CVE-2017-7620
Description
MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI.
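The conflicting interpretation described above, as an added example that is not MantisBT code: `naive_is_local` stands in for a pre-fix sanitizer that accepts any reference without a scheme or `//` authority as a local path, `browser_resolve` models the WHATWG rule that browsers treat a backslash like a forward slash in http(s) URLs, and `encode_backslashes` applies the idea of the fix (backslash to `%5C` before the local/remote decision, which is what the `strtr` call in the string_api.php patch does). The base URL, the `evil.example` host and the sample `return` values are constructed; the `\/csrf-22702` vector is the one the patched StringTest uses.

```python
from urllib.parse import urljoin, urlsplit

BASE = "http://tracker.example/login_page.php"  # constructed, hypothetical host


def naive_is_local(ref: str) -> bool:
    """Server-side view of a pre-fix sanitizer (stand-in, not MantisBT's code):
    a reference with no scheme and no authority is taken to be a local path."""
    parts = urlsplit(ref)
    return parts.scheme == "" and parts.netloc == ""


def browser_resolve(base: str, ref: str) -> str:
    """Client-side view, modelled on the WHATWG URL parser: for http(s) URLs a
    backslash is treated exactly like a forward slash before resolution."""
    return urljoin(base, ref.replace("\\", "/"))


def encode_backslashes(ref: str) -> str:
    """The idea of the fix: make backslashes inert (percent-encoded) before the
    local/remote decision, so server and browser read the reference alike."""
    return ref.replace("\\", "%5C")


def check_redirect(ref: str, hardened: bool) -> dict:
    """Return what the server concludes about `ref` and where the browser
    would actually navigate, with or without the backslash encoding."""
    candidate = encode_backslashes(ref) if hardened else ref
    target = browser_resolve(BASE, candidate)
    return {
        "server_says_local": naive_is_local(candidate),
        "browser_host": urlsplit(target).netloc,
        "target": target,
    }


# Constructed sample `return=` values, plus the page's own test vector.
SAMPLES = ["my_view_page.php", "//evil.example/", "\\/evil.example/", "\\/csrf-22702"]

if __name__ == "__main__":
    for ref in SAMPLES:
        for hardened in (False, True):
            r = check_redirect(ref, hardened)
            label = "fixed " if hardened else "before"
            print(f"{label} {ref!r:20} local={r['server_says_local']!s:5} -> {r['target']}")
```

Before the fix, `\/evil.example/` passes the server's check (no scheme, no `//`) while the browser resolves it to `http://evil.example/`; after encoding, the same input resolves to a path under `tracker.example`, so the server's verdict and the browser's destination agree.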
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 1.3.11 | 1.3.11 |
| mantisbt/mantisbt (Packagist) | >= 2.0.0, < 2.3.3 | 2.3.3 |
| mantisbt/mantisbt (Packagist) | >= 2.4.0, < 2.4.1 | 2.4.1 |
Affected products
- cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:* (range: <= 1.3.10)
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.4.0:*:*:*:*:*:*:*
Patches
8b6787c8d321 Fix CSRF vulnerability in permalink_page.php
4 files changed · +12 −2
core/filter_api.php+4 −1 modified@@ -2451,8 +2451,11 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e filter_print_view_type_toggle( $t_url, $t_filter['_view_type'] ); if( access_has_project_level( config_get( 'create_permalink_threshold' ) ) ) { + # Add CSRF protection, see #22702 + $t_permalink_url = urlencode( filter_get_url( $t_filter ) ) + . form_security_param( 'permalink' ); echo '<li>'; - echo '<a href="permalink_page.php?url=' . urlencode( filter_get_url( $t_filter ) ) . '">'; + echo '<a href="permalink_page.php?url=' . $t_permalink_url . '">'; echo '<i class="ace-icon fa fa-link"></i>  ' . lang_get( 'create_filter_link' ); echo '</a>'; echo '</li>';
core/string_api.php+3 −1 modified@@ -275,7 +275,9 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) { } # Start extracting regex matches - $t_script = $t_matches['script']; + # Encode backslashes to prevent unwanted escaping of a leading '/' allowing + # redirection to external sites + $t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) ); $t_script_path = $t_matches['path']; # Clean/encode query params
permalink_page.php+4 −0 modified@@ -36,13 +36,16 @@ require_once( 'core.php' ); require_api( 'access_api.php' ); require_api( 'config_api.php' ); +require_api( 'form_api.php' ); require_api( 'gpc_api.php' ); require_api( 'html_api.php' ); require_api( 'lang_api.php' ); require_api( 'print_api.php' ); require_api( 'string_api.php' ); require_api( 'utility_api.php' ); +form_security_validate( 'permalink' ); + layout_page_header(); layout_page_begin(); @@ -75,4 +78,5 @@ ?> </div> <?php +form_security_purge( 'permalink' ); layout_page_end();
tests/Mantis/StringTest.php+1 −0 modified@@ -82,6 +82,7 @@ public function provider() { array( 'plugin.php?page=Source/list&id=1#abc', 'plugin.php?page=Source%2Flist&id=1#abc'), array( 'login_page.php?return=http://google.com/', 'index.php'), array( 'javascript:alert(1);', 'index.php'), + array( '\/csrf-22702', '%5C/csrf-22702' ), ); # @FIXME
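Review bot: in the core/string_api.php hunk the backslash encoding is applied only to `$t_matches['script']`, while `$t_script_path = $t_matches['path'];` still passes the path group through untouched; either confirm that the extraction regex cannot leave a leading backslash in the `path` group, or apply the same `strtr( ..., array( '\\' => '%5C' ) )` there so the fix does not depend on how the regex splits the input. The new StringTest case covers only `'\/csrf-22702'`; a second provider entry in the `login_page.php?return=` form (next to the existing `http://google.com/` case) would assert the open-redirect side of the report directly rather than only the permalink one.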
c4f50e5df6b1 Fix CSRF vulnerability in permalink_page.php
4 files changed · +12 −2
core/filter_api.php+3 −1 modified@@ -3615,7 +3615,9 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e if( access_has_project_level( config_get( 'create_permalink_threshold' ) ) ) { ?> <form method="get" action="permalink_page.php"> - <?php # CSRF protection not required here - form does not result in modifications ?> + <?php # Add CSRF protection, see #22702 + echo form_security_field( 'permalink' ); + ?> <input type="hidden" name="url" value="<?php echo urlencode( filter_get_url( $t_filter ) ) ?>" /> <input type="submit" name="reset_query_button" class="button-small" value="<?php echo lang_get( 'create_filter_link' ) ?>" /> </form>
core/string_api.php+3 −1 modified@@ -275,7 +275,9 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) { } # Start extracting regex matches - $t_script = $t_matches['script']; + # Encode backslashes to prevent unwanted escaping of a leading '/' allowing + # redirection to external sites + $t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) ); $t_script_path = $t_matches['path']; # Clean/encode query params
permalink_page.php+5 −0 modified@@ -36,15 +36,19 @@ require_once( 'core.php' ); require_api( 'access_api.php' ); require_api( 'config_api.php' ); +require_api( 'form_api.php' ); require_api( 'gpc_api.php' ); require_api( 'html_api.php' ); require_api( 'lang_api.php' ); require_api( 'print_api.php' ); require_api( 'string_api.php' ); require_api( 'utility_api.php' ); +form_security_validate( 'permalink' ); + html_page_top(); + access_ensure_project_level( config_get( 'create_permalink_threshold' ) ); $f_url = string_sanitize_url( gpc_get_string( 'url' ) ); @@ -64,4 +68,5 @@ ?> </div> <?php +form_security_purge( 'permalink' ); html_page_bottom();
tests/Mantis/StringTest.php+1 −0 modified@@ -82,6 +82,7 @@ public function provider() { array( 'plugin.php?page=Source/list&id=1#abc', 'plugin.php?page=Source%2Flist&id=1#abc'), array( 'login_page.php?return=http://google.com/', 'index.php'), array( 'javascript:alert(1);', 'index.php'), + array( '\/csrf-22702', '%5C/csrf-22702' ), ); # @FIXME
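Review bot: the core/filter_api.php hunk replaces the comment `# CSRF protection not required here - form does not result in modifications` with `# Add CSRF protection, see #22702`, but the new comment does not record why the old rationale was wrong; a one-line note that permalink_page.php renders an attacker-chosen `url` value and that the token binds the GET request to the current session would keep the reasoning from being reverted later. In permalink_page.php, `form_security_validate( 'permalink' )` now runs before `access_ensure_project_level( ... )` and `form_security_purge( 'permalink' )` runs at the bottom, which makes each token single-use; document that ordering, since a user who reloads the page after the purge will get a token error rather than the permalink.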
2d2309a384bc Fix CSRF vulnerability in permalink_page.php
4 files changed · +12 −2
core/filter_api.php+4 −1 modified@@ -2451,8 +2451,11 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e filter_print_view_type_toggle( $t_url, $t_filter['_view_type'] ); if( access_has_project_level( config_get( 'create_permalink_threshold' ) ) ) { + # Add CSRF protection, see #22702 + $t_permalink_url = urlencode( filter_get_url( $t_filter ) ) + . form_security_param( 'permalink' ); echo '<li>'; - echo '<a href="permalink_page.php?url=' . urlencode( filter_get_url( $t_filter ) ) . '">'; + echo '<a href="permalink_page.php?url=' . $t_permalink_url . '">'; echo '<i class="ace-icon fa fa-link"></i>  ' . lang_get( 'create_filter_link' ); echo '</a>'; echo '</li>';
core/string_api.php+3 −1 modified@@ -275,7 +275,9 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) { } # Start extracting regex matches - $t_script = $t_matches['script']; + # Encode backslashes to prevent unwanted escaping of a leading '/' allowing + # redirection to external sites + $t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) ); $t_script_path = $t_matches['path']; # Clean/encode query params
permalink_page.php+4 −0 modified@@ -36,13 +36,16 @@ require_once( 'core.php' ); require_api( 'access_api.php' ); require_api( 'config_api.php' ); +require_api( 'form_api.php' ); require_api( 'gpc_api.php' ); require_api( 'html_api.php' ); require_api( 'lang_api.php' ); require_api( 'print_api.php' ); require_api( 'string_api.php' ); require_api( 'utility_api.php' ); +form_security_validate( 'permalink' ); + layout_page_header(); layout_page_begin(); @@ -75,4 +78,5 @@ ?> </div> <?php +form_security_purge( 'permalink' ); layout_page_end();
tests/Mantis/StringTest.php+1 −0 modified@@ -82,6 +82,7 @@ public function provider() { array( 'plugin.php?page=Source/list&id=1#abc', 'plugin.php?page=Source%2Flist&id=1#abc'), array( 'login_page.php?return=http://google.com/', 'index.php'), array( 'javascript:alert(1);', 'index.php'), + array( '\/csrf-22702', '%5C/csrf-22702' ), ); # @FIXME
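Review bot: in the core/filter_api.php hunk, `form_security_param( 'permalink' )` is concatenated directly onto `urlencode( filter_get_url( $t_filter ) )`; the result is only a separate query parameter if `form_security_param()` returns a string that begins with `&`, so confirm that contract (or build the href with an explicit `'&'`), otherwise the token text becomes part of the `url` value and `form_security_validate( 'permalink' )` in permalink_page.php would never see it. The hunks here are otherwise identical to those in 8b6787c8d321 above, so the same string_api.php and StringTest remarks apply.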
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt (nvd: Exploit, Third Party Advisory, WEB)
- www.exploit-db.com/exploits/42043/ (nvd: Exploit, Third Party Advisory)
- github.com/advisories/GHSA-9x76-mp7r-2xc5 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-7620 (ghsa: ADVISORY)
- github.com/mantisbt/mantisbt/commit/2d2309a384bcd9d4b6d7d2928e8ded2c46d2d7b0 (ghsa: WEB)
- github.com/mantisbt/mantisbt/commit/8b6787c8d321ee0ced5fb74ac3f34b67b4b7b26c (ghsa: WEB)
- github.com/mantisbt/mantisbt/commit/c4f50e5df6b189abb1d717a5f7dbab5cbfef8165 (ghsa: WEB)
- mantisbt.org/bugs/view.php (nvd: Issue Tracking, WEB)
- www.exploit-db.com/exploits/42043 (ghsa: WEB)
- www.securitytracker.com/id/1038538 (nvd)