Advisory: Unfuddle.com - Open Redirection Author: Liad Mizrachi Vendor URL: http://unfuddle.com Status: Fixed
========================== Vulnerability Description ========================== Unfuddle offers secure, hosted software project management environment. When unauthenticated user tries to access a resource on he’s site directly, he will be redirected to a login page with the reference parameter set to the resource location. For Example: Accessing: https://userSub.unfuddle.com/a%23/projects/1/<https://usersub.unfuddle.com/a%23/projects/1/> Will redirects to user to: https://userSub.unfuddle.com/a#/session/new?reference=https%3A//mom3nt0.unfuddle.com/a%23/projects/1/<https://usersub.unfuddle.com/a#/session/new?reference=https%3A//mom3nt0.unfuddle.com/a%23/projects/1/> The redirection is not strictly to internal resources, but can also be used to redirect users to external site https://userSub.unfuddle.com/a#/session/new?reference=http://evil.com/<https://usersub.unfuddle.com/a#/session/new?reference=http://evil.com/> will redirect the user to http://evil.com after entering the correct credentials in the login page. ========================== Solution ========================== Fixed by vendor ========================== Disclosure Timeline ========================== 14-July-2013 - vendor informed 16-June-2013 - fixed ========================== References ========================== http://unfuddle.com https://vimeo.com/72202542
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/