CVE-2023-44394: 
PHP vulnerability analysis and mitigation

MantisBT, an open source bug tracker, was found to contain a vulnerability (CVE-2023-44394) that allows unauthorized users to reveal private Projects' names. The vulnerability exists due to insufficient access-level checks on the Wiki redirection page, where any user can access project names by accessing wiki.php with sequentially incremented IDs. This issue was discovered on September 30, 2023, and has been addressed in release 2.25.8 (Vendor Advisory).

The vulnerability stems from improper access control checks in the Wiki redirection functionality. When an integration between MantisBT and DokuWiki is active, users without project permissions can access the page /mantisbt/wiki.php?type=project&id= which triggers a 302 redirection to /dokuwiki/doku.php?id=mantis:. By incrementing the project ID parameter, which uses an auto-increment system, attackers can enumerate and discover project names. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (Vendor Advisory).

The vulnerability allows unauthorized users to discover and enumerate private project names, which could potentially expose sensitive information such as customer names of software suppliers. Through a simple brute force attack from 1 to 1000, it was possible to retrieve the entire list of projects/customers (MantisBT Issue).

The issue has been patched in MantisBT version 2.25.8 through commit 65c44883f. For users unable to upgrade immediately, a workaround is available by disabling wiki integration using the configuration setting $gwikienable = OFF (Vendor Advisory, GitHub Patch).