View Issue Details

IDProjectCategoryView StatusLast Update
0017648mantisbtsecuritypublic2015-02-22 06:41
Reporterrgiobbi Assigned Todregad  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version1.2.0a3 
Target Version1.2.18Fixed in Version1.2.18 
Summary0017648: CVE-2014-6316: URL redirection issue
Description

Hello,

The version of Mantis I was testing contains a URL redirection issue on the login page.

This link
http://192.168.82.128/login_page.php?return=http://www.google.com
will redirect the user to google.com

Steps To Reproduce

Full HTTP requests and responses are below

http://192.168.82.128/login_page.php?return=http://www.google.com

GET /login_page.php?return=http://www.google.com HTTP/1.1
Host: 192.168.82.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=ibf6a3ij9ufbjk0to50cq06eq4; MANTIS_secure_session=1; MANTIS_STRING_COOKIE=698de99b5a1d4544d86cdae102b0e54b3576e559c7d129b8b1e62ea1a3f8534c
Connection: keep-alive

HTTP/1.1 302 Found
Date: Sun, 07 Sep 2014 11:06:48 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u5
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sun, 07 Sep 2014 11:06:48 GMT
X-Content-Type-Options: nosniff
Expires: Sun, 07 Sep 2014 11:06:48 GMT
X-Frame-Options: DENY
X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'none'
Location: http://www.google.com
Content-Encoding: gzip
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

http://www.google.com/

GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PREF=ID=0e541cf47b8f57f5:U=6a89fcd322034bde:FF=0:TM=1410476015:LM=1410476015:S=bC4cHqjYzSrzecNC; NID=67=EGd3hqlMdirhmt7t-joG_DgrmC_3aVQFnUUwDqm8rTk5qGL3w5VW_8qyAS4AxgyfYE6FDzjeyQhe8toWfoEE5ce9N04gZTTIh45VQ7OU-NE32jY9IxJZEnecgT1MfL0m
Connection: keep-alive

HTTP/1.1 302 Found
Location: https://www.google.com/?gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Thu, 11 Sep 2014 22:53:53 GMT
Server: gws
Content-Length: 231
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002

Additional Information

This is a low risk issue, but I'll get a CVE assigned

TagsNo tags attached.

Relationships

has duplicate 0017698 closeddregad An Open Redirect Vulnerability discovered 
related to 0017811 closedvboctor CVE-2014-9117: CAPTCHA bypass 
related to 0017997 closeddregad CVE-2015-1042: URL redirection issue 
related to 0019384 closedatrol Multiple Cross-Site Scripting Vulnerabilities 
child of 0017362 closeddregad Multiple vulnerabilities in MantisBT 

Activities

dregad

dregad

2014-09-12 05:15

developer   ~0041206

Thanks for the bug report.

I'm a bit surprised, because the issue is not reproducible on this tracker, and this part of the code has not changed since 1.2.9. As a side note, I strongly recommend you upgrade to the latest version (1.2.17 at the moment)

We actually sanitize the return URL [1], to prevent just that scenario you describe.

[1] https://github.com/mantisbt/mantisbt/blob/master-1.2.x/login_page.php#L33
https://github.com/mantisbt/mantisbt/blob/master-1.2.x/core/string_api.php#L233

Was the MantisBT source code modified in any way ?

rgiobbi

rgiobbi

2014-09-12 06:59

reporter   ~0041209

No problem, thanks for the quick reply. My apologies but I might have got the version # wrong. I grabbed it from here http://www.turnkeylinux.org/mantis. I didn't change the source.

dregad

dregad

2014-09-12 10:48

developer   ~0041212

According to that link, they are using the latest debian wheezy package, which seems to be a patched 1.2.11 version [1].

That version does not redirect outside of MantisBT, therefore I can only assume that it's a problem specific to either the debian package (not maintained by us, and actually not maintained at all apparently [2]), TurnKeyLinux, or possibly your local setup.

In any case, if you really want a CVE for this, you should first make sure that the issue is truly caused by MantisBT. As far as I can tell, it is not the case.

