oss-sec mailing list archives
CVE-2015-1042: URL redirection issue in MantisBT
From: Damien Regad <dregad () mantisbt org>
Date: Sat, 17 Jan 2015 00:44:08 +0100
Greetings,

Please update CVE-2015-1042 with the information below.

Description:
A bug in the URL sanitization routine allows an attacker to craft a URL that can redirect outside of the MantisBT instance's domain.

This is related to CVE-2014-6316 [1], and the same API function is affected by the same vulnerability, but the root cause is different.

Both examples below will redirect to Google:
- On a server with http connection:
  http://www.example.com/mantis-directory/login_page.php?return=https:/www.google.com
- On a server with https connection:
  https://www.example.com/mantis-directory/login_page.php?return=http:/www.google.com

Affected versions:
- >= 1.2.0a3, <= 1.2.18
- 1.3.0-beta.1

Fixed in versions:
- 1.2.19 (not yet released)
- 1.3.0-beta.2 (not yet released)

Patch:
See GitHub [2]

Credit:
The issue was discovered by Alejo Popovici [3] and fixed by Damien Regad (MantisBT Developer).

References:
Further details available in our issue tracker [3]

[1] http://article.gmane.org/gmane.comp.security.oss.general/15384
[2] http://github.com/mantisbt/mantisbt/commit/d95f070d (1.2.x)
    http://github.com/mantisbt/mantisbt/commit/e7e2b550 (1.3.x)
[3] https://www.mantisbt.org/bugs/view.php?id=17997
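
How a WHATWG-conformant URL parser, the kind browsers use, resolves the two `return` values above, with a same-origin check built on that resolution. This is an added example, not part of the original message and not MantisBT's code or patch; the function names `resolveReturn` and `isSafeReturn` are hypothetical, and the base URLs reuse the advisory's example.com instance.

```javascript
// Added example, not MantisBT code. Function names are hypothetical.

// Resolve a "return" value the way a WHATWG-conformant client resolves a
// redirect target: relative to the page that issued the redirect.
function resolveReturn(value, pageUrl) {
  try {
    return new URL(value, pageUrl);
  } catch (e) {
    return null; // unparseable input is never a valid target
  }
}

// Accept the value only if, after resolution, it stays on the same origin
// (scheme + host + port) and under the instance's own directory.
function isSafeReturn(value, pageUrl, instancePath) {
  const target = resolveReturn(value, pageUrl);
  if (target === null) return false;
  const page = new URL(pageUrl);
  return target.origin === page.origin &&
         target.pathname.startsWith(instancePath);
}

// Base URLs taken from the advisory's examples.
const HTTP_PAGE = 'http://www.example.com/mantis-directory/login_page.php';
const HTTPS_PAGE = 'https://www.example.com/mantis-directory/login_page.php';
const INSTANCE_PATH = '/mantis-directory/';

// First two values are the advisory's; the last two are constructed
// local targets used to show that legitimate redirects still pass.
const samples = [
  [HTTP_PAGE, 'https:/www.google.com'],
  [HTTPS_PAGE, 'http:/www.google.com'],
  [HTTP_PAGE, 'my_view_page.php'],
  [HTTPS_PAGE, '/mantis-directory/view.php?id=1'],
];

for (const [page, value] of samples) {
  const target = resolveReturn(value, page);
  const verdict = isSafeReturn(value, page, INSTANCE_PATH) ? 'allow' : 'reject';
  console.log(`${value} -> ${target && target.href} : ${verdict}`);
}
```

The single-slash values resolve to an absolute URL on another host, so a check that only looks for a leading `scheme://` in the raw string sees nothing to reject; comparing the resolved origin does.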