Tuleap Open Redirect

2018-03-08T00:00:00
ID PACKETSTORM:146702
Type packetstorm
Reporter redteam-pentesting.de
Modified 2018-03-08T00:00:00

Description

                                        
                                            `Advisory: Arbitrary Redirect in Tuleap  
  
RedTeam Pentesting discovered an arbitrary redirect vulnerability in the  
redirect mechanism of the application lifecycle management platform  
Tuleap.  
  
  
Details  
=======  
  
Product: Tuleap  
Affected Versions: > 9.17.99.93  
Fixed Versions: >= 9.17.99.93  
Vulnerability Type: Arbitrary Redirect  
Security Risk: low  
Vendor URL: https://www.tuleap.org/  
Vendor Status: fixed version released  
Vendor Issue URL: https://tuleap.net/plugins/tracker/?aid=11136  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-001  
Advisory Status: published  
CVE: GENERIC-MAP-NOMATCH  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH  
  
  
Introduction  
============  
  
"Tuleap is an open source tool for Scrum, Kanban, waterfall,  
requirement management. Plan, track, code and collaborate on software  
projects, you get everything at hand."  
(from the Tuleap website [1])  
  
  
More Details  
============  
  
RedTeam Pentesting discovered an arbitrary redirect vulnerability in the  
way Tuleap handles redirects. Usually this function is only used in  
Tuleap after an successful login to assigned trackers, however the  
redirect can be used indepented of whether a user is authenticated to  
the application. While the application employs a URL filter to prevent  
arbitrary redirects, the URL filter can be bypassed. This allows  
attackers to redirect users to a different website, if a user opens an  
attacker prepared URL.   
  
The filter can be bypassed by using protocol relative URLs, which omit  
the leading protocol identifier. These arbitrary URLs are prefixed with  
two slashes, which instructs the browser to use the same protocol as the  
current page. This behaviour is specified in RFC 3986 [2] in section  
5.4.  
  
  
Proof of Concept  
================  
  
The following URL to an example installation of Tuleap will redirect  
users to an attacker controlled website:  
  
https://example.net/my/redirect.php?return_to=//attacker.com  
  
  
Workaround  
==========  
  
Currently no workaround is known.  
  
  
Fix  
===  
  
Upgrade to at least tuleap version 9.17.99.93.   
  
  
Security Risk  
=============  
  
Attackers may convice users to use a prepared link to access a valid  
Tuleap instance, which then redirects users to a fake login page. This  
can greatly increase the effectiveness of phishing attacks and may allow  
attackers to steal user credentials more effectively. However, no  
credentials or sensitive information can be extracted directly.  
Furthermore, the website to which users are going to be redirected will  
be displayed in the browser location bar so that users may identify the  
attack. Therefore, we rate this vulnerability with a low risk.  
  
Nevertheless, it is very easy for attackers to identify this  
vulnerability and create malicious URLs, which makes it very likely that  
attackers might abuse this.   
  
  
Timeline  
========  
  
2018-01-02 Vulnerability identified  
2018-01-11 Customer approved disclosure to vendor  
2018-02-13 Vendor notified  
2018-02-14 Vendor released fixed version  
2018-03-05 Vendor made issue public   
2018-03-08 Advisory released   
  
  
References  
==========  
  
[1] https://www.tuleap.org/what-is-tuleap  
[2] https://tools.ietf.org/html/rfc3986  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
  
Working at RedTeam Pentesting  
=============================  
  
RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://www.redteam-pentesting.de/jobs/  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschaftsfuhrer: Patrick Hof, Jens Liebchen  
`