View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017997 | mantisbt | security | public | 2015-01-05 14:55 | 2015-01-27 04:49 |

Field | Value | Field | Value | Field | Value |
---|---|---|---|---|---|
Reporter | alex91ar | Assigned To | dregad | | |
Priority | urgent | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | | |
Product Version | 1.2.18 | | | | |
Target Version | 1.2.19 | Fixed in Version | 1.2.19 | | |

Field | Value |
---|---|
Summary | 0017997: CVE-2015-1042: URL redirection issue |
Description | Hi! It seems that the regex on line 255 of file core/string.api.php does not contemplate the usage of a single slash on the parameter, which can be interpreted by certain browsers (I was able to reproduce on Firefox 34.0 and Chrome 39.0.2171.95 but not in Internet Explorer 11.0.9600.17420). Thank you! |
Steps To Reproduce | On a server with http connection: On a server with https connection: Both will redirect to google. |
Tags | No tags attached. |
Attached Files | 0001-Fix-URL-redirection-issue-in-login_page.php.patch (1,144 bytes) |
From d95f070db852614fa18ccca6a4f12f4bffede1fd Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Sat, 10 Jan 2015 23:25:54 +0100 Subject: [PATCH] Fix URL redirection issue in login_page.php The fix for issue #17648 failed to correct all cases of redirection. Alejo Popovici discovered that the regex checking for URLs pointing to other domains considered an URL with a single '/' as local, allowing redirection e.g. to http:/google.com on certain browsers. Fixes #17997 (CVE-2014-6316) --- core/string_api.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/core/string_api.php b/core/string_api.php index c17c613..e9f3472 100644 --- a/core/string_api.php +++ b/core/string_api.php @@ -252,8 +252,7 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) { # Check for URL's pointing to other domains if ( 0 == $t_type || empty( $t_matches['script'] ) || - 3 == $t_type && preg_match( '@(?:[^:]*)?://@', $t_url ) > 0 ) { - + 3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) { return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php'; } -- 2.1.0 | ||||
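Review bot: the replacement pattern `:/*` accepts zero slashes after the colon, so inside the `3 == $t_type` branch any `$t_url` containing a `:` anywhere now counts as pointing to another domain; that covers the single-slash `http:/google.com` case from the report, but it also sends a local return URL whose query string contains a colon to `index.php`. If that wider rejection is intended (it is the conservative choice), state it in the commit message; if only the "scheme followed by one or more slashes" forms are meant, `:/+` expresses that exactly. The leading `(?:[^:]*)?` is redundant under an unanchored `preg_match` and can be dropped. The Fixes line cites CVE-2014-6316 while the issue summary carries CVE-2015-1042; confirm which identifier applies before the commit message is final.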
Hi Alex, Many thanks for re-testing and letting us know about this. I'll look into it and let you know when a fix is available.

Hey, you guys got me my first two CVEs and a third shared one, it's the least I could do.

Please review proposed patch. I just emailed the OSS-security list [1] to check whether a new CVE ID was required or if I should issue the patch for this under CVE-2014-6316.
[1] http://article.gmane.org/gmane.comp.security.oss.general/15384

CVE-2015-1042 was assigned [1]
[1] http://article.gmane.org/gmane.comp.security.oss.general/15392

Hi Damien, Thanks for the quick response!
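As an added example (not code from this issue or from MantisBT), the two patterns from the attached patch are run against constructed sample return URLs, with example.com standing in for the domain named in the report; redirect_target() models only the regex clause of the `3 == $t_type` branch, not the rest of string_sanitize_url(), whose other conditions are not shown on this page.

```python
import re

# Patterns transcribed from the attached patch to core/string_api.php.
# The PCRE '@...@' delimiters are dropped; the bodies behave the same in
# Python's re module for these inputs.
OLD_PATTERN = re.compile(r'(?:[^:]*)?://')   # before the fix: needs "://"
NEW_PATTERN = re.compile(r'(?:[^:]*)?:/*')   # after the fix: ":" + 0..n "/"


def is_external(url: str, pattern: re.Pattern) -> bool:
    """Mirror the unanchored preg_match(...) > 0 test from the patch:
    True means the URL is treated as pointing to another domain."""
    return pattern.search(url) is not None


def redirect_target(url: str, pattern: re.Pattern) -> str:
    """Reduced model of the fallback in the patched clause: an
    external-looking URL is replaced by 'index.php', otherwise kept."""
    return 'index.php' if is_external(url, pattern) else url


# Constructed sample return_url values (assumptions, not from the report).
SAMPLES = [
    'view_all_bug_page.php',     # plain local page
    'view.php?id=17997',         # local page with a query string
    'view.php?note=10:30',       # local page, colon inside the query string
    'http://example.com/',       # classic absolute URL
    'https://example.com/',
    'http:/example.com/',        # single slash: the case in this issue
    'https:/example.com/',
]


def classify(samples=SAMPLES):
    """Return {url: (old_flags_external, new_flags_external)}."""
    return {u: (is_external(u, OLD_PATTERN), is_external(u, NEW_PATTERN))
            for u in samples}


if __name__ == '__main__':
    for url, (old, new) in classify().items():
        print(f'{url:26} old={old!s:5} new={new}')
```

The single-slash URLs flip from "local" to "external" with the new pattern; the third sample shows the side effect of `:/*`, which also flags a purely local URL whose query string happens to contain a colon.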
MantisBT: master-1.2.x d95f070d 2015-01-10 12:25

Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection. Alejo Popovici discovered that the regex checking for URLs pointing to other domains considered an URL with a single '/' as local, allowing redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2014-6316)

Affected Issues: 0017648, 0017997

mod - core/string_api.php

MantisBT: master e7e2b550 2015-01-10 12:25

Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection. Alejo Popovici discovered that the regex checking for URLs pointing to other domains considered an URL with a single '/' as local, allowing redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2015-1042)

Affected Issues: 0017648, 0017997, 0019275

mod - core/string_api.php