oss-sec mailing list archives

CVE-2015-1042: URL redirection issue in MantisBT


From: Damien Regad <dregad () mantisbt org>
Date: Sat, 17 Jan 2015 00:44:08 +0100

Greetings,

Please update CVE-2015-1042 with the information below


Description:

A bug in the URL sanitization routine allows an attacker to craft a URL that can redirect outside of the MantisBT instance's domain.

This is related to CVE-2014-6316 [1], and the same API function is affected by the same vulnerability, but the root cause is different.

Both examples below will redirect to Google:
- On a server with http connection:
http://www.example.com/mantis-directory/login_page.php?return=https:/www.google.com
- On a server with https connection:
https://www.example.com/mantis-directory/login_page.php?return=http:/www.google.com


Affected versions:
- >= 1.2.0a3, <= 1.2.18
- 1.3.0-beta.1

Fixed in versions:
- 1.2.19 (not yet released)
- 1.3.0-beta.2 (not yet released)

Patch:
See GitHub [2]

Credit:
The issue was discovered by Alejo Popovici [3] and fixed by Damien Regad (MantisBT Developer).

References:
Further details available in our issue tracker [3]


[1] http://article.gmane.org/gmane.comp.security.oss.general/15384
[2] http://github.com/mantisbt/mantisbt/commit/d95f070d (1.2.x)
    http://github.com/mantisbt/mantisbt/commit/e7e2b550 (1.3.x)
[3] https://www.mantisbt.org/bugs/view.php?id=17997
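
Added example, not part of the original message and not MantisBT's code or its fix: a redirect-target check that resolves the `return` value against the current page under WHATWG URL rules (implemented by Node's `URL` class and followed by browsers) and compares origins. Under those rules a single-slash value such as `https:/www.google.com` becomes an absolute off-site URL when its scheme differs from the page's scheme, which matches the http/https pairing of the two examples above. The function names, the naive check, the `index.php` fallback and the `view.php?id=1` sample are assumptions made for illustration.

```javascript
// Added illustration; not MantisBT code. All function names are hypothetical.

// Hypothetical naive check: anything that does not start with "scheme://"
// is assumed to be a relative, on-site path.
function naiveIsLocal(returnParam) {
  return !/^[a-z][a-z0-9+.-]*:\/\//i.test(returnParam);
}

// Stricter check: resolve the value against the current page URL using
// WHATWG URL parsing, then require the result to share the page's origin.
function resolvesOnSite(returnParam, pageUrl) {
  const base = new URL(pageUrl);
  let target;
  try {
    target = new URL(returnParam, base);
  } catch {
    return false; // unparsable value: refuse to redirect
  }
  return target.origin === base.origin;
}

// Return the requested target if it stays on the instance, else a fallback.
function safeReturn(returnParam, pageUrl, fallback = "index.php") {
  return resolvesOnSite(returnParam, pageUrl) ? returnParam : fallback;
}

// Constructed sample input: the two page/return pairs from the advisory,
// plus one ordinary relative target.
const httpPage = "http://www.example.com/mantis-directory/login_page.php";
const httpsPage = "https://www.example.com/mantis-directory/login_page.php";
const samples = [
  [httpPage, "https:/www.google.com"],
  [httpsPage, "http:/www.google.com"],
  [httpPage, "view.php?id=1"],
];

for (const [page, ret] of samples) {
  console.log(
    `${ret} | naive says local: ${naiveIsLocal(ret)}` +
    ` | resolves to: ${new URL(ret, page).href}` +
    ` | redirect to: ${safeReturn(ret, page)}`
  );
}
```

When the value's scheme equals the page's scheme, the same parser treats `http:/www.google.com` as a path on the current host, so the check has to be made against the scheme the instance is actually served on.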
