Date: Sun, 11 Jan 2015 12:00:55 -0500 (EST)
From: cve-assign@...re.org
To: Damien Regad <dregad@...tisbt.org>
cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: Re: CVE-2014-6316: URL redirection issue in MantisBT

> During follow-up tests he performed on the fix for CVE-2014-6316 (which was
> released in MantisBT 1.2.18), Alejo Popovici noticed that the earlier fix
> was only partial.
>
> With certain browsers (FF 34, Chrome 39 but not IE11) it is still possible to
> effect a cross-domain redirection using a redirect address having a single
> slash, e.g.
>
> - http://example.com/mantis/login_page.php?return=https:/google.com or
> - https://example.com/mantis/login_page.php?return=http:/google.com
>
> This is essentially the same vulnerability that was described in
> CVE-2014-6316, but due to a different root cause (for which a patch will be
> issued soon).
>
> I would like to know if I should be using the same CVE ID, or if a new one
> needs to be issued.
>
> Thanks in advance.
>
> Damien Regad
> MantisBT Developer
>
> https://www.mantisbt.org/bugs/view.php?id=17997

CVE creates separate identifiers if two bugs do not affect the same versions.
This can occur with incomplete fixes. Since bug 17997 affects 1.2.18 but
CVE-2014-6316 does not, a separate CVE ID is used.

Use CVE-2015-1042.

---
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
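
An added example (not part of the thread, and not MantisBT's code) of validating the `return` parameter by resolving it with the WHATWG URL parser, which reads a single-slash `https:/google.com` on an `http` page as `https://google.com/`, and then comparing origins. The function names, the `index.php` fallback and the sample values are assumptions made for this illustration.

```javascript
// Added example, not MantisBT code. Host names below are constructed samples.

// Resolve an untrusted `return` value against the page that received it,
// using the WHATWG URL parser that browsers apply to a Location header.
function resolveLikeBrowser(returnParam, pageUrl) {
  try {
    return new URL(returnParam, pageUrl);
  } catch {
    return null; // not parsable as a URL at all
  }
}

// Return the redirect target only if it stays on the application's origin;
// otherwise return the fallback page (hypothetical default: index.php).
function safeReturnTarget(returnParam, pageUrl, fallback = "index.php") {
  const base = new URL(pageUrl);
  const target = resolveLikeBrowser(returnParam, base);
  // Non-http(s) schemes have an opaque origin ("null") and fail this check too.
  if (target === null || target.origin !== base.origin) {
    return new URL(fallback, base).href;
  }
  return target.href; // normalised absolute URL, safe to put in Location
}

const page = "http://example.com/mantis/login_page.php";
const samples = ["https:/google.com", "http:/google.com", "//google.com",
                 "\\\\google.com", "view.php?id=17997"];
for (const value of samples) {
  const seen = resolveLikeBrowser(value, page);
  console.log(JSON.stringify(value), "->", seen ? seen.href : "(unparsable)",
              "| redirect to:", safeReturnTarget(value, page));
}
```

When the scheme in the value matches the page's scheme, the same parser treats the single-slash form as a path on the current host, which is consistent with the two URLs in the report pairing an `http` page with `https:/` and an `https` page with `http:/`.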