oss-sec mailing list archives
Re: CVE Request: graphite-web: open redirect
From: cve-assign () mitre org
Date: Wed, 17 Feb 2016 19:22:53 -0500 (EST)
> https://github.com/graphite-project/graphite-web/issues/1441
> two OpenRedirects in /webapp/graphite/account/views.py
> Proof of Concept:
> http://graphiteSite/account/logout?nextPage=https://www.google.com
Is there a response from the author of the code indicating that this is a vulnerability? Open redirects to http/https are not universally considered vulnerabilities for all vendors and products, e.g., https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect is probably the most well-known counterargument.
> http://graphiteSite/account/update POST: nextPage=https://www.google.com
What is the threat model for this open redirect issue that requires a POST request? Often, an attacker's ability to make a client submit a POST request with an attacker-controlled parameter means that the client is executing JavaScript code from an attacker-controlled site, and in that case the JavaScript can send the browser to an arbitrary http/https URL without any realistic ability of the client user to predict that that might occur. Is there a way in which the existence of http://graphiteSite/account/update helps the attacker to accomplish the redirect?
> Also, inside the logout and update functions, the session should be checked.
What vulnerability are you reporting here? Are /account/logout and /account/update vulnerable to CSRF?
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
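Added example, not part of the message above and not graphite-web's code or its fix: one way a view could validate a `nextPage` value like the ones in the quoted proof of concept before redirecting, using only the Python standard library. The function names, the allowed-host set and the `/` fallback are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def is_safe_next_page(target, allowed_hosts):
    """True if target is a local absolute path or an http(s) URL on an allowed host."""
    if not isinstance(target, str) or not target.strip():
        return False
    target = target.strip()
    # Browsers treat "\" like "/" and drop control characters, so values such
    # as "/\host" can end up as the scheme-relative URL "//host".
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, ...
    if parts.scheme and not parts.netloc:
        return False  # "https:host" is still resolved by browsers
    if not parts.netloc:
        # Relative target: require one leading slash, never "//" or "///".
        return target.startswith("/") and not target.startswith("//")
    # Compare the whole netloc so "allowed@other-host" does not pass.
    return parts.netloc.lower() in {h.lower() for h in allowed_hosts}


def resolve_next_page(target, allowed_hosts, fallback="/"):
    """Return the redirect destination, falling back when target is unsafe."""
    return target.strip() if is_safe_next_page(target, allowed_hosts) else fallback


if __name__ == "__main__":
    hosts = {"graphiteSite"}  # assumed deployment hostname, as in the PoC URLs
    samples = [  # constructed inputs
        "/dashboard/",
        "http://graphiteSite/composer",
        "https://www.google.com",
        "//www.google.com/",
        "https:www.google.com",
        "http://graphiteSite@www.google.com/",
    ]
    for value in samples:
        print(f"{value!r:45} -> {resolve_next_page(value, hosts)!r}")
```

This only addresses where the redirect may point; whether the logout and update endpoints accept cross-site requests is a separate question, as the reply's CSRF query indicates.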