Based on this, I'll resolve the issue as Unable to reproduce for now, feel free to reopen if you can demonstrate the contrary.

As a side note, considering how simple it is to setup Mantis, I would strongly suggest that you ditch the outdated debian package, and install 1.2.17 manually.

[1] https://packages.debian.org/source/wheezy/mantis.
[2] https://packages.qa.debian.org/m/mantis.html "This package is neither part of unstable nor experimental. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it into unstable."

rgiobbi

rgiobbi

2014-09-14 21:13

reporter   ~0041221

Thanks for looking into it. I have already contacted the mitre folks to get a CVE, but I understand that you only want to support code you wrote.

Here is what it looks like
https://drive.google.com/file/d/0B_IuCmL7vzZZcnBqWGdZTDg3STQ/edit?usp=sharing

I'll give the newest version of mantisdb a try

dregad

dregad

2014-09-15 19:50

developer   ~0041224

Tonight I installed a VM with the TurnKeyLinux/Mantis image and I could reproduce the problem as follows:

  1. login to Mantis
  2. go to http://192.168.1.128/login_page.php?return=http://www.google.com

It would appear that string_sanitize_url() does not work properly when Mantis is installed at the root, and returns the URL as-is instead of defaulting to index.php.

So I take back what I said about this being a bug of TKL or the Debian package.

Please let us know the CVE number when you get it.

grangeway

grangeway

2014-09-19 18:45

reporter   ~0041257

Hi,

This is a duplicate report of an existing issue for which a CVE will be requested once a patch for the issue has been committed to master.

Not sure what Mitre's policy is on this, but I believe the original reporter of the original issue should be the one credited for the vulnerability (with a reference to others finding it if necessary).

rgiobbi

rgiobbi

2014-09-19 19:11

reporter   ~0041258

Thanks. CVE-2014-6316 was assigned. Don't worry too much about the credit, mentioning me as a secondary is appreciated.

dregad

dregad

2014-10-29 08:21

developer   ~0041699

I'm reopening this so that we can track resolution of the redirection issue individually (as the original 0017362 references other vulnerabilities)

Related Changesets

MantisBT: master-1.2.x 662bcd2e

2014-12-03 17:09:35

dregad

Details Diff
Tests: revise StringTest.php

- Add assertion to check string_sanitize_url() when $g_short_path = '/'
This is a bit of a hack, but it gets the job done
- Add test case for login page URL redirection issue 0017648
Affected Issues
0017648
mod - tests/Mantis/StringTest.php Diff File

MantisBT: master f148884f

2014-12-03 17:09:35

dregad

Details Diff
Tests: revise StringTest.php

- Add assertion to check string_sanitize_url() when $g_short_path = '/'
This is a bit of a hack, but it gets the job done
- Add test case for login page URL redirection issue 0017648
Affected Issues
0017648
mod - tests/Mantis/StringTest.php Diff File

MantisBT: master-1.2.x e66ecc9f

2014-12-03 17:18:17

dregad

Details Diff
Fix URL redirection issue in login_page.php

When Mantis is installed at the web server's root, $g_short_path is set
to '/'. string_sanitize_url() removes the trailing '/' from the short
path, which causes the URL to be incorrectly categorized as "type 2",
thus allowing cross-site redirection to occur.

By making checking that the short path is not empty before setting URL
as type 2, we ensure that we categorize it as type 3, which then forces
the function's return value to 'index.php'

Fixes 0017648 (CVE-2014-6316)
Affected Issues
0017648
mod - core/string_api.php Diff File

MantisBT: master 75f6bf97

2014-12-03 17:18:17

dregad

Details Diff
Fix URL redirection issue in login_page.php

When Mantis is installed at the web server's root, $g_short_path is set
to '/'. string_sanitize_url() removes the trailing '/' from the short
path, which causes the URL to be incorrectly categorized as "type 2",
thus allowing cross-site redirection to occur.

By making checking that the short path is not empty before setting URL
as type 2, we ensure that we categorize it as type 3, which then forces
the function's return value to 'index.php'

Fixes 0017648 (CVE-2014-6316)
Affected Issues
0017648
mod - core/string_api.php Diff File

MantisBT: master-1.2.x d95f070d

2015-01-10 17:25:54

dregad

Details Diff
Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection.

