VYPR
Unrated severity · NVD Advisory · Published Jan 3, 2011 · Updated Apr 29, 2026

CVE-2010-4349

Description

MantisBT before 1.2.4 exposes the installation path via an error message in admin/upgrade_unattended.php when an invalid db_type parameter is provided.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The admin/upgrade_unattended.php script in MantisBT versions before 1.2.4 fails to properly handle an invalid db_type parameter. When an invalid value is passed, the script makes an unsafe call to a function in the ADOdb Library for PHP, resulting in a PHP error message that includes the full installation path. This path disclosure vulnerability affects all MantisBT installations prior to version 1.2.4 [1][2][4].

Exploitation

An attacker can trigger the vulnerability by sending a crafted HTTP request to the upgrade_unattended.php script with an invalid db_type parameter. No authentication is required, as the admin scripts are accessible without login in a default installation. The attacker simply needs to submit a request like admin/upgrade_unattended.php?db_type=invalid to generate an error message containing the server's filesystem path [1][2].

Impact

Successful exploitation allows a remote attacker to obtain the absolute filesystem path of the MantisBT installation. This information can aid in further attacks, such as local file inclusion or other exploits that require knowledge of the server's directory structure. The disclosure itself is limited to path information and does not directly lead to code execution or data compromise [1][3][4].

Mitigation

MantisBT version 1.2.4, released on 2010-12-14, fixes the issue by properly validating the db_type parameter and handling errors without revealing sensitive paths [2][4]. Users are strongly advised to upgrade to 1.2.4 or later. As a workaround, the admin directory should be deleted after installation, as recommended by the MantisBT project [2]. For users unable to upgrade, applying the patch from commit 2641fdc60d2032ae1586338d6416e1eadabd7590 resolves the issue on older versions [3][4].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Mantisbt/Mantisbt: 40 versions
    • cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:* (range: <=1.2.3)
    • cpe:2.3:a:mantisbt:mantisbt:0.18.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.0a1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.0a2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:0.19.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0a1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0a2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0a3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc4:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.0:rc5:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.2.2:*:*:*:*:*:*:*
    • (no CPE), range: <1.2.4

Patches

3
d67c4debcacf

Fix #12607: LFI/PD/XSS in upgrade_unattended.php

https://github.com/mantisbt/mantisbt · David Hicks · Dec 14, 2010 · Fixed in release-1.2.4 · via llm-release-walk
1 file changed · +15 -5
  • admin/upgrade_unattended.php · +15 -5 · modified
    @@ -32,6 +32,16 @@
     
     $g_failed = false;
     
    +/* This script is probably meant to be executed from PHP CLI and hence should
    + * not be interpreted as text/html. However saying that, we do call gpc_
    + * functions that only make sense in PHP CGI mode. Given this mismatch we'll
    + * just assume for now that this script is meant to be used from PHP CGI and
    + * the output is meant to be text/plain. We also need to prevent Internet
    + * Explorer from ignoring our MIME type and using it's own MIME sniffing.
    + */
    +header( 'Content-Type: text/plain;' );
    +header( 'X-Content-Type-Options: nosniff' );
    +
     /**
      * Print the result of an upgrade step.
      * 
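Review bot: The Content-Type value in the added `header( 'Content-Type: text/plain;' );` ends with a dangling semicolon and declares no charset; either drop the semicolon or send `text/plain; charset=utf-8` so the client does not have to guess the encoding of the echoed output. In the comment above it, "using it's own MIME sniffing" should read "its own". The comment also says the script is probably meant for PHP CLI while the code assumes CGI; stating which invocation is supported would save the next reader the same guess.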
    @@ -88,15 +98,15 @@ function print_test_result( $p_result, $p_hard_fail = true, $p_message = '' ) {
     $f_db_exists = gpc_get_bool( 'db_exists', false );
     
     # install the tables
    -$c_db_type = string_attribute( $f_db_type );
    -if ( !file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $c_db_type . '.inc.php' ) ) {
    -	echo "Invalid db type '$c_db_type'.";
    +if ( !preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type ) ||
    +     !file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $f_db_type . '.inc.php' ) ) {
    +	echo 'Invalid db type ' . htmlspecialchars( $f_db_type ) . '.';
     	exit;
     }
     
    -$GLOBALS['g_db_type'] = $c_db_type; # database_api references this
    +$GLOBALS['g_db_type'] = $f_db_type; # database_api references this
     require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'schema.php' );
    -$g_db = ADONewConnection( $c_db_type );
    +$g_db = ADONewConnection( $f_db_type );
     
     echo "\nPost 1.0 schema changes\n";
     echo "Connecting to database... ";
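Review bot: In the new `preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type )` check, `$` without the `D` modifier also matches just before a trailing newline, so a value such as `mysql` followed by a newline passes the pattern and is rejected only by the `file_exists()` test that follows. Anchoring with `\z` or adding the `D` modifier makes the pattern sufficient on its own. The failure branch still echoes the rejected value; since this commit switches the output to text/plain, a fixed message without the input would be simpler than `htmlspecialchars( $f_db_type )`.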
    
1efe5be6c7a5

Fix #12607: LFI/FD and XSS in the upgrade_unattended.php - part 2

https://github.com/mantisbt/mantisbt · Victor Boctor · Dec 14, 2010 · Fixed in release-1.2.4 · via llm-release-walk
1 file changed · +1 -1
  • admin/upgrade_unattended.php · +1 -1 · modified
    @@ -89,7 +89,7 @@ function print_test_result( $p_result, $p_hard_fail = true, $p_message = '' ) {
     
     # install the tables
     $c_db_type = string_attribute( $f_db_type );
    -if ( !file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $c_db_type . '.php' ) ) {
    +if ( !file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $c_db_type . '.inc.php' ) ) {
     	echo "Invalid db type '$c_db_type'.";
     	exit;
     }
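Review bot: The path handed to `file_exists()` now ends in `.inc.php`, but `$c_db_type` reaches that path after `string_attribute()` only, and nothing in this hunk restricts which characters it may contain. Validating the value against a strict pattern (letters, digits, underscore) before building the path would bound what the existence check can be asked about. The `echo "Invalid db type '$c_db_type'.";` line also returns the submitted value to the client, so a fixed message would be safer.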
    
c6295994a062

Fix #12607: LFI/FD and XSS in the upgrade_unattended.php

https://github.com/mantisbt/mantisbt · Victor Boctor · Dec 14, 2010 · Fixed in release-1.2.4 · via llm-release-walk
1 file changed · +8 -2
  • admin/upgrade_unattended.php · +8 -2 · modified
    @@ -88,9 +88,15 @@ function print_test_result( $p_result, $p_hard_fail = true, $p_message = '' ) {
     $f_db_exists = gpc_get_bool( 'db_exists', false );
     
     # install the tables
    -$GLOBALS['g_db_type'] = $f_db_type; # database_api references this
    +$c_db_type = string_attribute( $f_db_type );
    +if ( !file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $c_db_type . '.php' ) ) {
    +	echo "Invalid db type '$c_db_type'.";
    +	exit;
    +}
    +
    +$GLOBALS['g_db_type'] = $c_db_type; # database_api references this
     require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'schema.php' );
    -$g_db = ADONewConnection( $f_db_type );
    +$g_db = ADONewConnection( $c_db_type );
     
     echo "\nPost 1.0 schema changes\n";
     echo "Connecting to database... ";
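Review bot: The added existence check builds the driver file name as `'adodb-' . $c_db_type . '.php'`, while the part 2 commit on this page changes that suffix to `.inc.php`, which indicates this check fails for valid types too; it needs a test with a known-good `db_type`. Separately, `$c_db_type` is the result of `string_attribute()` and is then stored in `$GLOBALS['g_db_type']` and passed to `ADONewConnection()`, which mixes output escaping with input validation. Validate `$f_db_type` against a strict pattern first and escape only at the `echo`.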
    

Vulnerability mechanics

Root cause

"The admin/upgrade_unattended.php script did not properly validate the db_type parameter before using it in file path construction."

Attack vector

An unauthenticated remote attacker can send a crafted request to the `admin/upgrade_unattended.php` script with an invalid `db_type` parameter. This causes the script to attempt to include a non-existent ADOdb driver file. The failure to find the file results in an error message that reveals the full installation path of the MantisBT application [ref_id=4].

Affected code

The vulnerability exists in the `admin/upgrade_unattended.php` file. Specifically, the code responsible for checking the existence of ADOdb driver files and including them is affected. The original code directly uses the `db_type` parameter in a file path without sufficient sanitization [patch_id=4468708].

What the fix does

The patch modifies the `admin/upgrade_unattended.php` script to add input validation for the `db_type` parameter. It now uses a regular expression to ensure the `db_type` only contains alphanumeric characters and underscores, preventing directory traversal or other malicious inputs. This validation ensures that only legitimate ADOdb driver files can be referenced, thus closing the path disclosure vulnerability [patch_id=4468708].
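The two conditions the fix checks (allowed characters, then a driver that actually exists) can also be applied to web-server access logs to find past requests that would have reached the error path. This is an added example, not code from MantisBT or from this page; the log lines are constructed, and the `known_drivers` default is an assumption to replace with the driver names your installation ships.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Same character class the 1.2.4 fix enforces. fullmatch() also rejects a
# trailing newline, which a bare `$` anchor would let through.
SAFE_DB_TYPE = re.compile(r"[a-zA-Z0-9_]+")
SCRIPT = "/admin/upgrade_unattended.php"
# Prefix of the Apache/nginx "combined" format: client, time, request, status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Dec/2010:09:01:00 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=mysql HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Dec/2010:09:02:11 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=invalid HTTP/1.1" 200 230',
    '198.51.100.7 - - [14/Dec/2010:09:02:15 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=mysql%0A HTTP/1.1" 200 230',
    '203.0.113.5 - - [14/Dec/2010:09:03:40 +0000] "GET /mantis/view.php?id=1 HTTP/1.1" 200 4096',
]

def flag_requests(lines, known_drivers=frozenset({"mysql", "mysqli", "pgsql"})):
    """Return (client, status, db_type, reason) for requests worth triage.

    known_drivers is an assumed allowlist standing in for the fix's
    file_exists() test on library/adodb/drivers/adodb-<type>.inc.php.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        if not url.path.endswith(SCRIPT):
            continue
        # parse_qs percent-decodes, so encoded separators and newlines surface.
        for value in parse_qs(url.query, keep_blank_values=True).get("db_type", []):
            if not SAFE_DB_TYPE.fullmatch(value):
                reason = "illegal characters"
            elif value not in known_drivers:
                reason = "unknown driver"
            else:
                continue
            findings.append((m["client"], int(m["status"]), value, reason))
    return findings
```

An access log records only the request line, so a `db_type` sent in a POST body will not appear here. Any non-404 response for this script also shows that the admin directory is still deployed.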

Preconditions

  • network: The MantisBT application must be accessible over the network.
  • input: The attacker must be able to send a request with a manipulated `db_type` parameter.

Reproduction

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

14
