oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2014-6316: URL redirection issue in MantisBT

From: Damien Regad <dregad () mantisbt org>
Date: Sat, 10 Jan 2015 23:52:54 +0100
During follow-up tests he performed on the fix for CVE-2014-6316 (which was released in MantisBT 1.2.18), Alejo Popovici noticed [1] that the earlier fix was only partial.
With certain browsers (FF 34, Chrome 39 but not IE11) it is still possible to effect a cross-domain redirection using a redirect address having a single slash, e.g. 

- http://example.com/mantis/login_page.php?return=https:/google.com or
- https://example.com/mantis/login_page.php?return=http:/google.com
This is essentially the same vulnerability that was described in CVE-2014-6316, but due to a different root cause (for which a patch will be issued soon).
I would like to know if I should be using the same CVE ID, or if a new one needs to be issued. 

Thanks in advance.

Damien Regad
MantisBT Developer


[1] https://www.mantisbt.org/bugs/view.php?id=17997

On 2014-12-04 00:13, Damien Regad wrote:

Greetings,

Please update CVE-2014-6316 with the information below


Description:

A bug in the URL sanitization routine allows an attacker to craft an URL
that can redirect outside of the MantisBT instance's domain when the
software is installed at the web server's root.

e.g. http://example.com/login_page.php?return=http://google.com will
redirect to Google.

Affected versions:
=> 1.2.0a3, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [1]

Credit:

Redirection in login_page.php was first reported [3] by Mathias Karlsson
(http://mathiaskarlsson.me) as part of Offensive Security's bug bounty
program [4]; issue was also independently discovered and reported by
Ryan Giobbi who made the original CVE request [2], Shahee Mirza [5] and
Alejo Popovici [6].

Paul Richards also found another redirection issue in
permalink_page.php, which turned out to have the same root cause.

The issue was fixed by Damien Regad (MantisBT Developer).

References:
Further details available in our issue tracker [2]


[1] http://github.com/mantisbt/mantisbt/commit/e66ecc9f
[2] https://www.mantisbt.org/bugs/view.php?id=17648
[3] https://www.mantisbt.org/bugs/view.php?id=17362
[4] http://www.offensive-security.com/bug-bounty-program/
[5] https://www.mantisbt.org/bugs/view.php?id=17698
[6] https://www.mantisbt.org/bugs/view.php?id=17811
Previous By Date Next
Previous By Thread Next

Current thread: