Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable

Inizio della pagina
Delete this message
Reply to this message
Autore: Jasen Betts
Data:  
To: exim-users
Nuovi argomenti: [exim] CVE-2019-10149: already vulnerable ?
Oggetto: Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
On 2019-06-19, Heiko Schlittermann via Exim-users <exim-users@???> wrote:
>
> --===============0789655678==
> Content-Type: multipart/signed; micalg=pgp-sha512;
>     protocol="application/pgp-signature"; boundary="mlyb34ecdekgbwyp"
> Content-Disposition: inline

>
>
> --mlyb34ecdekgbwyp
> Content-Type: text/plain; charset=utf-8
> Content-Disposition: inline
>
> Russell King via Exim-users <exim-users@???> (Di 11 Jun 2019 16:08:28 CEST):
>>
>> As I stated in my original post, I've tried subsituting the " " with
>> both + and %2b. I was using Firefox, I've also used elinks as well.
>> Nothing works to get a commitdiff.
>>
>> >    https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_91%2Bfixes

>>
>> That URL is not a problem - getting the shortlog is not a problem.
>> Following any of the links from the shortlog _is_ a problem as my
>> original post stated.
>
> Hm. Starting with the link you describe here (using %2B) an can follow
> many, if not all (didn't test *all*) links, shortlog -> commitdiff
> works.


That modified link works in firefox too, It seems that problem is the server
displays a page with bad links if '+' is used incorrectly in the URL,
this may be because in URLs '+' represents space.

This behavious seems odd, there may be an XSS vuln in there somewhere.

--
When I tried casting out nines I made a hash of it.