<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Credential-Phishing - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/credential-phishing/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 16:43:47 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/credential-phishing/feed.xml" rel="self" type="application/rss+xml"/><item><title>MantisBT SQL Injection via history_order Configuration Value</title><link>https://feed.craftedsignal.io/briefs/2026-07-mantisbt-sql-injection/</link><pubDate>Wed, 15 Jul 2026 16:43:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-mantisbt-sql-injection/</guid><description>MantisBT versions 2.28.3 and earlier are vulnerable to a SQL injection within the `history_order` configuration value in `core/history_api.php`, allowing an authenticated administrator to inject malicious SQL via the web UI or REST API, which then executes whenever any user views a bug with history entries, leading to sensitive data extraction and potential Remote Code Execution (RCE) via webshell if the MySQL FILE privilege is enabled.</description><content:encoded><![CDATA[<p>MantisBT versions 2.28.3 and earlier are affected by a high-severity SQL injection vulnerability, identified as CVE-2026-47142. This flaw exists in <code>core/history_api.php</code>, where the <code>history_order</code> configuration value is unsafely concatenated into a SQL <code>ORDER BY</code> clause without proper sanitization or parameterization. An authenticated administrator can exploit this by injecting malicious SQL when setting the <code>history_order</code> value via the web UI (<code>adm_config_set.php</code>) or the REST API (<code>PATCH /api/rest/config</code>). Once injected, the payload executes whenever any user views a bug that includes history entries. Successful exploitation can lead to sensitive data exfiltration from the bugtracker database, including user credentials and API tokens. If the underlying MySQL server has the <code>FILE</code> privilege enabled, this vulnerability can escalate to full Remote Code Execution (RCE) by writing a PHP webshell to the web root.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated administrator gains access to the MantisBT web UI or REST API.</li>
<li>The administrator navigates to the configuration settings or crafts a malicious REST API request to modify system parameters.</li>
<li>The administrator injects malicious SQL payload (e.g., for data exfiltration or <code>INTO OUTFILE</code> for webshell creation) into the <code>history_order</code> configuration value.</li>
<li>The MantisBT application stores this unsanitized malicious SQL string in its database as the <code>history_order</code> configuration value.</li>
<li>Any authenticated user subsequently views a bug within MantisBT that has history entries.</li>
<li>When displaying the bug history, the vulnerable <code>core/history_api.php</code> concatenates the stored malicious <code>history_order</code> value directly into a SQL <code>ORDER BY</code> clause.</li>
<li>The database executes the crafted SQL query, leading to actions such as sensitive data extraction (e.g., credentials, API tokens, private issue data) from the bugtracker database.</li>
<li>If the MySQL server has the <code>FILE</code> privilege, the injected SQL can write a PHP webshell to the web root, achieving Remote Code Execution for the attacker.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-47142 poses a critical risk to the confidentiality and integrity of MantisBT instances. Attackers can extract highly sensitive information, including all user credentials (e.g., <code>cookie_string</code>, password hashes), API tokens, and confidential issue data from the entire bugtracker database. Furthermore, if the underlying MySQL server is configured with the <code>FILE</code> privilege, the vulnerability can be leveraged to achieve full Remote Code Execution (RCE) on the server by writing a PHP webshell to the web root, giving attackers persistent access and control over the compromised system. While specific victim counts are not available, all MantisBT instances running versions 2.28.3 or earlier are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch MantisBT installations immediately to a version beyond 2.28.3, applying the fixes referenced in the GitHub advisory.</li>
<li>Deploy the provided Sigma rule to your SIEM to detect attempts at injecting <code>INTO OUTFILE</code> via the <code>history_order</code> configuration.</li>
<li>Review web server access logs for requests to <code>adm_config_set.php</code> or <code>PATCH /api/rest/config</code> containing suspicious SQL keywords, especially <code>INTO OUTFILE</code> within parameters.</li>
<li>Restrict the MySQL <code>FILE</code> privilege to mitigate the impact of SQL injection leading to RCE if not strictly necessary for application functionality.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>sql-injection</category><category>web-application</category><category>vulnerability</category><category>rce</category><category>mantisbt</category><category>xss</category><category>web-vulnerability</category><category>credential-phishing</category></item></channel></rss>