View Issue Details

ID: 0017997
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-01-27 04:49
Reporter: alex91ar
Assigned To: dregad
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.18
Target Version: 1.2.19
Fixed in Version: 1.2.19
Summary: 0017997: CVE-2015-1042: URL redirection issue
Description

Hi!
I just downloaded the last version of mantis bugtracker (1.2.18) and discovered that the issue that I originally reported [EDIT dregad: in 0017811 (see 1st bullet in issue description), and follow-up in 0017648] is not completely fixed.

It seems that the regex on line 255 of file core/string_api.php does not contemplate the usage of a single slash on the parameter, which can be interpreted by certain browsers (I was able to reproduce on Firefox 34.0 and Chrome 39.0.2171.95 but not in Internet Explorer 11.0.9600.17420).

Thank you!
Best Regards
Alex.

Steps To Reproduce

On a server with http connection:
http://www.example.com/mantis-directory/login_page.php?return=https:/www.google.com

On a server with https connection:
https://www.example.com/mantis-directory/login_page.php?return=http:/www.google.com

Both will redirect to google.
For a more direct example:
https://www.mantisbt.org/bugs/login_page.php?return=http:/www.google.com

Tags: No tags attached.
Attached Files
0001-Fix-URL-redirection-issue-in-login_page.php.patch (1,144 bytes)   
From d95f070db852614fa18ccca6a4f12f4bffede1fd Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sat, 10 Jan 2015 23:25:54 +0100
Subject: [PATCH] Fix URL redirection issue in login_page.php

The fix for issue #17648 failed to correct all cases of redirection.

Alejo Popovici discovered that the regex checking for URLs pointing to
other domains considered an URL with a single '/' as local, allowing
redirection e.g. to http:/google.com on certain browsers.

Fixes #17997 (CVE-2014-6316)
---
 core/string_api.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/core/string_api.php b/core/string_api.php
index c17c613..e9f3472 100644
--- a/core/string_api.php
+++ b/core/string_api.php
@@ -252,8 +252,7 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
 
 	# Check for URL's pointing to other domains
 	if ( 0 == $t_type || empty( $t_matches['script'] ) ||
-		3 == $t_type && preg_match( '@(?:[^:]*)?://@', $t_url ) > 0 ) {
-
+		3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {
 		return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';
 	}
 
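Review bot: the replacement pattern `@(?:[^:]*)?:/*@` is broader than the commit message describes: `/*` also matches zero slashes, so the check now rejects any `$t_url` that contains a colon anywhere (for example a local page whose query string carries `a:b`), not only `scheme:/`-style URLs, and such values silently fall back to `index.php`. If that breadth is the intended safe default, a comment above the `if` saying so would save the next reader the same question; if only "scheme followed by one or more slashes" is meant, `:/+` is the narrower equivalent. The leading `(?:[^:]*)?` group matches the empty string and contributes nothing to either pattern, so it can be dropped. Separately, the commit message cites CVE-2014-6316 while the comment thread below records that CVE-2015-1042 was assigned for this follow-up; the master changeset already uses the new ID.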
-- 
2.1.0
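To make the difference between the two patterns concrete, here is an added example that is not part of the issue and not MantisBT's own code: it isolates just the `preg_match` sub-check from the attached patch (the `$t_type` and `$t_matches` conditions of `string_sanitize_url()` are not reproduced) and runs the pre-patch and post-patch patterns over a set of constructed `return=` values. The helper name `points_to_other_domain` and the sample inputs are my own.

```php
<?php
// Added example: exercises the two patterns from the attached patch against
// constructed return= values. Not MantisBT code; the helper name and the
// sample inputs are assumptions made for this illustration.

// Pattern in string_sanitize_url() before the patch (changeset d95f070d):
// only "scheme://" is treated as pointing to another domain.
const OLD_PATTERN = '@(?:[^:]*)?://@';

// Pattern after the patch: "scheme:" followed by any number of slashes,
// including a single one, so "https:/www.google.com" is now caught.
const NEW_PATTERN = '@(?:[^:]*)?:/*@';

// Mirrors the decision in the patched block: a match means the return URL
// is rejected and the caller falls back to index.php.
function points_to_other_domain(string $pattern, string $url): bool
{
    return preg_match($pattern, $url) === 1;
}

// Constructed sample values for the login_page.php?return= parameter.
$samples = [
    'view.php?id=1',           // local page: should be allowed
    'my_view_page.php',        // local page: should be allowed
    'http://www.google.com',   // external, two slashes
    'https:/www.google.com',   // external, single slash (the reported bypass)
    'http:www.google.com',     // scheme with no slash at all
    'view.php?note=a:b',       // local, but the query string contains a colon
];

printf("%-28s %-10s %-10s\n", 'return=', 'old', 'new');
foreach ($samples as $url) {
    printf(
        "%-28s %-10s %-10s\n",
        $url,
        points_to_other_domain(OLD_PATTERN, $url) ? 'rejected' : 'allowed',
        points_to_other_domain(NEW_PATTERN, $url) ? 'rejected' : 'allowed'
    );
}
```

Run with `php example.php`. The old pattern rejects only `http://www.google.com`; the new one also rejects `https:/www.google.com` and `http:www.google.com`. The last row shows the trade-off: because `/*` matches zero slashes, any colon in the value triggers rejection, so a local URL carrying `a:b` in its query string is sent to `index.php` as well. That is a safe direction to fail in for a login redirect, but it is worth knowing when testing the fix, as the reporter suggests below.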

Relationships

related to 0017648 (closed, dregad): CVE-2014-6316: URL redirection issue
has duplicate 0019275 (closed, dregad): CVE-2015-1042: URL redirection issue

Activities

dregad (developer) 2015-01-06 03:02 ~0042105

Hi Alex,

Many thanks for re-testing and letting us know about this. I'll look into it and let you know when a fix is available.

alex91ar (reporter) 2015-01-06 06:59 ~0042107

Hey, you guys got me my first two CVEs and a third shared one, it's the least I could do.
Best regards and a happy new year.
Alex.

dregad (developer) 2015-01-10 18:06 ~0042129

Please review proposed patch.

I just emailed the OSS-security list [1] to check whether a new CVE ID was required or if I should issue the patch for this under CVE-2014-6316.

[1] http://article.gmane.org/gmane.comp.security.oss.general/15384

dregad (developer) 2015-01-12 06:24 ~0042131

CVE-2015-1042 was assigned [1].

[1] http://article.gmane.org/gmane.comp.security.oss.general/15392

alex91ar (reporter) 2015-01-12 08:13 ~0042133

Hi Damien,
The regex should work. I would, though, encourage some testing just to be sure that we didn't break the functionality (no further security issues should be present), but I don't think that there will be any problems.

Thanks for the quick response!
Best regards,
Alex.

Related Changesets

MantisBT: master-1.2.x d95f070d
2015-01-10 12:25
dregad
Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection.

Alejo Popovici discovered that the regex checking for URLs pointing to
other domains considered an URL with a single '/' as local, allowing
redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2014-6316)
Affected Issues: 0017648, 0017997
mod - core/string_api.php

MantisBT: master e7e2b550
2015-01-10 12:25
dregad
Fix URL redirection issue in login_page.php

The fix for issue 0017648 failed to correct all cases of redirection.

Alejo Popovici discovered that the regex checking for URLs pointing to
other domains considered an URL with a single '/' as local, allowing
redirection e.g. to http:/google.com on certain browsers.

Fixes 0017997 (CVE-2015-1042)
Affected Issues: 0017648, 0017997, 0019275
mod - core/string_api.php