
CVSS 6.1 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
LOW
Availability impact
NONE
edgewall
fedoraproject
CWE-601
nessus

Summary

Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter, possibly related to the quickjump function.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Fake the Source of Data
    An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-6830.NASL
    descriptionUpdate to 0.10.5 to fix two non-critical security issues: CVE-2008-2951: Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL in the q parameter. CVE-2008-3328: Cross-site scripting (XSS) vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33766
    published2008-07-31
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33766
    titleFedora 8 : trac-0.10.5-1.fc8 (2008-6830)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-6830.
    #
    
    include("compat.inc");
    
    # Registration branch: with `description` set the engine runs only this
    # block, which records the plugin's metadata and exits before the
    # package check further down is reached.
    if (description)
    {
      script_id(33766);
      script_version ("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:28");

      # Both issues fixed by trac-0.10.5 (the search-script open redirect and
      # the wiki XSS) are covered by this single advisory-based plugin.
      script_cve_id("CVE-2008-2951", "CVE-2008-3328");
      script_bugtraq_id(30400, 30402);
      script_xref(name:"FEDORA", value:"2008-6830");

      script_name(english:"Fedora 8 : trac-0.10.5-1.fc8 (2008-6830)");
      script_summary(english:"Checks rpm output for the updated package.");

      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      # The advisory text is reproduced verbatim; the plugin does not
      # paraphrase it (see the trailing note inside the string).
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to 0.10.5 to fix two non-critical security issues:
    CVE-2008-2951: Open redirect vulnerability in the search script in
    Trac before 0.10.5 allows remote attackers to redirect users to
    arbitrary websites and conduct phishing attacks via a URL in the q
    parameter. CVE-2008-3328: Cross-site scripting (XSS) vulnerability in
    the wiki engine in Trac before 0.10.5 allows remote attackers to
    inject arbitrary web script or HTML via unknown vectors.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=456874"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-July/013141.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9668d3a5"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected trac package.");
      # Severity is scored for the advisory as a whole; only CVSS2 vectors are
      # registered by this plugin, no CVSS3 vector.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # NOTE(review): CVE-2008-2951 is tagged CWE-601 (open redirect) elsewhere
      # on this page; only CWE-20 and CWE-79 are registered here -- confirm
      # against current plugin metadata before relying on this CWE list.
      script_cwe_id(20, 79);

      # Local check, keyed on the Fedora 8 trac package CPE.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:trac");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:8");

      script_set_attribute(attribute:"patch_publication_date", value:"2008/07/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/07/31");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");

      # The check below reads the release string and rpm inventory that
      # ssh_get_info.nasl stores in the KB; without them it cannot run.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions for a local rpm check: local checks must be enabled and the
    # host must identify itself as Fedora 8 on an architecture we can assess.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }

    rel_str = get_kb_item("Host/RedHat/release");
    if (isnull(rel_str) || "Fedora" >!< rel_str)
    {
      audit(AUDIT_OS_NOT, "Fedora");
    }

    ver_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:rel_str);
    if (isnull(ver_match))
    {
      audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    }
    fedora_ver = ver_match[1];

    # Only the major release number is compared; anything other than "8" is
    # reported as a different Fedora release.
    if (!ereg(pattern:"^8([^0-9]|$)", string:fedora_ver))
    {
      audit(AUDIT_OS_NOT, "Fedora 8.x", "Fedora " + fedora_ver);
    }

    if (!get_kb_item("Host/RedHat/rpm-list"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }

    arch = get_kb_item("Host/cpu");
    if (isnull(arch))
    {
      audit(AUDIT_UNKNOWN_ARCH);
    }
    # Only x86_64 and i386-i686 are handled by this check.
    if (!("x86_64" >< arch || arch =~ "^i[3-6]86$"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", arch);
    }

    # Compare the installed trac package against the fixed build named in
    # the advisory.
    affected = 0;
    if (rpm_check(release:"FC8", reference:"trac-0.10.5-1.fc8"))
    {
      affected++;
    }

    if (!affected)
    {
      # Distinguish "package checked and already fixed" from "not installed".
      tested = pkg_tests_get();
      if (tested)
      {
        audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      }
      else
      {
        audit(AUDIT_PACKAGE_NOT_INSTALLED, "trac");
      }
    }
    else
    {
      # Attach the rpm comparison to the finding only when verbose output
      # is requested.
      if (report_verbosity > 0)
      {
        security_warning(port:0, extra:rpm_report_get());
      }
      else
      {
        security_warning(0);
      }
      exit(0);
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-6833.NASL
    descriptionUpdate to 0.10.5 to fix two non-critical security issues: CVE-2008-2951: Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL in the q parameter. CVE-2008-3328: Cross-site scripting (XSS) vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id33767
    published2008-07-31
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33767
    titleFedora 9 : trac-0.10.5-1.fc9 (2008-6833)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-6833.
    #
    
    include("compat.inc");
    
    # Registration branch: with `description` set the engine runs only this
    # block, which records the plugin's metadata and exits before the
    # package check further down is reached.
    if (description)
    {
      script_id(33767);
      script_version ("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:28");

      # Both issues fixed by trac-0.10.5 (the search-script open redirect and
      # the wiki XSS) are covered by this single advisory-based plugin.
      script_cve_id("CVE-2008-2951", "CVE-2008-3328");
      script_bugtraq_id(30400, 30402);
      script_xref(name:"FEDORA", value:"2008-6833");

      script_name(english:"Fedora 9 : trac-0.10.5-1.fc9 (2008-6833)");
      script_summary(english:"Checks rpm output for the updated package.");

      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      # The advisory text is reproduced verbatim; the plugin does not
      # paraphrase it (see the trailing note inside the string).
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to 0.10.5 to fix two non-critical security issues:
    CVE-2008-2951: Open redirect vulnerability in the search script in
    Trac before 0.10.5 allows remote attackers to redirect users to
    arbitrary websites and conduct phishing attacks via a URL in the q
    parameter. CVE-2008-3328: Cross-site scripting (XSS) vulnerability in
    the wiki engine in Trac before 0.10.5 allows remote attackers to
    inject arbitrary web script or HTML via unknown vectors.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=456874"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-July/013150.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?415e70af"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected trac package.");
      # Severity is scored for the advisory as a whole; only CVSS2 vectors are
      # registered by this plugin, no CVSS3 vector.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # NOTE(review): CVE-2008-2951 is tagged CWE-601 (open redirect) elsewhere
      # on this page; only CWE-20 and CWE-79 are registered here -- confirm
      # against current plugin metadata before relying on this CWE list.
      script_cwe_id(20, 79);

      # Local check, keyed on the Fedora 9 trac package CPE.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:trac");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9");

      script_set_attribute(attribute:"patch_publication_date", value:"2008/07/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/07/31");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");

      # The check below reads the release string and rpm inventory that
      # ssh_get_info.nasl stores in the KB; without them it cannot run.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions for a local rpm check: local checks must be enabled and the
    # host must identify itself as Fedora 9 on an architecture we can assess.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }

    rel_str = get_kb_item("Host/RedHat/release");
    if (isnull(rel_str) || "Fedora" >!< rel_str)
    {
      audit(AUDIT_OS_NOT, "Fedora");
    }

    ver_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:rel_str);
    if (isnull(ver_match))
    {
      audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    }
    fedora_ver = ver_match[1];

    # Only the major release number is compared; anything other than "9" is
    # reported as a different Fedora release.
    if (!ereg(pattern:"^9([^0-9]|$)", string:fedora_ver))
    {
      audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + fedora_ver);
    }

    if (!get_kb_item("Host/RedHat/rpm-list"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }

    arch = get_kb_item("Host/cpu");
    if (isnull(arch))
    {
      audit(AUDIT_UNKNOWN_ARCH);
    }
    # Only x86_64 and i386-i686 are handled by this check.
    if (!("x86_64" >< arch || arch =~ "^i[3-6]86$"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", arch);
    }

    # Compare the installed trac package against the fixed build named in
    # the advisory.
    affected = 0;
    if (rpm_check(release:"FC9", reference:"trac-0.10.5-1.fc9"))
    {
      affected++;
    }

    if (!affected)
    {
      # Distinguish "package checked and already fixed" from "not installed".
      tested = pkg_tests_get();
      if (tested)
      {
        audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      }
      else
      {
        audit(AUDIT_PACKAGE_NOT_INSTALLED, "trac");
      }
    }
    else
    {
      # Attach the rpm comparison to the finding only when verbose output
      # is requested.
      if (report_verbosity > 0)
      {
        security_warning(port:0, extra:rpm_report_get());
      }
      else
      {
        security_warning(0);
      }
      exit(0);
    }
    
  • NASL familyCGI abuses
    NASL idTRAC_QUICKJUMP_XSR.NASL
    descriptionThe remote host is running Trac, an enhanced wiki and issue tracking system for software development projects. The version of Trac installed on the remote host fails to sanitize user input to the 'q' parameter of the 'search' script before using it in an unfiltered and unmanaged fashion in a redirect.
    last seen2020-06-01
    modified2020-06-02
    plugin id33271
    published2008-06-30
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33271
    titleTrac quickjump Search Script q Parameter Arbitrary Site Redirect
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Registration branch: with `description` set the engine runs only this
    # block, which records the plugin's metadata and exits before the
    # remote probe further down is reached.
    if (description)
    {
      script_id(33271);
      script_version("1.17");

      # This plugin tests only the open redirect (CVE-2008-2951), not the
      # wiki XSS fixed in the same Trac release.
      script_cve_id("CVE-2008-2951");
      script_bugtraq_id(30402);

      script_name(english:"Trac quickjump Search Script q Parameter Arbitrary Site Redirect");
      script_summary(english:"Tries to redirect to a third-party site");

      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a Python script that is affected by a
    cross-site redirection vulnerability." );
      script_set_attribute(attribute:"description", value:
    "The remote host is running Trac, an enhanced wiki and issue tracking
    system for software development projects. 
    
    The version of Trac installed on the remote host fails to sanitize
    user input to the 'q' parameter of the 'search' script before using it
    in an unfiltered and unmanaged fashion in a redirect.  An attacker may
    be able to use an open redirect such as this to trick people into
    visiting malicious sites, which could lead to phising attacks, browser
    exploits, or drive-by malware downloads." );
      # https://holisticinfosec.blogspot.com/2008/06/open-redirect-vulnerabilities-article.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a7d63198");
      # https://trac.edgewall.org/wiki/ChangeLog#a0.10.5
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b3acece6");
      # https://groups.google.com/forum/#!topic/trac-announce/Im1VQ5MzpVo
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eefccce4");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Trac version 0.11.0 / 0.10.5 or later." );
      # Both CVSS2 and CVSS3 vectors are registered; cvss_score_source records
      # that they are taken from the CVE rather than scored per plugin.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2008-2951");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # NOTE(review): this page tags the CVE as CWE-601 (open redirect); only
      # CWE-20 is registered here -- confirm against current plugin metadata.
      script_cwe_id(20);
      script_set_attribute(attribute:"plugin_publication_date", value: "2008/06/30");
      script_cvs_date("Date: 2019/05/29 10:47:07");

      # Remote check: the probe below sends a request to the target, so the
      # plugin is flagged as actively exploiting the issue.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_end_attributes();

      # ACT_ATTACK (not ACT_GATHER_INFO): this plugin is scheduled with the
      # active checks and is subject to the policy's CGI-scanning switch.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");

      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("http_version.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);

      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    port = get_http_port(default:80);

    # Candidate base directories: the well-known /trac path is only added in
    # thorough mode, otherwise just the CGI directories discovered so far.
    if (thorough_tests)
    {
      candidate_dirs = list_uniq("/trac", cgi_dirs());
    }
    else
    {
      candidate_dirs = make_list(cgi_dirs());
    }

    # The redirect target is a neutral, reserved host name. It is never
    # contacted by this plugin; it only needs to come back in a Location
    # header to demonstrate that q is reflected into the redirect.
    redirect_target = "http://www.example.com/";

    foreach base (candidate_dirs)
    {
      probe = string(base, "/search?q=", redirect_target);

      res = http_send_recv3(method: "GET", item:probe, port:port);
      # A non-responding server ends the plugin here without an audit message.
      if (isnull(res)) exit(0);

      # Only responses that set a Trac session cookie are considered, so an
      # unrelated application answering at this path is not flagged.
      if (!egrep(pattern:"^Set-Cookie: +trac_", string: res[1])) continue;

      # Vulnerable when the response redirects to the value supplied in q.
      loc_hdr = egrep(pattern:"^Location:", string:res[1], icase:TRUE);
      if (!loc_hdr || redirect_target >!< loc_hdr) continue;

      if (report_verbosity)
      {
        # string() is kept so the "\n" escapes are expanded as in the original.
        msg = string(
          "\n",
          "Nessus was able to exploit the issue using the following URL :\n",
          "\n",
          "  ", build_url(port:port, qs:probe), "\n"
        );
        security_warning(port:port, extra:msg);
      }
      else
      {
        security_warning(port);
      }
      # NOTE(review): the KB key says XSS although this finding is an open
      # redirect; other plugins may key on it, so confirm before renaming.
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      exit(0);
    }