Date: Sun, 11 Jan 2015 12:00:55 -0500 (EST)
From: cve-assign@...re.org
To: Damien Regad <dregad@...tisbt.org>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: Re: CVE-2014-6316: URL redirection issue in MantisBT


> During follow-up tests he performed on the fix for CVE-2014-6316 (which was 
> released in MantisBT 1.2.18), Alejo Popovici noticed [1] that the earlier fix 
> was only partial.
>
> With certain browsers (FF 34, Chrome 39 but not IE11) it is still possible to 
> effect a cross-domain redirection using a redirect address having a single 
> slash, e.g.
>
> - http://example.com/mantis/login_page.php?return=https:/google.com or
> - https://example.com/mantis/login_page.php?return=http:/google.com
>
> This is essentially the same vulnerability that was described in 
> CVE-2014-6316, but due to a different root cause (for which a patch will be 
> issued soon).
>
> I would like to know if I should be using the same CVE ID, or if a new one 
> needs to be issued.
>
> Thanks in advance.
>
> Damien Regad
> MantisBT Developer
>
>
> [1] https://www.mantisbt.org/bugs/view.php?id=17997

CVE creates separate identifiers if two bugs do not affect the same 
versions.  This can occur with incomplete fixes.  Since bug 17997 affects 
1.2.18 but CVE-2014-6316 does not, a separate CVE ID is used.

Use CVE-2015-1042.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
