Vulnerabilities > CVE-2008-2951 - Open Redirect vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: LOW
Integrity impact: LOW
Availability impact: NONE
Summary
Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter, possibly related to the quickjump function.
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 13
OS | | 2
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Fake the Source of Data: An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data, or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field so that the message appears to have been sent by someone other than the actual sender. Results of the attack vary depending on its details, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2008-6830.NASL description Update to 0.10.5 to fix two non-critical security issues: CVE-2008-2951: Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL in the q parameter. CVE-2008-3328: Cross-site scripting (XSS) vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 33766 published 2008-07-31 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33766 title Fedora 8 : trac-0.10.5-1.fc8 (2008-6830) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2008-6830.
#
# Local (credentialed) check: confirms the host is Fedora 8 on a supported
# architecture, then compares the installed trac RPM against the fixed
# reference build trac-0.10.5-1.fc8 (CVE-2008-2951, CVE-2008-3328).

include("compat.inc");

# Registration block: declares plugin metadata only and exits before any
# host data is read.
if (description)
{
  script_id(33766);
  script_version ("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:28");

  script_cve_id("CVE-2008-2951", "CVE-2008-3328");
  script_bugtraq_id(30400, 30402);
  script_xref(name:"FEDORA", value:"2008-6830");

  script_name(english:"Fedora 8 : trac-0.10.5-1.fc8 (2008-6830)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Update to 0.10.5 to fix two non-critical security issues: CVE-2008-2951: Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL in the q parameter. CVE-2008-3328: Cross-site scripting (XSS) vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=456874"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2008-July/013141.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?9668d3a5"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected trac package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 79);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:trac");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:8");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/07/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  # The KB keys required here are presumably populated by the
  # ssh_get_info.nasl dependency (not shown in this file).
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Each audit() call below is expected (audit.inc, not shown) to end the
# plugin with the given reason, so the checks are strictly ordered.

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
# ">!<" is NASL's "does not contain" operator.
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

# Pull the major release number out of the release string; os_ver[1] is the
# first capture group.
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
# The reference package below is an FC8 build, so any other release is out
# of scope for this plugin.
if (! ereg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 8.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86_64 and i386..i686 hosts are checked; other architectures are
# reported as "not implemented" rather than as not affected.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# rpm_check() comes from rpm.inc (not shown); presumably true when the
# installed trac is older than the reference build. flag counts matches.
flag = 0;
if (rpm_check(release:"FC8", reference:"trac-0.10.5-1.fc8")) flag++;

if (flag)
{
  # Vulnerable: report, attaching the rpm comparison when verbosity allows.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Not vulnerable: distinguish "installed and patched" from "not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "trac");
}
NASL family Fedora Local Security Checks NASL id FEDORA_2008-6833.NASL description Update to 0.10.5 to fix two non-critical security issues: CVE-2008-2951: Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL in the q parameter. CVE-2008-3328: Cross-site scripting (XSS) vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 33767 published 2008-07-31 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33767 title Fedora 9 : trac-0.10.5-1.fc9 (2008-6833) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2008-6833.
#
# Local (credentialed) check: confirms the host is Fedora 9 on a supported
# architecture, then compares the installed trac RPM against the fixed
# reference build trac-0.10.5-1.fc9 (CVE-2008-2951, CVE-2008-3328).

include("compat.inc");

# Registration block: declares plugin metadata only and exits before any
# host data is read.
if (description)
{
  script_id(33767);
  script_version ("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:28");

  script_cve_id("CVE-2008-2951", "CVE-2008-3328");
  script_bugtraq_id(30400, 30402);
  script_xref(name:"FEDORA", value:"2008-6833");

  script_name(english:"Fedora 9 : trac-0.10.5-1.fc9 (2008-6833)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Update to 0.10.5 to fix two non-critical security issues: CVE-2008-2951: Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL in the q parameter. CVE-2008-3328: Cross-site scripting (XSS) vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=456874"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2008-July/013150.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?415e70af"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected trac package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 79);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:trac");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/07/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  # The KB keys required here are presumably populated by the
  # ssh_get_info.nasl dependency (not shown in this file).
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Each audit() call below is expected (audit.inc, not shown) to end the
# plugin with the given reason, so the checks are strictly ordered.

