Tuleap Open Redirect
Posted Mar 8, 2018
Site redteam-pentesting.de

RedTeam Pentesting discovered an arbitrary redirect vulnerability in the redirect mechanism of the application lifecycle management platform Tuleap. Versions prior to 9.17.99.93 are affected.

tags | exploit, arbitrary
MD5 | 7ceb581f437f6e24c278ff1245616659

Advisory: Arbitrary Redirect in Tuleap

RedTeam Pentesting discovered an arbitrary redirect vulnerability in the
redirect mechanism of the application lifecycle management platform
Tuleap.


Details
=======

Product: Tuleap
Affected Versions: < 9.17.99.93
Fixed Versions: >= 9.17.99.93
Vulnerability Type: Arbitrary Redirect
Security Risk: low
Vendor URL: https://www.tuleap.org/
Vendor Status: fixed version released
Vendor Issue URL: https://tuleap.net/plugins/tracker/?aid=11136
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-001
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"Tuleap is an open source tool for Scrum, Kanban, waterfall,
requirement management. Plan, track, code and collaborate on software
projects, you get everything at hand."
(from the Tuleap website [1])


More Details
============

RedTeam Pentesting discovered an arbitrary redirect vulnerability in the
way Tuleap handles redirects. Usually this function is only used in
Tuleap after a successful login to assigned trackers; however, the
redirect can be used independently of whether a user is authenticated to
the application. While the application employs a URL filter to prevent
arbitrary redirects, the URL filter can be bypassed. This allows
attackers to redirect users to a different website if a user opens an
attacker-prepared URL.

The filter can be bypassed by using protocol relative URLs, which omit
the leading protocol identifier. These arbitrary URLs are prefixed with
two slashes, which instructs the browser to use the same protocol as the
current page. This behaviour is specified in RFC 3986 [2] in section
5.4.


Proof of Concept
================

The following URL to an example installation of Tuleap will redirect
users to an attacker controlled website:

https://example.net/my/redirect.php?return_to=//attacker.com
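The filter bypass described above and the proof-of-concept URL, shown with an added example that is not part of this advisory or of Tuleap's code: a scheme-only filter of the kind the advisory describes accepts the protocol-relative `//attacker.com`, RFC 3986 reference resolution then turns it into `https://attacker.com`, and a stricter same-origin path check rejects it. The function names and the `TULEAP_ORIGIN` constant are hypothetical.

```python
"""Added example (not from the advisory or from Tuleap): protocol-relative
URLs against a scheme-only redirect filter, and a stricter replacement."""
from urllib.parse import urljoin, urlsplit

# Constructed origin, taken from the example installation in the advisory.
TULEAP_ORIGIN = "https://example.net"


def scheme_only_filter(return_to: str) -> bool:
    """Weak filter modelled on the behaviour the advisory describes: it only
    rejects targets that spell out a scheme (http://, https://, ...).
    A protocol-relative '//host' carries no scheme and is therefore accepted."""
    return "://" not in return_to.lower()


def strict_local_path_filter(return_to: str) -> bool:
    """Hardened check: admit only absolute paths that stay on this origin.
    urlsplit() treats a leading '//' as an authority, so '//attacker.com'
    shows up as netloc and is rejected. Backslashes are refused because some
    browsers normalise '\\' to '/', which would re-create a network-path
    reference."""
    if (not return_to.startswith("/")
            or return_to.startswith("//")
            or "\\" in return_to):
        return False
    parts = urlsplit(return_to)
    if parts.scheme or parts.netloc:
        return False
    # Final check: resolving against our origin must not change the host.
    resolved = urlsplit(urljoin(TULEAP_ORIGIN + "/", return_to))
    return resolved.netloc == urlsplit(TULEAP_ORIGIN).netloc


def resolve_redirect(page_url: str, return_to: str) -> str:
    """Where the browser ends up after the Location header, following the
    reference-resolution rules of RFC 3986 section 5.4: a '//host' reference
    inherits the scheme of the page that issued the redirect."""
    return urljoin(page_url, return_to)


if __name__ == "__main__":
    page = TULEAP_ORIGIN + "/my/redirect.php"
    for target in ("/my/", "//attacker.com", "https://attacker.com"):
        print(f"{target!r:28} scheme_only={scheme_only_filter(target)!s:5} "
              f"strict={strict_local_path_filter(target)!s:5} "
              f"browser_goes_to={resolve_redirect(page, target)}")
```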


Workaround
==========

Currently no workaround is known.


Fix
===

Upgrade to at least Tuleap version 9.17.99.93.


Security Risk
=============

Attackers may convince users to use a prepared link to access a valid
Tuleap instance, which then redirects users to a fake login page. This
can greatly increase the effectiveness of phishing attacks and may allow
attackers to steal user credentials more effectively. However, no
credentials or sensitive information can be extracted directly.
Furthermore, the website to which users are going to be redirected will
be displayed in the browser location bar so that users may identify the
attack. Therefore, we rate this vulnerability with a low risk.

Nevertheless, it is very easy for attackers to identify this
vulnerability and create malicious URLs, which makes it very likely that
attackers might abuse this.


Timeline
========

2018-01-02 Vulnerability identified
2018-01-11 Customer approved disclosure to vendor
2018-02-13 Vendor notified
2018-02-14 Vendor released fixed version
2018-03-05 Vendor made issue public
2018-03-08 Advisory released


References
==========

[1] https://www.tuleap.org/what-is-tuleap
[2] https://tools.ietf.org/html/rfc3986


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

--
RedTeam Pentesting GmbH
Dennewartstr. 25-27
52068 Aachen
Germany
Tel.: +49 241 510081-0
Fax : +49 241 510081-99
https://www.redteam-pentesting.de
Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
