Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Advisory: Unfuddle.com - Open Redirection

From: LIAD Mizrachi <liadmz () gmail com>
Date: Fri, 16 Aug 2013 17:16:57 +0300
Advisory: Unfuddle.com - Open Redirection
Author: Liad Mizrachi
Vendor URL: http://unfuddle.com
Status: Fixed



==========================
Vulnerability Description
==========================

Unfuddle offers secure, hosted software project management environment.
When unauthenticated user tries to access a resource on he’s site directly,
he will be redirected to a login page with the reference parameter set to
the resource location.

For Example:
Accessing: https://userSub.unfuddle.com/a%23/projects/1/<https://usersub.unfuddle.com/a%23/projects/1/>
Will redirects to user to:
https://userSub.unfuddle.com/a#/session/new?reference=https%3A//mom3nt0.unfuddle.com/a%23/projects/1/<https://usersub.unfuddle.com/a#/session/new?reference=https%3A//mom3nt0.unfuddle.com/a%23/projects/1/>

The redirection is not strictly to internal resources, but can also be used
to redirect users to external site
https://userSub.unfuddle.com/a#/session/new?reference=http://evil.com/<https://usersub.unfuddle.com/a#/session/new?reference=http://evil.com/>
will redirect the user to http://evil.com after entering the correct
credentials in the login page.



==========================
Solution
==========================

Fixed by vendor


==========================
Disclosure Timeline
==========================

14-July-2013 - vendor informed
16-June-2013 - fixed


==========================
References
==========================

http://unfuddle.com
https://vimeo.com/72202542

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: