View Issue Details

ID: 0017648
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-02-22 06:41
Reporter: rgiobbi
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0a3
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017648: CVE-2014-6316: URL redirection issue
Description

Hello,

The version of Mantis I was testing contains a URL redirection issue on the login page.

This link
http://192.168.82.128/login_page.php?return=http://www.google.com
will redirect the user to google.com

Steps To Reproduce

Full HTTP requests and responses are below

http://192.168.82.128/login_page.php?return=http://www.google.com

GET /login_page.php?return=http://www.google.com HTTP/1.1
Host: 192.168.82.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=ibf6a3ij9ufbjk0to50cq06eq4; MANTIS_secure_session=1; MANTIS_STRING_COOKIE=698de99b5a1d4544d86cdae102b0e54b3576e559c7d129b8b1e62ea1a3f8534c
Connection: keep-alive

HTTP/1.1 302 Found
Date: Sun, 07 Sep 2014 11:06:48 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u5
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sun, 07 Sep 2014 11:06:48 GMT
X-Content-Type-Options: nosniff
Expires: Sun, 07 Sep 2014 11:06:48 GMT
X-Frame-Options: DENY
X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'none'
Location: http://www.google.com
Content-Encoding: gzip
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

http://www.google.com/

GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PREF=ID=0e541cf47b8f57f5:U=6a89fcd322034bde:FF=0:TM=1410476015:LM=1410476015:S=bC4cHqjYzSrzecNC; NID=67=EGd3hqlMdirhmt7t-joG_DgrmC_3aVQFnUUwDqm8rTk5qGL3w5VW_8qyAS4AxgyfYE6FDzjeyQhe8toWfoEE5ce9N04gZTTIh45VQ7OU-NE32jY9IxJZEnecgT1MfL0m
Connection: keep-alive

HTTP/1.1 302 Found
Location: https://www.google.com/?gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Thu, 11 Sep 2014 22:53:53 GMT
Server: gws
Content-Length: 231
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.002

Additional Information

This is a low risk issue, but I'll get a CVE assigned

Tags: No tags attached.

Relationships

has duplicate 0017698 (closed, dregad): An Open Redirect Vulnerability discovered
related to 0017811 (closed, vboctor): CVE-2014-9117: CAPTCHA bypass
related to 0017997 (closed, dregad): CVE-2015-1042: URL redirection issue
related to 0019384 (closed, atrol): Multiple Cross-Site Scripting Vulnerabilities
child of 0017362 (closed, dregad): Multiple vulnerabilities in MantisBT

Activities

dregad (developer) 2014-09-12 05:15 ~0041206

Thanks for the bug report.

I'm a bit surprised, because the issue is not reproducible on this tracker, and this part of the code has not changed since 1.2.9. As a side note, I strongly recommend you upgrade to the latest version (1.2.17 at the moment).

We actually sanitize the return URL [1], to prevent just that scenario you describe.

[1] https://github.com/mantisbt/mantisbt/blob/master-1.2.x/login_page.php#L33
https://github.com/mantisbt/mantisbt/blob/master-1.2.x/core/string_api.php#L233

Was the MantisBT source code modified in any way?

rgiobbi (reporter) 2014-09-12 06:59 ~0041209

No problem, thanks for the quick reply. My apologies but I might have got the version # wrong. I grabbed it from here http://www.turnkeylinux.org/mantis. I didn't change the source.

dregad (developer) 2014-09-12 10:48 ~0041212

According to that link, they are using the latest debian wheezy package, which seems to be a patched 1.2.11 version [1].

That version does not redirect outside of MantisBT, therefore I can only assume that it's a problem specific to either the debian package (not maintained by us, and actually not maintained at all apparently [2]), TurnKeyLinux, or possibly your local setup.

In any case, if you really want a CVE for this, you should first make sure that the issue is truly caused by MantisBT. As far as I can tell, it is not the case.

Based on this, I'll resolve the issue as Unable to reproduce for now, feel free to reopen if you can demonstrate the contrary.

As a side note, considering how simple it is to setup Mantis, I would strongly suggest that you ditch the outdated debian package, and install 1.2.17 manually.

[1] https://packages.debian.org/source/wheezy/mantis.
[2] https://packages.qa.debian.org/m/mantis.html "This package is neither part of unstable nor experimental. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it into unstable."

rgiobbi (reporter) 2014-09-14 21:13 ~0041221

Thanks for looking into it. I have already contacted the mitre folks to get a CVE, but I understand that you only want to support code you wrote.

Here is what it looks like
https://drive.google.com/file/d/0B_IuCmL7vzZZcnBqWGdZTDg3STQ/edit?usp=sharing

I'll give the newest version of mantisdb a try

dregad (developer) 2014-09-15 19:50 ~0041224

Tonight I installed a VM with the TurnKeyLinux/Mantis image and I could reproduce the problem as follows:

  1. login to Mantis
  2. go to http://192.168.1.128/login_page.php?return=http://www.google.com

It would appear that string_sanitize_url() does not work properly when Mantis is installed at the root, and returns the URL as-is instead of defaulting to index.php.

So I take back what I said about this being a bug of TKL or the Debian package.

Please let us know the CVE number when you get it.

grangeway (reporter) 2014-09-19 18:45 ~0041257

Hi,

This is a duplicate report of an existing issue for which a CVE will be requested once a patch for the issue has been committed to master.

Not sure what Mitre's policy is on this, but I believe the original reporter of the original issue should be the one credited for the vulnerability (with a reference to others finding it if necessary).

rgiobbi (reporter) 2014-09-19 19:11 ~0041258

Thanks. CVE-2014-6316 was assigned. Don't worry too much about the credit, mentioning me as a secondary is appreciated.

dregad (developer) 2014-10-29 08:21 ~0041699

I'm reopening this so that we can track resolution of the redirection issue individually (as the original 0017362 references other vulnerabilities)

Related Changesets

MantisBT: master-1.2.x 662bcd2e (dregad, 2014-12-03 12:09)

Tests: revise StringTest.php

- Add assertion to check string_sanitize_url() when $g_short_path = '/'
This is a bit of a hack, but it gets the job done
- Add test case for login page URL redirection issue 0017648
Affected Issues: 0017648
mod - tests/Mantis/StringTest.php

MantisBT: master f148884f (dregad, 2014-12-03 12:09)

Tests: revise StringTest.php

- Add assertion to check string_sanitize_url() when $g_short_path = '/'
This is a bit of a hack, but it gets the job done
- Add test case for login page URL redirection issue 0017648
Affected Issues: 0017648
mod - tests/Mantis/StringTest.php

MantisBT: master-1.2.x e66ecc9f (dregad, 2014-12-03 12:18)

Fix URL redirection issue in login_page.php

When Mantis is installed at the web server's root, $g_short_path is set
to '/'. string_sanitize_url() removes the trailing '/' from the short
path, which causes the URL to be incorrectly categorized as "type 2",
thus allowing cross-site redirection to occur.

By checking that the short path is not empty before setting the URL
as type 2, we ensure that we categorize it as type 3, which then forces
the function's return value to 'index.php'.

Fixes 0017648 (CVE-2014-6316)
Affected Issues: 0017648
mod - core/string_api.php

MantisBT: master 75f6bf97 (dregad, 2014-12-03 12:18)

Fix URL redirection issue in login_page.php

When Mantis is installed at the web server's root, $g_short_path is set
to '/'. string_sanitize_url() removes the trailing '/' from the short
path, which causes the URL to be incorrectly categorized as "type 2",
thus allowing cross-site redirection to occur.

By checking that the short path is not empty before setting the URL
as type 2, we ensure that we categorize it as type 3, which then forces
the function's return value to 'index.php'.

Fixes 0017648 (CVE-2014-6316)
Affected Issues: 0017648
mod - core/string_api.php

MantisBT: master-1.2.x d95f070d (dregad, 2015-01-10 12:25)

Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection.

Alejo Popovici discovered that the regex checking for URLs pointing to
other domains considered an URL with a single '/' as local, allowing
redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2014-6316)
Affected Issues: 0017648, 0017997
mod - core/string_api.php

MantisBT: master e7e2b550 (dregad, 2015-01-10 12:25)

Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection.

Alejo Popovici discovered that the regex checking for URLs pointing to
other domains considered an URL with a single '/' as local, allowing
redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2015-1042)
Affected Issues: 0017648, 0017997, 0019275
mod - core/string_api.php
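The two commit messages above (e66ecc9f/75f6bf97 for the root-install case, d95f070d/e7e2b550 for the single-slash case) describe the mechanism but not the code. The following is an added example, written in Python for this page and not MantisBT's own PHP string_sanitize_url(): a simplified model of a three-way URL classifier with a "points to another domain" check applied only to type-3 URLs. It reproduces both bugs (an empty short path after stripping '/' turns the type-2 prefix pattern into a match-anything, and a scheme-then-two-slashes regex does not catch http:/google.com) and shows a hardened external-URL rule of this example's own design. The site path http://tracker.example/, the short paths and the test URLs are constructed for the example.

```python
"""Simplified model of a login 'return' URL sanitizer (example code, not MantisBT's)."""
import re

# Tail of every prefix pattern: optional leading slashes, then script, ?query, #anchor.
TAIL = r'/*(?P<script>[^?#]*)(?:\?(?P<query>[^#]*))?(?:#(?P<anchor>.*))?$'

# Legacy "other domain" test from the description: a scheme followed by two slashes.
# It does not match 'http:/google.com', which some browsers still treat as absolute.
LEGACY_EXTERNAL = re.compile(r'[^:]*//')
# Hardened test (this example's own rule): any scheme prefix at all, or a
# protocol-relative ('//') or backslash-prefixed path, counts as external.
HARDENED_EXTERNAL = re.compile(r'^(?:[a-zA-Z][a-zA-Z0-9+.\-]*:|//|\\)')


def classify(url, path, short_path, check_empty_short_path):
    """Return (type, match): 1 = starts with the full site path, 2 = starts with
    the short path, 3 = anything else, 0 = no match at all."""
    t_path = path.rstrip('/')
    t_short_path = short_path.rstrip('/')   # '/' becomes '' for a root install
    m = re.match('^(?P<path>' + re.escape(t_path) + ')' + TAIL, url)
    if m:
        return 1, m
    # Bug 1: with an empty short path the quoted prefix is '', so this pattern
    # matches *every* string and http://www.google.com becomes a local type-2 URL.
    # The fix guards the type-2 test with "short path is not empty".
    if t_short_path or not check_empty_short_path:
        m = re.match('^(?P<path>' + re.escape(t_short_path) + ')' + TAIL, url)
        if m:
            return 2, m
    m = re.match('^(?P<path>)' + TAIL, url)
    return (3, m) if m else (0, None)


def sanitize_url(url, short_path, path='http://tracker.example/',
                 check_empty_short_path=True, hardened=False):
    """Collapse anything that is not a safe local URL to 'index.php'."""
    t_type, m = classify(url, path, short_path, check_empty_short_path)
    if t_type == 0 or not m.group('script'):
        return 'index.php'
    external = HARDENED_EXTERNAL if hardened else LEGACY_EXTERNAL
    # The domain check only runs for type 3, which is why mis-classifying an
    # external URL as type 2 (bug 1) bypassed it entirely.
    if t_type == 3 and external.search(url):
        return 'index.php'
    out = m.group('script')
    if m.group('query'):
        out += '?' + m.group('query')
    if m.group('anchor'):
        out += '#' + m.group('anchor')
    return out


if __name__ == '__main__':
    for url, short, kw in [
        ('http://www.google.com', '/', dict(check_empty_short_path=False)),  # bug 1
        ('http://www.google.com', '/', {}),                                  # first fix
        ('http:/google.com', '/', {}),                                       # bug 2
        ('http:/google.com', '/', dict(hardened=True)),                      # second fix
        ('/mantis/view.php?id=1#c5', '/mantis', dict(hardened=True)),        # legit
    ]:
        print(f'{url!r:32} short_path={short!r:10} -> {sanitize_url(url, short, **kw)!r}')
```

Hardening the domain regex alone does not close the first hole: with the empty-short-path guard disabled, http://www.google.com is still returned unchanged even with the hardened check, because it never reaches the type-3 branch. Both fixes are needed, which is why the project shipped them as separate commits.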