Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 17 Feb 2016 19:22:53 -0500 (EST)
From: cve-assign@...re.org
To: sinkmanu@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@...ian.org
Subject: Re: CVE Request: graphite-web: open redirect

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://github.com/graphite-project/graphite-web/issues/1441
> 
> two OpenRedirects in /webapp/graphite/account/views.py
> 
> Proof of Concept:

>     http://graphiteSite/account/logout?nextPage=https://www.google.com

Is there a response from the author of the code indicating that this
is a vulnerability? Open redirects to http/https are not universally
considered vulnerabilities for all vendors and products, e.g.,

  https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect

is probably the most well-known counterargument.


>     http://graphiteSite/account/update
>         POST: nextPage=https://www.google.com

What is the threat model for this open redirect issue that requires a
POST request? Often, an attacker's ability to make a client submit a
POST request with an attacker-controlled parameter means that the
client is executing JavaScript code from an attacker-controlled site,
and in that case the JavaScript can send the browser to an arbitrary
http/https URL without any realistic ability of the client user to
predict that that might occur. Is there a way in which the existence
of http://graphiteSite/account/update helps the attacker to accomplish
the redirect?

> Also, inside the logout and update functions, the session should be checked.

What vulnerability are you reporting here? Are /account/logout and
/account/update vulnerable to CSRF?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWxQ5TAAoJEL54rhJi8gl56toP/RgPonDpkFFnaK3k2vIfRsMy
nnQzTUpalPdY3EbOv8LAhNy66ayVnUrL8ksQWtv6Y/ISU9R48ChAZGOARsbD0YTH
bN2Lnvzni5AO6NXdaNXeqyKyTKz04uB3UgTAnZRWJuLmGUXFKBD/9GZgaiykw2v3
lqPLExJdGYVncuSaKDzuh/Cqt6x6WDdL7zJK9XoqtqelrqCKCx3Evb7Zp2g6qAEd
0nnp/RyYl3X84ym2w1gxAl/O7yavHKlxT53dWB0thsy6t0DZC5STj9bYn5sgLGtj
V6c2xpVO39FpCJpjJrc41f6jr3G8cq7AY93HIpJA33E2P1B8PLiaOjgjCUAYG8Q+
fO8EEWf4hpSGcwCHvWI+/RNdMNTW/IYlnqhTwmJ8tujHfb6tqw0eKqxCZEUL5pFV
QHunbNM+UCMOZxqyGoiI/Hcvaj1iwjD1yUVHNyVkC5RjH3zvtU7lFm/ectUP5htx
cws4bX47qlHCk0S6W+B4ea/6u4Ul8mlW/F2yxa/ZP3IINjCUuyB5CbFey3MLXcoL
f5UYLEAgodYcVv4MuzYuccaEon/FVyL+i5jkZysMl/z6d7UnFAc8hdRMAdxw67wn
87naZl4uxLk74bBAkjMAiu4CT5TQ2+3d8USisYzI5c1UVLnzpTFYef7DipWQ5l1a
ZpcBByiMZgHSvw7WyKU0
=14sK
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.