•  
      request #7806 HTTP Response Splitting and uncontroled redirection in FRS module
    Infos
    #7806
    Thomas Gerbet (tgerbet)
    2015-03-04 16:22
    2015-01-28 17:05
    7808
    Details
    HTTP Response Splitting and uncontroled redirection in FRS module

    The parameter filename of the page /file/confirm_download.php could be exploited to create a HTTP response splitting or to force an user to do an unwanted action.

    Impact

    An attacker could use this vulnerability to force a victim to execute uncontrolled code or to do unwanted action.
    CVSS2 score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    Exploitation

    HTTP Response Splitting: <tuleap_url>/file/confirm_download.php?popup=1&group_id=XXX&file_id=X&filename=name<CRLF><Attacker HTTP Request>
    Uncontroled redirection: <tuleap_url>/file/confirm_download.php?group_id=XXX&file_id=X&filename=../../../../../account/logout.php

    References

    https://cwe.mitre.org/data/definitions/113.html
    https://www.owasp.org/index.php/HTTP_Response_Splitting

    Delivery/File release system
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2015-03-02
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Merged in Tuleap 7.9.99.74

    • Status changed from Under review to Closed
    • Close date set to 2015-01-29