A report was submitted to the Mantis team this week describing a vulnerability in the PHPMailer class. This class is used by Mantis to send notification emails for issue updates.
The exploit takes advantage of a hole in how PHP implements the internal interface to the sendmail MTA. The setting for the sender address can be used to gain access to system resources. This exploit is described in http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/ and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215 .
After reviewing the Mantis code, we determined that this vulnerability does not affect the operation of the tool. We read the sender address from configuration data. To use this exploit, someone would require administrator-level access and/or direct access to the database. The probability of exploitation is very low. A small patch will be added in the next release to prevent the problem completely.
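
As an added illustration (not the Mantis patch and not PHPMailer's code), the sketch below shows one way to make a configured sender address safe before it reaches a sendmail command line. The function names, the sendmail path and the sample addresses are assumptions constructed for this example.

```php
<?php
// Added example: hypothetical helpers, not code from Mantis or PHPMailer.

/**
 * Accept only a conservative subset of address syntax. RFC 5322 permits
 * characters such as ` | $ & in the local part; those are also shell
 * metacharacters, so standards-level validity is not sufficient here.
 */
function is_safe_sender(string $address): bool
{
    if (strlen($address) > 254) {
        return false;
    }
    // \A and \z anchor the whole string; "$" would tolerate a trailing newline.
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}\z/';
    return preg_match($pattern, $address) === 1;
}

/**
 * Build the sendmail invocation with the sender passed as one quoted argument.
 * Validation and quoting are both applied: either one alone leaves a gap if
 * the other is later loosened.
 */
function build_sendmail_command(string $sendmailPath, string $sender): string
{
    if (!is_safe_sender($sender)) {
        throw new InvalidArgumentException('Rejected sender address');
    }
    return sprintf('%s -oi -f %s -t', escapeshellcmd($sendmailPath), escapeshellarg($sender));
}

// Constructed sample values, standing in for a sender read from configuration.
$samples = [
    'noreply@example.com',                // accepted
    'noreply@example.com; echo injected', // rejected: space and ";"
    "noreply@example.com\n",              // rejected: trailing newline
    '`id`@example.com',                   // rejected: backticks in local part
];

foreach ($samples as $sender) {
    try {
        echo build_sendmail_command('/usr/sbin/sendmail', $sender), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", json_encode($sender));
    }
}
```

Running the check where the configuration value is saved, as well as where the command is built, also covers the case described above in which the value is changed directly in the database.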