View Issue Details

ID: 0022816
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-05-20 16:10
Reporter: mahmoud.gamal
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0-beta.1
Target Version: 1.3.11
Fixed in Version: 1.3.11
Summary: 0022816: CVE-2017-7620: Open redirection vulnerability in /login_page.php
Description

Hi,
This is Mahmoud Gamal from Seekurity (https://seekurity.com). We use your bug tracker for our projects, and while testing our system we found an open redirection vulnerability at the login page.
Proof of concept: https://www.mantisbt.org/bugs/login_page.php?return=/\/evil.com
This will redirect to https://evil.com

Steps To Reproduce

While authenticated, navigate to https://www.mantisbt.org/bugs/login_page.php?return=/\/evil.com and you will be redirected to https://evil.com/

Tags: No tags attached.

Relationships

related to 0022702 (closed, dregad): CVE-2017-7620: CSRF - Arbitrary Permalink Injection
parent of 0022906 (closed, dregad): CVE-2017-7620: Open redirection vulnerability in /login_page.php
parent of 0022907 (closed, dregad): CVE-2017-7620: Open redirection vulnerability in /login_page.php

Activities

dregad (developer), 2017-04-26 03:08, note ~0056717

Thanks for the bug report, we'll look into it.

Next time you discover a vulnerability, could you please mark the bug report as private to avoid unwanted public disclosure? Thanks for your understanding.

dregad (developer), 2017-04-26 03:13, note ~0056718

I didn't check in detail, but I have a feeling this is possibly the same root cause as 0022702 (i.e. string_sanitize_url() not handling escaped /)

dregad (developer), 2017-04-26 03:18, note ~0056719

@mahmoud.gamal Did you request a CVE for this? If so, please let us know the ID; otherwise I can take care of it. Let us know how you'd like to be credited for the finding.

FYI, your website was blocked by my company's Blue Coat proxy filter due to being categorized as Malicious Sources/Malnets:
http://sitereview.bluecoat.com/sitereview.jsp#/?search=seekurity.com

mahmoud.gamal (reporter), 2017-04-26 23:58, note ~0056724
Last edited: 2017-04-27 05:09

Hi @dregad,
I forgot to set the visibility to private, my bad.

I didn't request a CVE for this.
For the credit, you can use my name, Mahmoud Gamal, with a link to seekurity.com.

Thanks for telling me about the website being marked as malicious, this is definitely a mistake, I have contacted my manager and we got this corrected: http://sitereview.bluecoat.com/sitereview.jsp#/?search=seekurity.com

Regards.

EDIT (dregad): I deleted your duplicated note.

dregad (developer), 2017-05-07 06:26, note ~0056791

Confirming that the proposed fix for 0022702 (escaping \ in string_sanitize_url()) also addresses this issue.

dregad (developer), 2017-05-07 06:36, note ~0056792

I can confirm the vulnerability, affecting 1.3.0-beta.1 and later

dregad (developer), 2017-05-07 08:45, note ~0056793

@mahmoud.gamal please review the proposed patch below and let me know if that addresses the issue.

diff --git a/core/string_api.php b/core/string_api.php
index 4e3c238..fb2e65e 100644
--- a/core/string_api.php
+++ b/core/string_api.php
@@ -275,7 +275,9 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) {
    }

    # Start extracting regex matches
-   $t_script = $t_matches['script'];
+   # Encode backslashes to prevent unwanted escaping of a leading '/' allowing
+   # redirection to external sites
+   $t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) );
    $t_script_path = $t_matches['path'];

    # Clean/encode query params
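Review bot: the comment added above the strtr() call attributes the problem to backslashes "escaping" a leading '/', but what the report shows ('/\/evil.com' landing on https://evil.com) is the browser treating '\' as '/' and so reading '//evil.com' as a protocol-relative URL; rewording the comment to say that makes clear why percent-encoding to '%5C', which the browser does not fold into '/', is the right fix. Two follow-ups on the same hunk: the encoding is applied to $t_matches['script'] only, while $t_matches['path'] on the next line is passed through untouched, so either state in the comment why a backslash in the path component cannot reintroduce the problem or encode it as well; and add the '/\/evil.com' input from this report as a regression case in tests/Mantis/StringTest.php, which the backport changesets below list as modified.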
mahmoud.gamal (reporter), 2017-05-07 11:20, note ~0056797

Hi @dregad,
I confirm that encoding backslashes addresses this issue.

dregad (developer), 2017-05-08 04:37, note ~0056803

Thanks for your confirmation.

Since the vulnerability you reported is addressed by the same patch as a similar issue in permalink_page.php (see 0022702), the same CVE ID (CVE-2017-7620) should be used for both issues, as per feedback from MITRE:

On 7 May 2017 at 17:18, <cve-request@mitre.org> wrote:

We have a confirmed, unpatched CSRF vulnerability in MantisBT
(CVE-2017-7620, reported by John Page aka hyp3rlinx / ApparitionSec
http://hyp3rlinx.altervista.org) affecting permalink_page.php, which
I'm currently working on fixing.

Another, similar vulnerability was reported which basically has the
same root cause but affects a different page (login_page.php).

Can you please let me know whether the 2nd issue should be logged
under the same CVE ID, or if I should be requesting another one?

There should be another CVE ID only if the two vulnerabilities are
independently fixable.

Related Changesets

MantisBT: master f6644090 (dregad, 2017-05-13 14:47)

Encode '\' in string_sanitize_url()

As an extra safety measure following up on the fix for CVE-2017-7620, we
encode the backslashes in the 'script' part of the URL to ensure that
the sanitized URL is treated as a path relative to MantisBT root and not
a link to an external site if the URL begins with an escaped `/`.

This reduces the risk of someone being able to use the same attack
vector in another page.

Fixes 0022702, 0022816
Affected Issues: 0022702, 0022816
mod - core/string_api.php

MantisBT: master-1.3.x c4f50e5d (dregad, 2017-05-19 07:48)

Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection (code changed from
original commit) 0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url()
7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes 0022702, 0022816
Affected Issues: 0022702, 0022816
mod - core/filter_api.php
mod - core/string_api.php
mod - permalink_page.php
mod - tests/Mantis/StringTest.php

MantisBT: master-2.3 8b6787c8 (dregad, 2017-05-19 07:48)

Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection
0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url()
7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes 0022702, 0022816
Affected Issues: 0022702, 0022816
mod - core/filter_api.php
mod - core/string_api.php
mod - permalink_page.php
mod - tests/Mantis/StringTest.php

MantisBT: master-2.4 2d2309a3 (dregad, 2017-05-19 07:48)

Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection
0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url()
7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes 0022702, 0022816
Affected Issues: 0022702, 0022816
mod - core/filter_api.php
mod - core/string_api.php
mod - permalink_page.php
mod - tests/Mantis/StringTest.php