Zulip is an open-source team collaboration tool. Versions 2.1.0 through and including 5.2 are vulnerable to a logic error. In a stream configured as private with protected history, new subscribers are not supposed to see messages sent before they subscribed; editing such a message, however, causes the server to send an API event containing the edited message to all of the stream's current subscribers, including those who joined after it was sent. Official clients discard this event, but a modified client, or the browser's developer tools, can read it. This bug will be fixed in Zulip Server 5.3. There are no known workarounds.
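The logic error described above, reduced to a model of who should receive the edit event. This is an added illustration, not Zulip's own code; the classes, the logical-timestamp subscription model and the user ids are assumptions made here, and the access rule is a simplification of Zulip's (which is based on per-user message records rather than subscription times). The vulnerable and corrected recipient selections are placed side by side so the leak is visible as a set difference.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Message:
    """A stream message. `sent_at` is a logical timestamp (assumption)."""
    id: int
    stream: str
    sent_at: int
    content: str


@dataclass
class Stream:
    """Stream settings plus, for each subscriber, when they subscribed (assumption)."""
    name: str
    invite_only: bool                      # "private" stream
    history_public_to_subscribers: bool    # False means "protected history"
    subscribed_since: Dict[int, int] = field(default_factory=dict)


def can_access(user_id: int, msg: Message, stream: Stream) -> bool:
    """Simplified access rule: in a private stream with protected history a
    subscriber may read a message only if they subscribed before it was sent."""
    since: Optional[int] = stream.subscribed_since.get(user_id)
    if since is None:
        return False                       # not a subscriber at all
    if stream.invite_only and not stream.history_public_to_subscribers:
        return since <= msg.sent_at
    return True


def edit_event_recipients_vulnerable(msg: Message, stream: Stream) -> Set[int]:
    """Behaviour the advisory describes: the edit event (with the new content)
    goes to every current subscriber, regardless of message access."""
    return set(stream.subscribed_since)


def edit_event_recipients_fixed(msg: Message, stream: Stream) -> Set[int]:
    """Corrected selection: only subscribers who may read the message get the
    event. The check is the same one used to serve message history."""
    return {u for u in stream.subscribed_since if can_access(u, msg, stream)}


def leaked_to(msg: Message, stream: Stream) -> Set[int]:
    """Users who receive the edited content without being allowed to read it."""
    return edit_event_recipients_vulnerable(msg, stream) - edit_event_recipients_fixed(msg, stream)


def build_example() -> Tuple[Message, Stream]:
    """Constructed sample data: users 1 and 2 subscribe before the message is
    sent at time 5; user 3 joins afterwards and must not see it."""
    stream = Stream(
        name="secret-project",
        invite_only=True,
        history_public_to_subscribers=False,
        subscribed_since={1: 1, 2: 2, 3: 10},
    )
    msg = Message(id=42, stream=stream.name, sent_at=5, content="draft budget")
    return msg, stream


if __name__ == "__main__":
    message, stream = build_example()
    print("vulnerable recipients:", sorted(edit_event_recipients_vulnerable(message, stream)))
    print("fixed recipients:     ", sorted(edit_event_recipients_fixed(message, stream)))
    print("leaked to:            ", sorted(leaked_to(message, stream)))
```

The point of the fixed variant is that the recipient list for a message-changed event is derived from the same access predicate that guards message fetches, so the two cannot drift apart; with protected history switched off, `leaked_to` is empty because every subscriber may read old messages anyway.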

Varnish and Nginx Insecure Temporary Redirects

Varnish and Nginx can be configured, by mistake rather than through a defect in either server, to answer with an HTTP 301 (a permanent redirect) where a temporary redirect was intended, while continuing to serve other requests normally. Clients are allowed to cache a 301 and reuse it without contacting the server again, so a 301 that was wrong when it was served, or whose target was built from client-controlled input such as the Host header, keeps sending users to the wrong location even after the configuration is corrected; that persistence is what makes the mistake usable for phishing or man-in-the-middle attacks against the affected user. The remedy is a configuration change (a 302 or 307 for temporary redirects, and a fixed rather than request-derived target), not a new version of Varnish or Nginx.

Introduction

Nginx and Varnish are commonly used in front of high-traffic websites to serve and cache content. A common insecure configuration is to use a "301 redirect" for a redirect that is meant to be temporary. A 301 is not an internal rewrite: the server does not go on processing the original URL. It returns a response whose Location header names the new URL, and the client re-issues its request there. For example, if https://example.com/profile answers with a 301 to https://example.com/new-profile, the client fetches https://example.com/new-profile instead, and, because a 301 is cacheable, may keep doing so on every later visit to https://example.com/profile without asking the server again. For that client the original URL is effectively unreachable until its cache is cleared, and if the cached target is wrong, anything the user submits to it (credentials, credit card numbers, Social Security numbers) goes to the wrong place.
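The difference between a permanent and a temporary redirect that the summary and the introduction above both rely on, modelled as a client that follows redirects and caches 301s the way browsers are permitted to. This is an added example, not Varnish, Nginx or page code; the `Client`, `make_server` and `demo` names, the paths and the five-hop limit are assumptions made here. The scenario is the one in the text: an operator puts a redirect on /profile, later removes it, and the client is checked to see whether it notices.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Response:
    status: int                      # 200, 301, 302, 307, ...
    location: Optional[str] = None   # Location header for redirects


Server = Callable[[str], Response]


@dataclass
class Client:
    """Minimal HTTP client. A 301 (and 308) may be cached by default, so the
    client reuses it without contacting the server; a 302 or 307 is not cached."""
    redirect_cache: Dict[str, str] = field(default_factory=dict)

    def fetch(self, server: Server, path: str, max_hops: int = 5) -> str:
        """Follow redirects for `path`; return the path that finally answered 200."""
        for _ in range(max_hops):
            if path in self.redirect_cache:
                path = self.redirect_cache[path]   # served from the client's cache, no request sent
                continue
            resp = server(path)
            if resp.status == 200:
                return path
            if resp.status not in (301, 302, 307, 308) or resp.location is None:
                raise RuntimeError(f"unexpected {resp.status} for {path}")
            if resp.status in (301, 308):
                self.redirect_cache[path] = resp.location
            path = resp.location
        raise RuntimeError("too many redirects")


def make_server(redirects: Dict[str, Tuple[int, str]]) -> Server:
    """Constructed origin: paths listed in `redirects` answer with (status, target);
    every other path answers 200. The dict is read on each request, so changing
    it models an operator editing the redirect configuration."""
    def handle(path: str) -> Response:
        if path in redirects:
            status, target = redirects[path]
            return Response(status, target)
        return Response(200)
    return handle


def demo(status: int) -> Tuple[str, str]:
    """Redirect /profile to /maintenance with the given status, then remove the
    redirect. Returns (path reached while the redirect was active,
    path reached after the operator removed it)."""
    redirects = {"/profile": (status, "/maintenance")}
    server = make_server(redirects)
    client = Client()
    during = client.fetch(server, "/profile")
    del redirects["/profile"]            # the "temporary" redirect is lifted server-side
    after = client.fetch(server, "/profile")
    return during, after


if __name__ == "__main__":
    for code in (301, 302, 307):
        print(code, demo(code))
```

With 301 the second fetch never reaches the server, so the client stays on /maintenance after the operator has removed the redirect; with 302 or 307 the client asks again and lands on /profile. Substitute an attacker-chosen target for /maintenance and the same mechanism is the persistence the summary describes: whatever was wrong in the first 301 is what that client keeps for as long as its cache lives.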

Timeline

Published on: 06/25/2022 09:15:00 UTC
Last modified on: 07/07/2022 18:33:00 UTC
