View Issue Details
Field | Value
---|---
ID | 0022816
Project | mantisbt
Category | security
View Status | public
Date Submitted | 2017-04-26 02:53
Last Update | 2017-05-20 16:10
Reporter | mahmoud.gamal
Assigned To | dregad
Priority | normal
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 1.3.0-beta.1
Target Version | 1.3.11
Fixed in Version | 1.3.11
Summary | 0022816: CVE-2017-7620: Open redirection vulnerability in /login_page.php
Description | Hi,
Steps To Reproduce | While being authenticated, navigate to: https://www.mantisbt.org/bugs/login_page.php?return=/\/evil.com and you'll be redirected to
Tags | No tags attached.
Thanks for the bug report, we'll look into it. Next time you discover a vulnerability, could you please mark the bug report as private to avoid unwanted public disclosure? Thanks for your understanding.

I didn't check in detail, but I have a feeling this is possibly the same root cause as 0022702 (i.e. string_sanitize_url() not handling escaped

@mahmoud.gamal Did you request a CVE for this? If so, please let us know the ID, otherwise I can take care of it, let us know how you'd like to be credited for the finding. FYI your website was blocked by my company's Blue Coat proxy filter due to being categorized as Malicious Sources/Malnets

Hi @dregad, I didn't request a CVE for this. Thanks for telling me about the website being marked as malicious, this is definitely a mistake, I have contacted my manager and we got this corrected: http://sitereview.bluecoat.com/sitereview.jsp#/?search=seekurity.com Regards. EDIT (dregad): I deleted your duplicated note.

Confirming that the proposed fix for 0022702 (escaping

I can confirm the vulnerability, affecting 1.3.0-beta.1 and later

@mahmoud.gamal please review the proposed patch below and let me know if that addresses the issue.

Hi @dregad,

Thanks for your confirmation. Since the vulnerability you reported is addressed by the same patch as a similar issue in _permalinkpage.php (see 0022702), the same CVE ID (CVE-2017-7620) should be used for both issues, as per feedback from MITRE: On 7 May 2017 at 17:18, <cve-request@mitre.org> wrote:

MantisBT: master f6644090 2017-05-13 14:47

Encode '\' in string_sanitize_url()

As an extra safety measure following up on the fix for CVE-2017-7620, we encode the backslashes in the 'script' part of the URL to ensure that the sanitized URL is treated as a path relative to MantisBT root and not a link to an external site if the URL begins with an escaped `/`. This reduces the risk of someone being able to use the same attack vector in another page.

Fixes 0022702, 0022816

Affected Issues 0022702, 0022816

mod - core/string_api.php
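As an added illustration of the root cause and of the mitigation the commit above describes (this is a standalone Python model, not MantisBT's PHP code): a `return` value beginning with `/\` passes a naive root-relative check, yet the browser's URL parser treats the backslash as a slash and resolves it as a protocol-relative link to another host; percent-encoding the backslash, as the fix does, keeps it a path under the tracker's own root. The base URL, the `naive_sanitize` approximation of the pre-fix check and all function names are assumptions.

```python
# Added illustration of CVE-2017-7620; not MantisBT's string_sanitize_url().
# BASE, the pre-fix approximation and the function names are assumptions.
import re
from urllib.parse import urljoin, urlsplit

BASE = "https://tracker.example/"   # constructed MantisBT install URL


def browser_resolve(location: str, base: str = BASE) -> str:
    """Approximate how a browser resolves a relative Location header.

    The WHATWG URL parser treats a backslash like a slash for http(s) URLs
    and collapses a run of leading slashes, so "/\\/host" is read as the
    protocol-relative "//host", i.e. a link to a different origin.
    """
    normalised = re.sub(r"^/{2,}", "//", location.replace("\\", "/"))
    return urljoin(base, normalised)


def naive_sanitize(url: str, base: str = BASE) -> str:
    """Simplified pre-fix check: accept anything that looks root-relative,
    i.e. starts with one "/" but not "//". A backslash slips through."""
    if url.startswith("/") and not url.startswith("//"):
        return url
    return base


def hardened_sanitize(url: str, base: str = BASE) -> str:
    """Post-fix check modelled on the commit: percent-encode every backslash
    so it can no longer act as a separator, then require a root-relative
    value that still resolves to our own host after browser-style
    resolution. Anything else falls back to the tracker root."""
    encoded = url.replace("\\", "%5C")
    if not encoded.startswith("/") or encoded.startswith("//"):
        return base
    if urlsplit(browser_resolve(encoded, base)).netloc != urlsplit(base).netloc:
        return base
    return encoded


def redirect_target(sanitizer, return_param: str) -> str:
    """Where the user's browser actually lands for a given return= value."""
    return browser_resolve(sanitizer(return_param))


if __name__ == "__main__":
    payload = "/\\/evil.com"          # the return= value from the report
    print(redirect_target(naive_sanitize, payload))     # https://evil.com
    print(redirect_target(hardened_sanitize, payload))  # https://tracker.example/%5C/evil.com
```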
MantisBT: master-1.3.x c4f50e5d 2017-05-19 07:48

Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org reported a CSRF vulnerability in permalink_page.php, allowing an attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection (code changed from original commit) 0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url() 7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes 0022702, 0022816

Affected Issues 0022702, 0022816

mod - core/filter_api.php
mod - core/string_api.php
mod - permalink_page.php
mod - tests/Mantis/StringTest.php

MantisBT: master-2.3 8b6787c8 2017-05-19 07:48

Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org reported a CSRF vulnerability in permalink_page.php, allowing an attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection 0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url() 7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes 0022702, 0022816

Affected Issues 0022702, 0022816

mod - core/filter_api.php
mod - core/string_api.php
mod - permalink_page.php
mod - tests/Mantis/StringTest.php

MantisBT: master-2.4 2d2309a3 2017-05-19 07:48

Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org reported a CSRF vulnerability in permalink_page.php, allowing an attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection 0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url() 7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes 0022702, 0022816

Affected Issues 0022702, 0022816

mod - core/filter_api.php
mod - core/string_api.php
mod - permalink_page.php
mod - tests/Mantis/StringTest.php