Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Feb 2016 19:22:53 -0500 (EST)
From: cve-assign@...re.org
To: sinkmanu@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@...ian.org
Subject: Re: CVE Request: graphite-web: open redirect

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://github.com/graphite-project/graphite-web/issues/1441
> 
> two OpenRedirects in /webapp/graphite/account/views.py
> 
> Proof of Concept:

>     http://graphiteSite/account/logout?nextPage=https://www.google.com

Is there a response from the author of the code indicating that this
is a vulnerability? Open redirects to http/https are not universally
considered vulnerabilities for all vendors and products, e.g.,

  https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect

is probably the most well-known counterargument.


>     http://graphiteSite/account/update
>         POST: nextPage=https://www.google.com

What is the threat model for this open redirect issue that requires a
POST request? Often, an attacker's ability to make a client submit a
POST request with an attacker-controlled parameter means that the
client is executing JavaScript code from an attacker-controlled site,
and in that case the JavaScript can send the browser to an arbitrary
http/https URL without any realistic ability of the client user to
predict that that might occur. Is there a way in which the existence
of http://graphiteSite/account/update helps the attacker to accomplish
the redirect?

> Also, inside the logout and update functions, the session should be checked.

What vulnerability are you reporting here? Are /account/logout and
/account/update vulnerable to CSRF?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWxQ5TAAoJEL54rhJi8gl56toP/RgPonDpkFFnaK3k2vIfRsMy
nnQzTUpalPdY3EbOv8LAhNy66ayVnUrL8ksQWtv6Y/ISU9R48ChAZGOARsbD0YTH
bN2Lnvzni5AO6NXdaNXeqyKyTKz04uB3UgTAnZRWJuLmGUXFKBD/9GZgaiykw2v3
lqPLExJdGYVncuSaKDzuh/Cqt6x6WDdL7zJK9XoqtqelrqCKCx3Evb7Zp2g6qAEd
0nnp/RyYl3X84ym2w1gxAl/O7yavHKlxT53dWB0thsy6t0DZC5STj9bYn5sgLGtj
V6c2xpVO39FpCJpjJrc41f6jr3G8cq7AY93HIpJA33E2P1B8PLiaOjgjCUAYG8Q+
fO8EEWf4hpSGcwCHvWI+/RNdMNTW/IYlnqhTwmJ8tujHfb6tqw0eKqxCZEUL5pFV
QHunbNM+UCMOZxqyGoiI/Hcvaj1iwjD1yUVHNyVkC5RjH3zvtU7lFm/ectUP5htx
cws4bX47qlHCk0S6W+B4ea/6u4Ul8mlW/F2yxa/ZP3IINjCUuyB5CbFey3MLXcoL
f5UYLEAgodYcVv4MuzYuccaEon/FVyL+i5jkZysMl/z6d7UnFAc8hdRMAdxw67wn
87naZl4uxLk74bBAkjMAiu4CT5TQ2+3d8USisYzI5c1UVLnzpTFYef7DipWQ5l1a
ZpcBByiMZgHSvw7WyKU0
=14sK
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.