View Issue Details

ID: 0017997
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-01-27 04:49
Reporter: alex91ar
Assigned To: dregad
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.18
Target Version: 1.2.19
Fixed in Version: 1.2.19
Summary: 0017997: CVE-2015-1042: URL redirection issue
Description

Hi!
I just downloaded the latest version of Mantis bugtracker (1.2.18) and discovered that the issue that I originally reported [EDIT dregad: in 0017811 (see 1st bullet in issue description), and follow-up in 0017648] is not completely fixed.

It seems that the regex on line 255 of file core/string_api.php does not contemplate the usage of a single slash in the parameter, which can be interpreted by certain browsers (I was able to reproduce on Firefox 34.0 and Chrome 39.0.2171.95 but not in Internet Explorer 11.0.9600.17420).

Thank you!
Best Regards
Alex.

Steps To Reproduce

On a server with http connection:
http://www.example.com/mantis-directory/login_page.php?return=https:/www.google.com

On a server with https connection:
https://www.example.com/mantis-directory/login_page.php?return=http:/www.google.com

Both will redirect to google.
For a more direct example:
https://www.mantisbt.org/bugs/login_page.php?return=http:/www.google.com
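To make the report concrete from the defender's side, here is an added example (not MantisBT code, written in Python rather than the project's PHP) that runs the two regexes from the attached patch over a handful of constructed `return=` values. It shows why the original `://` pattern lets the single-slash form through, what the patched `:/*` pattern does with it, and the side effect that the patched pattern also rejects a local URL whose query string merely contains a colon. The `is_safe_local_return` function is a hypothetical alternative check based on URL parsing, not anything the project ships.

```python
import re
from urllib.parse import urlsplit

# Regexes copied verbatim from the patch on this issue (PHP '@...@' delimiters dropped).
OLD_PATTERN = re.compile(r'(?:[^:]*)?://')   # before the fix: needs a literal "://"
NEW_PATTERN = re.compile(r'(?:[^:]*)?:/*')   # after the fix: colon, then zero or more "/"


def flagged_as_other_domain(url: str, pattern: re.Pattern) -> bool:
    """Mirror the patch's `preg_match(...) > 0` test.

    True means string_sanitize_url() would discard the return URL and
    send the user to index.php instead.
    """
    return pattern.search(url) is not None


def is_safe_local_return(url: str) -> bool:
    """Hypothetical parse-based allow-list check (not MantisBT code).

    Accept only a relative path with no scheme and no authority. The
    single-slash form parses with a scheme, and a protocol-relative
    form parses with a netloc, so both are rejected without having to
    treat every colon in a query string as a foreign URL.
    """
    if not url:
        return False
    parts = urlsplit(url)
    return parts.scheme == '' and parts.netloc == ''


# Constructed sample values for the return= parameter.
SAMPLES = [
    "https:/www.google.com",    # single-slash form from the report
    "http://www.google.com",    # ordinary absolute URL
    "//www.google.com",         # protocol-relative URL
    "view.php?t=12:30",         # local page with a colon in the query string
    "index.php",                # plain local page
]


def evaluate(samples=SAMPLES):
    """Return {url: (old_regex_rejects, new_regex_rejects, strict_check_allows)}."""
    return {
        url: (
            flagged_as_other_domain(url, OLD_PATTERN),
            flagged_as_other_domain(url, NEW_PATTERN),
            is_safe_local_return(url),
        )
        for url in samples
    }


if __name__ == "__main__":
    for url, (old_rejects, new_rejects, strict_allows) in evaluate().items():
        print(f"{url:24} old_rejects={old_rejects!s:5} "
              f"new_rejects={new_rejects!s:5} strict_allows={strict_allows}")
```

Running it shows the old pattern passing `https:/www.google.com` while the new one rejects it; the new pattern also rejects `view.php?t=12:30`, which the parse-based check accepts because it has neither scheme nor host.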

Tags: No tags attached.

Relationships

related to 0017648 (closed, dregad): CVE-2014-6316: URL redirection issue
has duplicate 0019275 (closed, dregad): CVE-2015-1042: URL redirection issue

Activities

dregad (developer), 2015-01-06 03:02, note ~0042105

Hi Alex,

Many thanks for re-testing and letting us know about this. I'll look into it and let you know when a fix is available.

alex91ar (reporter), 2015-01-06 06:59, note ~0042107

Hey, you guys got me my first two CVEs and a third shared one, it's the least I could do.
Best regards and a happy new year.
Alex.

dregad (developer), 2015-01-10 18:01

0001-Fix-URL-redirection-issue-in-login_page.php.patch (1,144 bytes)
From d95f070db852614fa18ccca6a4f12f4bffede1fd Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sat, 10 Jan 2015 23:25:54 +0100
Subject: [PATCH] Fix URL redirection issue in login_page.php

The fix for issue #17648 failed to correct all cases of redirection.

Alejo Popovici discovered that the regex checking for URLs pointing to
other domains considered an URL with a single '/' as local, allowing
redirection e.g. to http:/google.com on certain browsers.

Fixes #17997 (CVE-2014-6316)
---
 core/string_api.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/core/string_api.php b/core/string_api.php
index c17c613..e9f3472 100644
--- a/core/string_api.php
+++ b/core/string_api.php
@@ -252,8 +252,7 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
 
 	# Check for URL's pointing to other domains
 	if ( 0 == $t_type || empty( $t_matches['script'] ) ||
-		3 == $t_type && preg_match( '@(?:[^:]*)?://@', $t_url ) > 0 ) {
-
+		3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {
 		return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';
 	}
 
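Review bot: in the replacement pattern `'@(?:[^:]*)?:/*@'` the `/*` quantifier accepts zero slashes, so the condition now fires on any `$t_url` that contains a colon at all, not only on scheme-like prefixes; a legitimate local return URL whose query string carries a colon (a time value, for instance) will now be bounced to `index.php`. If that broadening is intended, say so in the commit message; otherwise anchor the test to a scheme at the start of the URL (for example `'@^[a-z][a-z0-9+.-]*:@i'`) or compare the parsed host against the installation's own, and add a regression test for the `http:/` and `https:/` single-slash forms from the report so this case stays covered. Separately, the `Fixes #17997 (CVE-2014-6316)` trailer cites the earlier CVE; note ~0042131 records CVE-2015-1042 for this issue, which is what the master changeset e7e2b550 already states.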
-- 
2.1.0

dregad (developer), 2015-01-10 18:06, note ~0042129

Please review proposed patch.

I just emailed the OSS-security list [1] to check whether a new CVE ID was required or if I should issue the patch for this under CVE-2014-6316.

[1] http://article.gmane.org/gmane.comp.security.oss.general/15384

dregad (developer), 2015-01-12 06:24, note ~0042131

CVE-2015-1042 was assigned [1]

[1] http://article.gmane.org/gmane.comp.security.oss.general/15392

alex91ar (reporter), 2015-01-12 08:13, note ~0042133

Hi Damien,
The regex should work. I would, though, encourage some testing just to be sure that we didn't break the functionality (no further security issues should be present), but I don't think that there will be any problems.

Thanks for the quick response!
Best regards,
Alex.

Related Changesets

MantisBT: master-1.2.x d95f070d, 2015-01-10 17:25:54, dregad

Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection.

Alejo Popovici discovered that the regex checking for URLs pointing to
other domains considered an URL with a single '/' as local, allowing
redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2014-6316)
mod - core/string_api.php

MantisBT: master e7e2b550, 2015-01-10 17:25:54, dregad

Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection.

Alejo Popovici discovered that the regex checking for URLs pointing to
other domains considered an URL with a single '/' as local, allowing
redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2015-1042)
mod - core/string_api.php

Issue History

Date Modified Username Field Change
2015-01-05 14:55 alex91ar New Issue
2015-01-06 02:43 atrol Status new => confirmed
2015-01-06 02:43 atrol Relationship added related to 0017648
2015-01-06 03:02 dregad Assigned To => dregad
2015-01-06 03:02 dregad Status confirmed => assigned
2015-01-06 03:02 dregad Note Added: 0042105
2015-01-06 06:59 alex91ar Note Added: 0042107
2015-01-10 18:01 dregad File Added: 0001-Fix-URL-redirection-issue-in-login_page.php.patch
2015-01-10 18:06 dregad Note Added: 0042129
2015-01-10 18:16 dregad Target Version => 1.2.19
2015-01-12 06:21 dregad Summary CVE-2014-6316: URL redirection issue (Not fixed) => CVE-2015-1042: URL redirection issue
2015-01-12 06:21 dregad Description Updated
2015-01-12 06:24 dregad Note Added: 0042131
2015-01-12 08:13 alex91ar Note Added: 0042133
2015-01-16 18:27 dregad Changeset attached => MantisBT master-1.2.x d95f070d
2015-01-16 18:27 dregad Status assigned => resolved
2015-01-16 18:27 dregad Resolution open => fixed
2015-01-16 18:27 dregad Fixed in Version => 1.2.19
2015-01-16 18:30 dregad Changeset attached => MantisBT master e7e2b550
2015-01-16 18:44 dregad View Status private => public
2015-01-25 18:17 dregadmin Status resolved => closed
2015-01-27 04:49 dregad Issue cloned: 0019275
2015-01-27 04:49 dregad Relationship added has duplicate 0019275