Alejo Popovici discovered that the regex checking for URLs pointing to
other domains considered an URL with a single '/' as local, allowing
redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2014-6316)
Affected Issues
0017648, 0017997
mod - core/string_api.php Diff File

MantisBT: master e7e2b550

2015-01-10 17:25:54

dregad

Details Diff
Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection.

Alejo Popovici discovered that the regex checking for URLs pointing to
other domains considered an URL with a single '/' as local, allowing
redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2015-1042)
Affected Issues
0017648, 0017997, 0019275
mod - core/string_api.php Diff File

Issue History

Date Modified Username Field Change
2014-09-11 19:01 rgiobbi New Issue
2014-09-12 05:15 dregad Note Added: 0041206
2014-09-12 05:15 dregad Status new => feedback
2014-09-12 06:59 rgiobbi Note Added: 0041209
2014-09-12 06:59 rgiobbi Status feedback => new
2014-09-12 10:48 dregad Note Added: 0041212
2014-09-12 10:48 dregad Status new => resolved
2014-09-12 10:48 dregad Resolution open => unable to reproduce
2014-09-12 10:48 dregad Assigned To => dregad
2014-09-14 21:13 rgiobbi Note Added: 0041221
2014-09-15 19:50 dregad Note Added: 0041224
2014-09-15 19:50 dregad Status resolved => confirmed
2014-09-15 19:50 dregad Resolution unable to reproduce => reopened
2014-09-19 18:45 grangeway Note Added: 0041257
2014-09-19 18:45 grangeway Relationship added duplicate of 0017362
2014-09-19 18:45 grangeway Status confirmed => resolved
2014-09-19 18:45 grangeway Resolution reopened => duplicate
2014-09-19 18:45 grangeway Assigned To dregad => grangeway
2014-09-19 19:11 rgiobbi Note Added: 0041258
2014-09-23 04:28 atrol Relationship added duplicate of 0017698
2014-10-02 18:21 atrol Status resolved => closed
2014-10-29 08:21 dregad Note Added: 0041699
2014-10-29 08:21 dregad Assigned To grangeway =>
2014-10-29 08:21 dregad Status closed => confirmed
2014-10-29 08:21 dregad Resolution duplicate => reopened
2014-10-29 08:21 dregad Target Version => 1.2.18
2014-10-29 08:21 dregad Summary URL redirection issue => CVE-2014-6316: URL redirection issue
2014-10-29 08:21 dregad Relationship replaced child of 0017362
2014-10-29 08:22 dregad Relationship replaced has duplicate 0017698
2014-10-29 08:54 dregad Relationship added has duplicate 0017811
2014-11-26 11:54 dregad Relationship replaced related to 0017811
2014-12-03 17:47 dregad Assigned To => dregad
2014-12-03 17:47 dregad Status confirmed => assigned
2014-12-03 17:47 dregad Product Version 1.2.9 => 1.2.0a3
2014-12-03 18:10 dregad Changeset attached => MantisBT master-1.2.x 662bcd2e
2014-12-03 18:10 dregad Changeset attached => MantisBT master-1.2.x e66ecc9f
2014-12-03 18:10 dregad Status assigned => resolved
2014-12-03 18:10 dregad Fixed in Version => 1.2.18
2014-12-03 18:10 dregad Changeset attached => MantisBT master f148884f
2014-12-03 18:10 dregad Changeset attached => MantisBT master 75f6bf97
2014-12-03 18:11 dregad Resolution reopened => fixed
2014-12-03 18:11 dregad View Status private => public
2014-12-05 18:33 dregadmin Status resolved => closed
2015-01-06 02:43 atrol Relationship added related to 0017997
2015-01-16 18:27 dregad Changeset attached => MantisBT master-1.2.x d95f070d
2015-01-16 18:30 dregad Changeset attached => MantisBT master e7e2b550
2015-02-22 06:41 atrol Relationship added related to 0019384