<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Class-Hoisting - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/class-hoisting/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 16:53:52 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/class-hoisting/feed.xml" rel="self" type="application/rss+xml"/><item><title>MantisBT Remote Code Execution via Class Hoisting (CVE-2026-49273)</title><link>https://feed.craftedsignal.io/briefs/2026-07-mantisbt-rce/</link><pubDate>Wed, 15 Jul 2026 16:53:52 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-mantisbt-rce/</guid><description>A high-severity remote code execution vulnerability, CVE-2026-49273, affects MantisBT versions 2.28.3 and earlier, allowing an authenticated administrator to achieve arbitrary code execution as the web server user by leveraging PHP's class hoisting during the processing of non-string configuration values in `adm_config_set.php`.</description><content:encoded><![CDATA[<p>A critical remote code execution vulnerability, tracked as CVE-2026-49273, has been discovered in MantisBT versions 2.28.3 and earlier. This flaw exists within the &quot;Manage Configuration&quot; feature (accessible via <code>adm_config_set.php</code>) which is part of the administrative web UI. The vulnerability arises when an authenticated administrator attempts to set a configuration value of a non-string type (such as an integer or float). Although the application uses <code>eval()</code> with a <code>return;</code> prefix to prevent immediate code execution, PHP's compile-time behavior of hoisting class and function declarations bypasses this safeguard. An attacker can craft a malicious input that defines a class, which is then hoisted and can hijack a legitimate class loaded later by PHP's autoloader, leading to arbitrary code execution as the web server user. This vulnerability specifically requires administrator access to the web UI; the REST API and its <code>ConfigsSetCommand</code> are not affected.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker obtains valid administrator credentials for the MantisBT web UI, typically through phishing, credential stuffing, or other means.</li>
<li><strong>Access Configuration Interface</strong>: The attacker logs into the MantisBT web UI and navigates to the &quot;Manage Configuration&quot; page (<code>adm_config_set.php</code>).</li>
<li><strong>Craft Malicious Payload</strong>: The attacker prepares a PHP code payload that defines a malicious class, designed to exploit PHP's class hoisting mechanism.</li>
<li><strong>Inject Payload</strong>: The attacker submits a POST request to <code>adm_config_set.php</code>, setting a configuration value to the malicious PHP class definition, ensuring it is treated as a non-string type.</li>
<li><strong>Server-Side Processing</strong>: MantisBT's <code>ConfigParser -&gt; Tokenizer</code> component processes the input, calling <code>eval()</code> on the provided configuration value.</li>
<li><strong>Class Hoisting Bypass</strong>: Despite the <code>return;</code> prefix in the <code>eval()</code> call, PHP hoists the attacker-defined class at compile time.</li>
<li><strong>Class Hijacking and Execution</strong>: The hoisted malicious class can then hijack a legitimate class that MantisBT subsequently attempts to load via its autoloader. This allows the attacker to execute arbitrary PHP code as the underlying web server user (e.g., <code>www-data</code>).</li>
<li><strong>Post-Exploitation</strong>: The attacker gains full control over the MantisBT installation, potentially leading to data exfiltration, defacement, or further lateral movement within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-49273 results in remote code execution as the web server user, which typically has privileges to read, write, and execute files within the web root and associated directories. This could lead to a complete compromise of the MantisBT application, including unauthorized access to project data, user credentials, and sensitive bug reports. Attackers could also use this access as a foothold to compromise the underlying server or other systems within the network. While the vulnerability requires authenticated administrator access, the impact is severe due to the potential for full system compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-49273</strong>: Immediately update all MantisBT installations to version 2.28.4 or later by applying the patch from <code>https://github.com/mantisbt/mantisbt/commit/78c0af63d1fe0118004744cab21ca3bf2cea0f5c</code> to mitigate CVE-2026-49273.</li>
<li><strong>Monitor Web Server Logs</strong>: Deploy the provided Sigma rule to detect suspicious POST requests to <code>adm_config_set.php</code> containing PHP class or function definitions. Ensure web server logs capture <code>cs-uri-stem</code> and <code>cs-uri-query</code> for <code>webserver</code> log sources.</li>
<li><strong>Review Administrator Activity</strong>: Regularly audit logs for <code>adm_config_set.php</code> to identify unusual configuration changes, especially from unexpected IP addresses or at unusual times.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>remote-code-execution</category><category>web-application</category><category>php</category><category>class-hoisting</category><category>mantisbt</category><category>xss</category><category>web-vulnerability</category></item></channel></rss>