Contact

Contact us

+49 241 510081-0
kontakt@redteam-pentesting.de
Contact form
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

Arbitrary Redirect in Tuleap

RedTeam Pentesting discovered an arbitrary redirect vulnerability in the redirect mechanism of the application lifecycle management platform Tuleap.

Details

  • Product: Tuleap
  • Affected Versions: > 9.17.99.93
  • Fixed Versions: >= 9.17.99.93
  • Vulnerability Type: Arbitrary Redirect
  • Security Risk: low
  • Vendor URL: https://www.tuleap.org/
  • Vendor Status: fixed version released
  • Vendor Issue URL: https://tuleap.net/plugins/tracker/?aid=11136
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-001
  • Advisory Status: published
  • CVE: GENERIC-MAP-NOMATCH
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction

“Tuleap is an open source tool for Scrum, Kanban, waterfall, requirement management. Plan, track, code and collaborate on software projects, you get everything at hand.” (from the Tuleap website (https://www.tuleap.org/what-is-tuleap))

More Details

RedTeam Pentesting discovered an arbitrary redirect vulnerability in the way Tuleap handles redirects. Usually this function is only used in Tuleap after an successful login to assigned trackers, however the redirect can be used indepented of whether a user is authenticated to the application. While the application employs a URL filter to prevent arbitrary redirects, the URL filter can be bypassed. This allows attackers to redirect users to a different website, if a user opens an attacker prepared URL.

The filter can be bypassed by using protocol relative URLs, which omit the leading protocol identifier. These arbitrary URLs are prefixed with two slashes, which instructs the browser to use the same protocol as the current page. This behaviour is specified in RFC 3986 (https://tools.ietf.org/html/rfc3986) in section 5.4.

Proof of Concept

The following URL to an example installation of Tuleap will redirect users to an attacker controlled website:

https://example.net/my/redirect.php?return_to=//attacker.com

Workaround

Currently no workaround is known.

Fix

Upgrade to at least tuleap version 9.17.99.93.

Security Risk

Attackers may convice users to use a prepared link to access a valid Tuleap instance, which then redirects users to a fake login page. This can greatly increase the effectiveness of phishing attacks and may allow attackers to steal user credentials more effectively. However, no credentials or sensitive information can be extracted directly. Furthermore, the website to which users are going to be redirected will be displayed in the browser location bar so that users may identify the attack. Therefore, we rate this vulnerability with a low risk.

Nevertheless, it is very easy for attackers to identify this vulnerability and create malicious URLs, which makes it very likely that attackers might abuse this.

Timeline

  • 2018-01-02 Vulnerability identified
  • 2018-01-11 Customer approved disclosure to vendor
  • 2018-02-13 Vendor notified
  • 2018-02-14 Vendor released fixed version
  • 2018-03-05 Vendor made issue public
  • 2018-03-08 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/