system configuration.

Exploitation requires an attacker to send a malformed db_type parameter to the upgrade_unattended.php endpoint, which triggers an error condition inside the ADOdb library. The resulting error message contains the absolute path where MantisBT is installed, information that can aid subsequent exploitation attempts. The vulnerability operates at the application layer and can be classified under ATT&CK technique T1212, which involves exploiting information disclosure flaws to gather system information. The unsafe call pattern reflects poor input validation: the parameter type is not adequately verified before the value is handed to the database abstraction functions. Although the upgrade process is normally reserved for administrative users, any remote attacker who can reach the endpoint can trigger the disclosure, which makes the issue especially dangerous on publicly reachable installations. The error handling fails to sanitize user-supplied input, so raw system paths are rendered into error messages.

The operational impact goes beyond the immediate disclosure: the installation path is useful to an attacker planning privilege escalation or targeted attacks against the specific MantisBT deployment. Knowing the path lets an attacker map the system layout, identify other potentially vulnerable components, or craft more precise attacks against the application's file system. The path may also reveal the operating system and its file structure conventions, which helps in identifying further weaknesses. The vulnerability therefore weakens the security posture of affected installations and serves as a reconnaissance aid for more complex attack vectors. The impact is particularly severe because the upgrade process is a frequent target for attackers seeking elevated privileges or access to system resources. Organizations running vulnerable versions face an increased risk of compromise, especially when this flaw is combined with other vulnerabilities or misconfigurations in the surrounding environment.

The recommended mitigation is to upgrade to MantisBT 1.2.4 or later, which contains the patches for the improper error handling and the unsafe call into the ADOdb integration. Organizations should also enforce input validation and error handling that keep sensitive details out of error messages, and should review the application's error handling code to confirm that user-supplied input is sanitized and that errors never reveal system internals. Additional protective measures include a web application firewall that detects and blocks attempts to exploit this flaw, and monitoring for unusual access patterns against upgrade endpoints. The fix in 1.2.4 likely validates the db_type parameter before processing and adopts error handling that does not expose system paths. The case illustrates the importance of secure coding and proper error handling in web applications, particularly when integrating third-party libraries that carry their own security considerations. Regular security assessments help identify similar information disclosure issues, and comprehensive testing of error conditions, together with never exposing internal system details to external users, aligns with the principle of defense in depth and supports the overall security posture of web applications.
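As an added example, not part of the VulDB advisory or of MantisBT's own code: a small Python access-log scan that implements the monitoring suggested above, flagging every request that reaches the upgrade endpoint and highlighting any db_type value outside an allowlist. The endpoint path comes from the advisory; the driver allowlist, the log format and the log lines are constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2025:10:01:02 +0000] "GET /mantis/view_all_bug_page.php HTTP/1.1" 200 5123
203.0.113.7 - - [21/Sep/2025:10:02:15 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=mysqli HTTP/1.1" 200 412
203.0.113.7 - - [21/Sep/2025:10:02:16 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=notadriver HTTP/1.1" 200 980
198.51.100.9 - - [21/Sep/2025:10:03:40 +0000] "POST /mantis/admin/upgrade_unattended.php HTTP/1.1" 200 300
"""

# Assumed allowlist of driver names a MantisBT install would legitimately use
# (an assumption for this example, not taken from the advisory).
KNOWN_DB_TYPES = {"mysql", "mysqli", "pgsql", "mssql", "mssqlnative", "oci8", "db2"}

# Path named in the advisory as the affected endpoint.
UPGRADE_ENDPOINT = "/admin/upgrade_unattended.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return a finding string for a parsed entry, or None if it is not of interest."""
    url = urlparse(entry["target"])
    if not url.path.endswith(UPGRADE_ENDPOINT):
        return None
    # An unknown db_type is the exact shape of request the advisory describes.
    for value in parse_qs(url.query).get("db_type", []):
        if value not in KNOWN_DB_TYPES:
            return f"{entry['ip']} sent unknown db_type {value!r} to the upgrade endpoint"
    # Any reach of the upgrade endpoint is worth recording: it is normally admin-only.
    return f"{entry['ip']} reached the upgrade endpoint ({entry['method']})"

def scan(log_text):
    """Run classify() over every parsable line and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            finding = classify(entry)
            if finding:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```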
