XSS and open redirect on login form, CVE-2018-1000671 #268
Comments
|
Hi @hmpf, It is a feature. But I agree it may be used to confuse users. I think this feature woould be better to be removed in the future. |
|
This is an open redirect vulnerability. You can also use data URI payloads here for a more traditional reflected XSS. |
|
I submitted this to the DWF for CVE assignment since the issue is publicly visible. |
|
This issue was assigned CVE-2018-1000671 |
|
Hi @lightsey, Could you please forward assignment information (JSON data) to <sympa-security@listes.renater.fr>? Information have never been publicly disclosed and security team might want to investigate it. |
|
Here is the corresponding Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908165 |
|
Hi all, Here is minimal fix (hopefully): c6ce32a Please check it.
|
|
CVE-2018-1000671 says "sympa version 6.2.16 and later" affect. However, looking archived branches, "referer" parameter has not been sanitized from the beginning. The statement should be corrected to be "all versions of Sympa". |
|
I'm not sure why NVD is showing "6.2.16 and later". The data I submitted and the DWF approved was "4.0a5 and later" which looked to me like the first version tag that contained the open redirect. I'll email Kurt and ask if he can get it corrected in the main CVE list. |
|
With PR above, If this may solve the problem described in the CVE, I'll merge it. |
ikedas
changed the title
Issue #268: XSS and open redirect on WWSympa
|
Merged. Thanks for reporting & suggesting. |
The following link redirects to bing:
https://listes.renater.fr/sympa?referer=https://www.bing.com&passwd=&previous_action=&action=login&action_login=&previous_list=&list=&email=
It also works in 6.2.16. We have no newer sympa to test with.
It seems to me maybe this is a bug in a perl dependency? I couldn't find "referer" directly in sympa's source code during a (very) cursory grep.
The text was updated successfully, but these errors were encountered: