oss-sec mailing list archives
Re: CVE-2014-6316: URL redirection issue in MantisBT
From: Damien Regad <dregad () mantisbt org>
Date: Sat, 10 Jan 2015 23:52:54 +0100
During follow-up tests he performed on the fix for CVE-2014-6316 (which was released in MantisBT 1.2.18), Alejo Popovici noticed [1] that the earlier fix was only partial.
With certain browsers (FF 34, Chrome 39 but not IE11) it is still possible to effect a cross-domain redirection using a redirect address having a single slash, e.g.
- http://example.com/mantis/login_page.php?return=https:/google.com or - https://example.com/mantis/login_page.php?return=http:/google.comThis is essentially the same vulnerability that was described in CVE-2014-6316, but due to a different root cause (for which a patch will be issued soon).
I would like to know if I should be using the same CVE ID, or if a new one needs to be issued.
Thanks in advance. Damien Regad MantisBT Developer [1] https://www.mantisbt.org/bugs/view.php?id=17997 On 2014-12-04 00:13, Damien Regad wrote:
Greetings, Please update CVE-2014-6316 with the information below Description: A bug in the URL sanitization routine allows an attacker to craft an URL that can redirect outside of the MantisBT instance's domain when the software is installed at the web server's root. e.g. http://example.com/login_page.php?return=http://google.com will redirect to Google. Affected versions: => 1.2.0a3, <= 1.2.17 Fixed in versions: 1.2.18 (not yet released) Patch: See Github [1] Credit: Redirection in login_page.php was first reported [3] by Mathias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [4]; issue was also independently discovered and reported by Ryan Giobbi who made the original CVE request [2], Shahee Mirza [5] and Alejo Popovici [6]. Paul Richards also found another redirection issue in permalink_page.php, which turned out to have the same root cause. The issue was fixed by Damien Regad (MantisBT Developer). References: Further details available in our issue tracker [2] [1] http://github.com/mantisbt/mantisbt/commit/e66ecc9f [2] https://www.mantisbt.org/bugs/view.php?id=17648 [3] https://www.mantisbt.org/bugs/view.php?id=17362 [4] http://www.offensive-security.com/bug-bounty-program/ [5] https://www.mantisbt.org/bugs/view.php?id=17698 [6] https://www.mantisbt.org/bugs/view.php?id=17811
Current thread:
- Re: CVE-2014-6316: URL redirection issue in MantisBT Damien Regad (Jan 10)
- Re: Re: CVE-2014-6316: URL redirection issue in MantisBT cve-assign (Jan 11)
- <Possible follow-ups>
- Re: CVE-2014-6316: URL redirection issue in MantisBT Damien Regad (Mar 14)