CVE-2024-23830: 
PHP vulnerability analysis and mitigation

MantisBT, an open source issue tracker, was found to contain a host header injection vulnerability (CVE-2024-23830) affecting versions prior to 2.26.1. The vulnerability was discovered in February 2024 and allows an unauthenticated attacker who knows a user's email address and username to hijack the user's account by poisoning the link in the password reset notification message (GitHub Advisory).

The vulnerability stems from MantisBT's default mechanism to determine the server path using client-provided HTTP headers. When $g_path is not explicitly defined in config_inc.php, the system builds the path based on headers from the HTTP request, making it susceptible to Host Header injection attacks. An attacker can manipulate the Host header during a password reset request to point to a malicious domain, causing the reset link in the email notification to direct users to the attacker's server. The vulnerability has been assigned a CVSS v3.1 base score of 8.3 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L (NVD).

If successfully exploited, this vulnerability allows attackers to hijack user accounts by intercepting password reset verification hashes when victims click on manipulated password reset links. This could lead to unauthorized access to user accounts and potential exposure of sensitive information (GitHub Advisory).

The vulnerability has been patched in MantisBT version 2.26.1. As a workaround for affected versions, administrators should define $g_path explicitly in config_inc.php. The patch includes improvements to the installation process where administrators can set $g_path during installation, with a default value provided based on the installation URL (GitHub Advisory).