Rapid7 Vulnerability & Exploit Database

MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability

Back to Search

MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability



This module exploits a post-auth vulnerability found in MantisBT versions 1.2.0a3 up to 1.2.17 when the Import/Export plugin is installed. The vulnerable code exists on plugins/XmlImportExport/ImportXml.php, which receives user input through the "description" field and the "issuelink" attribute of an uploaded XML file and passes to preg_replace() function with the /e modifier. This allows a remote authenticated attacker to execute arbitrary PHP code on the remote machine. This version also suffers from another issue. The import page is not checking the correct user level of the user, so it's possible to exploit this issue with any user including the anonymous one if enabled.


  • Egidio Romano
  • Juan Escobar <eng.jescobar@gmail.com>
  • Christian Mehlmauer <FireFart@gmail.com>






Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/mantisbt_php_exec
msf exploit(mantisbt_php_exec) > show targets
msf exploit(mantisbt_php_exec) > set TARGET < target-id >
msf exploit(mantisbt_php_exec) > show options
    ...show and set options...
msf exploit(mantisbt_php_exec) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security