Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 11 Jan 2015 12:00:55 -0500 (EST)
From: cve-assign@...re.org
To: Damien Regad <dregad@...tisbt.org>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: Re: CVE-2014-6316: URL redirection issue in
 MantisBT


> During follow-up tests he performed on the fix for CVE-2014-6316 (which was 
> released in MantisBT 1.2.18), Alejo Popovici noticed [1] that the earlier fix 
> was only partial.
>
> With certain browsers (FF 34, Chrome 39 but not IE11) it is still possible to 
> effect a cross-domain redirection using a redirect address having a single 
> slash, e.g.
>
> - http://example.com/mantis/login_page.php?return=https:/google.com or
> - https://example.com/mantis/login_page.php?return=http:/google.com
>
> This is essentially the same vulnerability that was described in 
> CVE-2014-6316, but due to a different root cause (for which a patch will be 
> issued soon).
>
> I would like to know if I should be using the same CVE ID, or if a new one 
> needs to be issued.
>
> Thanks in advance.
>
> Damien Regad
> MantisBT Developer
>
>
> [1] https://www.mantisbt.org/bugs/view.php?id=17997

CVE creates separate identifiers if two bugs do not affect the same 
versions.  This can occur with incomplete fixes.  Since bug 17997 affects 
1.2.18 but CVE-2014-6316 does not, a separate CVE ID is used.

Use CVE-2015-1042.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.