Bug 577337 - The eclip.se URL shortener also shortens external links
Summary: The eclip.se URL shortener also shortens external links
Status: CLOSED MOVED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: All All
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2021-11-18 10:19 EST by Johann Beleites
Modified: 2021-12-23 06:48 EST

See Also:
Description Johann Beleites 2021-11-18 10:19:52 EST
If I control a malicious domain, say example.org, I can create potentially malicious subdomains that will be shortened by the eclip.se URL shortener, despite its claims that it doesn't shorten external URLs. Hence, I can create a shortened URL (that may be trusted more than my complete malicious URL) that will actually lead to an external (if I want malicious) domain. 

For example: http://eclip.se/tmpolicW forwards to https://bugs.eclipse.org.example.org/some/malicious/page.
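The flaw described in the report is a host check that is not anchored on the domain's label boundary, so `bugs.eclipse.org.example.org` looks internal. The following is an added example, not the eclip.se shortener's code: it contrasts a naive substring check with a check that parses the URL and compares the host component against an allowlist on a dot boundary. The allowlist and the helper names are assumptions for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; the real shortener's list is not on the page.
ALLOWED_DOMAINS = ("eclipse.org", "eclip.se")


def weak_is_internal(url: str) -> bool:
    """Naive check with the bug class from the report: it only asks whether an
    allowed domain name appears somewhere in the URL string, so an attacker-
    controlled host such as bugs.eclipse.org.example.org passes."""
    return any(domain in url for domain in ALLOWED_DOMAINS)


def host_matches(hostname: str, domain: str) -> bool:
    """True only if hostname is exactly `domain` or a subdomain of it.
    The suffix match is anchored on a label boundary ("." + domain), so
    evileclipse.org and eclipse.org.example.org are both rejected."""
    hostname = hostname.lower().rstrip(".")
    domain = domain.lower()
    return hostname == domain or hostname.endswith("." + domain)


def is_internal(url: str) -> bool:
    """Parse the URL and compare only its host component against the allowlist.
    hostname drops userinfo and port, so https://eclipse.org@evil.example/
    resolves to evil.example; non-http(s) schemes are rejected outright."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host:
        return False
    return any(host_matches(host, domain) for domain in ALLOWED_DOMAINS)
```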
Comment 1 Frederic Gurr 2021-12-23 06:48:41 EST
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/687.