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
# ">!<" is NASL's "does not contain" operator.
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

# Pull the major release number out of the release string; os_ver[1] is the
# first capture group.
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
# The reference package below is an FC9 build, so any other release is out
# of scope for this plugin.
if (! ereg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86_64 and i386..i686 hosts are checked; other architectures are
# reported as "not implemented" rather than as not affected.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# rpm_check() comes from rpm.inc (not shown); presumably true when the
# installed trac is older than the reference build. flag counts matches.
flag = 0;
if (rpm_check(release:"FC9", reference:"trac-0.10.5-1.fc9")) flag++;

if (flag)
{
  # Vulnerable: report, attaching the rpm comparison when verbosity allows.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Not vulnerable: distinguish "installed and patched" from "not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "trac");
}
NASL family CGI abuses NASL id TRAC_QUICKJUMP_XSR.NASL description The remote host is running Trac, an enhanced wiki and issue tracking system for software development projects. The version of Trac installed on the remote host fails to sanitize user input to the last seen 2020-06-01 modified 2020-06-02 plugin id 33271 published 2008-06-30 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33271 title Trac quickjump Search Script q Parameter Arbitrary Site Redirect code
#
# (C) Tenable Network Security, Inc.
#
# Remote check for CVE-2008-2951: requests <dir>/search?q=<absolute URL> on
# each candidate Trac directory and reports when a response that carries a
# trac_ cookie redirects to that URL.

include("compat.inc");

# Registration block: declares plugin metadata only and exits before any
# request is sent.
if (description)
{
  script_id(33271);
  script_version("1.17");

  script_cve_id("CVE-2008-2951");
  script_bugtraq_id(30402);

  script_name(english:"Trac quickjump Search Script q Parameter Arbitrary Site Redirect");
  script_summary(english:"Tries to redirect to a third-party site");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a Python script that is affected by a cross-site redirection vulnerability." );
  script_set_attribute(attribute:"description", value:
"The remote host is running Trac, an enhanced wiki and issue tracking system for software development projects. The version of Trac installed on the remote host fails to sanitize user input to the 'q' parameter of the 'search' script before using it in an unfiltered and unmanaged fashion in a redirect. An attacker may be able to use an open redirect such as this to trick people into visiting malicious sites, which could lead to phising attacks, browser exploits, or drive-by malware downloads." );
  # https://holisticinfosec.blogspot.com/2008/06/open-redirect-vulnerabilities-article.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a7d63198");
  # https://trac.edgewall.org/wiki/ChangeLog#a0.10.5
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b3acece6");
  # https://groups.google.com/forum/#!topic/trac-announce/Im1VQ5MzpVo
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eefccce4");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Trac version 0.11.0 / 0.10.5 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2008-2951");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20);

  script_set_attribute(attribute:"plugin_publication_date", value: "2008/06/30");
  script_cvs_date("Date: 2019/05/29 10:47:07");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # ACT_ATTACK: this plugin sends a probe request rather than only reading
  # banners, and honours the CGI-scanning opt-out key below.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

# Loop through directories.
# "/trac" is only added in thorough mode; otherwise just the generic CGI dirs.
if (thorough_tests) dirs = list_uniq("/trac", cgi_dirs());
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # NB: redirect_url only gets echoed back in the response.
  # The probe uses a reserved example host: a match shows the q value is
  # reflected into the Location header; nothing is fetched from it.
  redirect_url = "http://www.example.com/";
  url = string(dir, "/search?q=", redirect_url);

  r = http_send_recv3(method: "GET", item:url, port:port);
  # A null response ends the whole plugin, not just this directory.
  if (isnull(r)) exit(0);

  # Make sure the output looks like it's from Trac.
  # Fingerprint on the trac_ session cookie in the response headers (r[1]).
  if (egrep(pattern:"^Set-Cookie: +trac_", string: r[1]))
  {
    # There's a problem if we're redirected to our URL.
    # NOTE(review): "><" is a substring test, so a Location that merely
    # embeds the probe URL inside its own query string would also match;
    # a prefix match on the header value would be stricter — confirm
    # against real Trac responses before tightening.
    location = egrep(pattern:"^Location:", string:r[1], icase:TRUE);
    if (location && redirect_url >< location)
    {
      if (report_verbosity)
      {
        report = string(
          "\n",
          "Nessus was able to exploit the issue using the following URL :\n",
          "\n",
          " ", build_url(port:port, qs:url), "\n"
        );
        security_warning(port:port, extra:report);
      }
      else security_warning(port);

      # Recorded under the generic www/<port>/XSS key even though the
      # finding is an open redirect rather than script injection.
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      exit(0);
    }
  }
}
References
- http://holisticinfosec.org/content/view/72/45/
- http://holisticinfosec.org/content/view/72/45/
- http://secunia.com/advisories/31314
- http://secunia.com/advisories/31314
- http://trac.edgewall.org/wiki/ChangeLog
- http://trac.edgewall.org/wiki/ChangeLog
- http://www.osvdb.org/46513
- http://www.osvdb.org/46513
- http://www.securityfocus.com/bid/30402
- http://www.securityfocus.com/bid/30402
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44043
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44043
- https://www.redhat.com/archives/fedora-package-announce/2008-July/msg01261.html
- https://www.redhat.com/archives/fedora-package-announce/2008-July/msg01261.html
- https://www.redhat.com/archives/fedora-package-announce/2008-July/msg01270.html
- https://www.redhat.com/archives/fedora-package-announce/2008-July/msg01270.html