View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017648 | mantisbt | security | public | 2014-09-11 19:01 | 2015-02-22 06:41 |
Reporter | rgiobbi | Assigned To | dregad | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.0a3 | ||||
Target Version | 1.2.18 | Fixed in Version | 1.2.18 | ||
Summary | 0017648: CVE-2014-6316: URL redirection issue | ||||
Description | Hello, The version of Mantis I was testing contains a URL redirection issue on the login page. This link | ||||
Steps To Reproduce | Full HTTP requests and responses are below http://192.168.82.128/login_page.php?return=http://www.google.com GET /login_page.php?return=http://www.google.com HTTP/1.1 HTTP/1.1 302 Found GET / HTTP/1.1 HTTP/1.1 302 Found | ||||
Additional Information | This is a low risk issue, but I'll get a CVE assigned | ||||
Tags | No tags attached. | ||||
has duplicate | 0017698 | closed | dregad | An Open Redirect Vulnerability discovered |
related to | 0017811 | closed | vboctor | CVE-2014-9117: CAPTCHA bypass |
related to | 0017997 | closed | dregad | CVE-2015-1042: URL redirection issue |
related to | 0019384 | closed | atrol | Multiple Cross-Site Scripting Vulnerabilities |
child of | 0017362 | closed | dregad | Multiple vulnerabilities in MantisBT |
Thanks for the bug report. I'm a bit surprised, because the issue is not reproducible on this tracker, and this part of the code has not changed since 1.2.9. As a side note, I strongly recommend you upgrade to the latest version (1.2.17 at the moment). We actually sanitize the return URL [1], to prevent just that scenario you describe. [1] https://github.com/mantisbt/mantisbt/blob/master-1.2.x/login_page.php#L33 Was the MantisBT source code modified in any way?
No problem, thanks for the quick reply. My apologies but I might have got the version # wrong. I grabbed it from here http://www.turnkeylinux.org/mantis. I didn't change the source.
According to that link, they are using the latest Debian wheezy package, which seems to be a patched 1.2.11 version [1]. That version does not redirect outside of MantisBT, therefore I can only assume that it's a problem specific to either the Debian package (not maintained by us, and actually not maintained at all apparently [2]), TurnKeyLinux, or possibly your local setup. In any case, if you really want a CVE for this, you should first make sure that the issue is truly caused by MantisBT. As far as I can tell, it is not the case. Based on this, I'll resolve the issue as Unable to reproduce for now, feel free to reopen if you can demonstrate the contrary. As a side note, considering how simple it is to set up Mantis, I would strongly suggest that you ditch the outdated Debian package, and install 1.2.17 manually. [1] https://packages.debian.org/source/wheezy/mantis.
Thanks for looking into it. I have already contacted the Mitre folks to get a CVE, but I understand that you only want to support code you wrote. Here is what it looks like I'll give the newest version of mantisdb a try
Tonight I installed a VM with the TurnKeyLinux/Mantis image and I could reproduce the problem as follows:
It would appear that string_sanitize_url() does not work properly when Mantis is installed at the root, and returns the URL as-is instead of defaulting to index.php. So I take back what I said about this being a bug of TKL or the Debian package. Please let us know the CVE number when you get it.
Hi, This is a duplicate report of an existing issue for which a CVE will be requested once a patch for the issue has been committed to master. Not sure what Mitre's policy is on this, but I believe the original reporter of the original issue should be the one credited for the vulnerability (with a reference to others finding it if necessary).
Thanks. CVE-2014-6316 was assigned. Don't worry too much about the credit, mentioning me as a secondary is appreciated.
I'm reopening this so that we can track resolution of the redirection issue individually (as the original 0017362 references other vulnerabilities).
MantisBT: master-1.2.x 662bcd2e 2014-12-03 12:09
Tests: revise StringTest.php
- Add assertion to check string_sanitize_url() when $g_short_path = '/'. This is a bit of a hack, but it gets the job done.
- Add test case for login page URL redirection issue 0017648
Affected Issues 0017648

mod - tests/Mantis/StringTest.php
MantisBT: master f148884f 2014-12-03 12:09
Tests: revise StringTest.php
- Add assertion to check string_sanitize_url() when $g_short_path = '/'. This is a bit of a hack, but it gets the job done.
- Add test case for login page URL redirection issue 0017648
Affected Issues 0017648

mod - tests/Mantis/StringTest.php
MantisBT: master-1.2.x e66ecc9f 2014-12-03 12:18
Fix URL redirection issue in login_page.php

When Mantis is installed at the web server's root, $g_short_path is set to '/'. string_sanitize_url() removes the trailing '/' from the short path, which causes the URL to be incorrectly categorized as "type 2", thus allowing cross-site redirection to occur. By checking that the short path is not empty before setting the URL as type 2, we ensure that we categorize it as type 3, which then forces the function's return value to 'index.php'.

Fixes 0017648 (CVE-2014-6316)
Affected Issues 0017648

mod - core/string_api.php
MantisBT: master 75f6bf97 2014-12-03 12:18
Fix URL redirection issue in login_page.php

When Mantis is installed at the web server's root, $g_short_path is set to '/'. string_sanitize_url() removes the trailing '/' from the short path, which causes the URL to be incorrectly categorized as "type 2", thus allowing cross-site redirection to occur. By checking that the short path is not empty before setting the URL as type 2, we ensure that we categorize it as type 3, which then forces the function's return value to 'index.php'.

Fixes 0017648 (CVE-2014-6316)
Affected Issues 0017648

mod - core/string_api.php
MantisBT: master-1.2.x d95f070d 2015-01-10 12:25
Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection. Alejo Popovici discovered that the regex checking for URLs pointing to other domains considered a URL with a single '/' as local, allowing redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2014-6316)
Affected Issues 0017648, 0017997

mod - core/string_api.php
MantisBT: master e7e2b550 2015-01-10 12:25
Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection. Alejo Popovici discovered that the regex checking for URLs pointing to other domains considered a URL with a single '/' as local, allowing redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2015-1042)
Affected Issues 0017648, 0017997, 0019275

mod - core/string_api.php
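As an added Python illustration of the two defects the commit messages above describe (a prefix check that collapses to the empty string for a root install, and an absolute-URL check that let the malformed http:/host form through), beside a hardened version that falls back to index.php. This is not MantisBT's PHP string_sanitize_url(), whose code is not on this page; the function names, the short_path parameter and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit

# Constructed illustration, not MantisBT's string_sanitize_url().
# short_path is the web path the application is installed under:
# "/mantis/" for a sub-directory install, "/" for a root install.


def sanitize_return_url_weak(url: str, short_path: str) -> str:
    """Flawed prefix check mirroring the bug class on this page.
    Stripping the trailing '/' turns a root-install short path into '',
    and every string starts with '', so a URL to another host is
    passed straight through instead of being replaced by index.php."""
    prefix = short_path.rstrip("/")
    if url.startswith(prefix):
        return url
    return "index.php"


def sanitize_return_url(url: str, short_path: str) -> str:
    """Hardened check: the prefix never collapses to '', and any URL
    carrying a scheme or an authority is refused. urlsplit() reports a
    scheme for 'http:/host' as well, which covers the single-slash case
    from the second commit. Anything rejected becomes index.php."""
    if not url:
        return "index.php"
    prefix = short_path.rstrip("/") or "/"   # root install stays "/"
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:         # absolute or protocol-relative
        return "index.php"
    path = parts.path
    if path.startswith("//"):                # defensive: never emit "//host"
        return "index.php"
    if not path.startswith("/"):
        # Relative to the current directory: cannot leave this host.
        return url
    if prefix == "/" or path == prefix or path.startswith(prefix + "/"):
        return url                           # inside the install
    return "index.php"


if __name__ == "__main__":
    # Sample return= values, constructed from the cases discussed above.
    for target in ("http://www.google.com", "http:/google.com",
                   "//www.google.com", "/view.php?id=1"):
        print(f"{target!r}: weak -> {sanitize_return_url_weak(target, '/')!r}, "
              f"hardened -> {sanitize_return_url(target, '/')!r}")
```

Run with a sub-directory short_path such as "/mantis/" to see that the weak version only misbehaves for the root install, exactly as the comments on this issue observed.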