Date: Sun, 11 Jan 2015 12:00:55 -0500 (EST) From: cve-assign@...re.org To: Damien Regad <dregad@...tisbt.org> cc: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: Re: Re: CVE-2014-6316: URL redirection issue in MantisBT > During follow-up tests he performed on the fix for CVE-2014-6316 (which was > released in MantisBT 1.2.18), Alejo Popovici noticed  that the earlier fix > was only partial. > > With certain browsers (FF 34, Chrome 39 but not IE11) it is still possible to > effect a cross-domain redirection using a redirect address having a single > slash, e.g. > > - http://example.com/mantis/login_page.php?return=https:/google.com or > - https://example.com/mantis/login_page.php?return=http:/google.com > > This is essentially the same vulnerability that was described in > CVE-2014-6316, but due to a different root cause (for which a patch will be > issued soon). > > I would like to know if I should be using the same CVE ID, or if a new one > needs to be issued. > > Thanks in advance. > > Damien Regad > MantisBT Developer > > >  https://www.mantisbt.org/bugs/view.php?id=17997 CVE creates separate identifiers if two bugs do not affect the same versions. This can occur with incomplete fixes. Since bug 17997 affects 1.2.18 but CVE-2014-6316 does not, a separate CVE ID is used. Use CVE-2015-1042. --- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