request #7806 HTTP Response Splitting and uncontroled redirection in FRS module

Artifact

Infos

Artifact ID#7806

Submitted byThomas Gerbet (tgerbet)

Last Modified On2015-03-04 16:22

Submitted on2015-01-28 17:05

Rank7807

Details

Summary *

HTTP Response Splitting and uncontroled redirection in FRS module

Original Submission

The parameter filename of the page /file/confirm_download.php could be exploited to create a HTTP response splitting or to force an user to do an unwanted action.

Impact

An attacker could use this vulnerability to force a victim to execute uncontrolled code or to do unwanted action.
CVSS2 score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Exploitation

HTTP Response Splitting: <tuleap_url>/file/confirm_download.php?popup=1&group_id=XXX&file_id=X&filename=name<CRLF><Attacker HTTP Request>
Uncontroled redirection: <tuleap_url>/file/confirm_download.php?group_id=XXX&file_id=X&filename=../../../../../account/logout.php

References

https://cwe.mitre.org/data/definitions/113.html
https://www.owasp.org/index.php/HTTP_Response_Splitting

CategoryDelivery/File release system

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toEmpty

StatusClosed

Close date2015-03-02

Attachments

Connected artifacts

Artifact links

Empty

Reverse artifact links

Releases

AttachmentsEmpty

References

Cross references

Referencing request #7806

Artifact Tracker v5

Git commit

tuleap/tuleap/stable

Merge commit 'refs/changes/68/3568/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD f62b6ba3f8

Yannis ROSSETTO (rossettoy) , 2015-01-29 16:54

request #7806: Avoid HTTP Response Splitting and uncontroled redirection in FRS f8d1d4b673

Thomas Gerbet (tgerbet) , 2015-01-28 17:36

This is Tuleap 7.9.99.75 456fe93955

Yannis ROSSETTO (rossettoy) , 2015-01-29 17:08

Merge commit 'refs/changes/37/3637/1' of ssh://gerrit.tuleap.net:29418/tuleap into tuleap-stable-master 71f3668c19

Manuel Vacelet (vaceletm) , 2015-03-02 13:39

request #7806: Avoid HTTP Response Splitting and uncontroled redirection in FRS ad0338029d

Thomas Gerbet (tgerbet) , 2015-02-16 14:27

request #7806: Avoid HTTP Response Splitting and uncontroled redirection in FRS 2bc9862e87

Thomas Gerbet (tgerbet) , 2015-02-24 14:23

tuleap/u/vaceletm/tuleap/dev

This is Tuleap 7.9.99.75 456fe93955

Yannis ROSSETTO (rossettoy) , 2015-01-29 17:08

Merge commit 'refs/changes/68/3568/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD f62b6ba3f8

Yannis ROSSETTO (rossettoy) , 2015-01-29 16:54

request #7806: Avoid HTTP Response Splitting and uncontroled redirection in FRS f8d1d4b673

Thomas Gerbet (tgerbet) , 2015-01-28 17:36

Release

Show items referenced by request #7806

Referenced by request #7806

Other

Follow-ups

Manuel Vacelet (vaceletm)

2015-03-04 16:22

Disclose after Release 7.11

Sandra Echinard (sechinard)

2015-03-02 17:38

Mass Change

Manuel Vacelet (vaceletm)

2015-03-02 13:47

Merged in 7.10.99.59

Status changed from Reopen to Closed
Close date set to 2015-03-02

Manuel Vacelet (vaceletm)

2015-02-24 14:32

Merged in tuleap-7.10-x

Thomas Gerbet (tgerbet)

2015-02-16 14:38

gerrit #3568 has been merged then reverted. A new patch is under review: gerrit #3637.

Yannis ROSSETTO (rossettoy)

2015-01-29 17:14

Reverted in Tuleap 7.9.99.75

Status changed from Closed to Reopen
Close date cleared

Yannis ROSSETTO (rossettoy)

2015-01-29 16:55

Merged in Tuleap 7.9.99.74

Status changed from Under review to Closed
Close date set to 2015-01-29

Thomas Gerbet (tgerbet)

2015-01-28 17:41

A patch is under review: gerrit #3568.

Status changed from Under implementation to Under review