View Issue Details

ID: 0019275
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-03-15 19:58
Reporter: dregad
Assigned To: dregad
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0-beta.1
Target Version: 1.3.0-beta.2
Fixed in Version: 1.3.0-beta.2
Summary: 0019275: CVE-2015-1042: URL redirection issue
Description

This is a clone of 0017997 to track the vulnerability in 1.3.x branch

Tags: No tags attached.

Relationships

duplicate of 0017997  closed  dregad  CVE-2015-1042: URL redirection issue

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master e7e2b550

2015-01-10 17:25:54

dregad

Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection.

Alejo Popovici discovered that the regex checking for URLs pointing to
other domains considered a URL with a single '/' as local, allowing
redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2015-1042)
mod - core/string_api.php
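
The misclassification described in the changeset message above, as an added example that is not MantisBT's code or the actual patch. naive_is_local() is a constructed stand-in for a check that only treats "scheme://" as external, strict_is_local() is a hypothetical stricter check, and every sample URL other than http:/google.com is constructed.

```php
<?php
// Constructed stand-in (not MantisBT's regex): only "scheme://" counts as
// external, so a URL with a single slash after the scheme looks local.
function naive_is_local(string $url): bool {
    return preg_match('#^[a-z][a-z0-9+.-]*://#i', $url) !== 1;
}

// Hypothetical stricter check: accept only references that carry neither a
// scheme nor an authority, i.e. paths inside the application itself.
function strict_is_local(string $url): bool {
    // Control characters, spaces and backslashes are normalised in
    // browser-specific ways ("\" is often read as "/"), so refuse them.
    if ($url === '' || preg_match('#[\x00-\x20\x7f\\\\]#', $url) === 1) {
        return false;
    }
    // Any scheme makes the target non-local, however many slashes follow.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $url) === 1) {
        return false;
    }
    // "//host/..." is a protocol-relative reference to another authority.
    if (strncmp($url, '//', 2) === 0) {
        return false;
    }
    return true;
}

// Constructed return values as a login page might receive them.
$samples = [
    'view.php?id=12',
    'http://example.org/',
    'http:/google.com',
    '//example.org/',
    '/\\example.org/',
];

foreach ($samples as $url) {
    printf(
        "%-22s naive=%-5s strict=%s\n",
        $url,
        var_export(naive_is_local($url), true),
        var_export(strict_is_local($url), true)
    );
}
```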

Issue History

Date Modified Username Field Change
2015-01-27 04:49 dregad New Issue
2015-01-27 04:49 dregad Status new => assigned
2015-01-27 04:49 dregad Assigned To => dregad
2015-01-27 04:49 dregad Issue generated from: 0017997
2015-01-27 04:49 dregad Relationship added duplicate of 0017997
2015-01-27 04:52 dregad Status assigned => resolved
2015-01-27 04:52 dregad Fixed in Version => 1.3.0-beta.2
2015-01-27 04:52 dregad Resolution open => fixed
2015-01-27 04:56 dregad Changeset attached => MantisBT master e7e2b550
2015-03-15 19:58 dregad Status resolved => closed