Closed
Bug 1208480
Opened 9 years ago
Closed 9 years ago
persona.org vulnerable to Open redirect vulnerability
Categories
(Cloud Services :: Server: Identity, defect)
Cloud Services
Server: Identity
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: yaaboukir, Assigned: rfkelly)
Details
(Keywords: sec-moderate, wsec-impersonation)
Hi, I found out that Persona is vulnerable to an open redirection vulnerability. Impact : The user may be subjected to phishing attacks by being redirected to an untrusted and attacjer controlled web page that appears to be a trusted web site. The phishers may then steal the user’s credentials and then use these credentials to access the legitimate web site. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance. Proof Of Concept : https://login.persona.org///evilzone.org/%2E%2E Mitigation : Update your Express framework. Kind regards.
Comment 1•9 years ago
|
||
The redirect is indeed unfortunate. I can imagine that careless users would enter their credentials on the redirected site. :rfkelly - could you have someone take a look at this?
Assignee: nobody → rfkelly
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Component: Other → Server: Identity
Flags: needinfo?(rfkelly)
Keywords: sec-low,
wsec-impersonation
Product: Websites → Cloud Services
Resolution: --- → FIXED
Version: Production → unspecified
Comment 2•9 years ago
|
||
Sorry, didn't mean to mark this as Resolved, but Assigned.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: FIXED → ---
Updated•9 years ago
|
Status: REOPENED → ASSIGNED
Assignee | ||
Updated•9 years ago
|
Flags: needinfo?(rfkelly)
Updated•9 years ago
|
Flags: sec-bounty?
Assignee | ||
Comment 3•9 years ago
|
||
whoops, didn't mean to clear my ni? on this one
Flags: needinfo?(rfkelly)
Assignee | ||
Comment 4•9 years ago
|
||
> Mitigation : Update your Express framework. Easier said than done, I'm afraid - the persona codebase appears to be pinned to express==2.5.0, two full major versions behind the current release. I've no idea what breaking API changes may have taken place in the meantime. I'm assuming this is CVE-2015-1164 [1], in which case we *may* be able to mitigate without updating express by disabling redirects, like this: app.use(express.static(static_root)) => app.use(express.static(static_root, { redirect: false })) But who knows what other vulnerabilities might be unpatched in this ancient version of express. :callahad, can you please help with triaging this? Was there any existing work to get persona.org updated to a newer version of express? [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1164 > Flags: sec-bounty? I don't know what the criteria are around this, but it's certainly a legit open-redirect vuln.
Flags: needinfo?(rfkelly) → needinfo?(dan.callahan)
Assignee | ||
Comment 5•9 years ago
|
||
BTW the "disable redirects" mitigation was suggested at: https://nodesecurity.io/advisories/serve-static-open-redirect
Comment 6•9 years ago
|
||
No existing work that I know of to upgrade the deps. :( The Yahoo bridge is also vulnerable: https://yahoo.login.persona.org///evilzone.org/%2E%2E The Gmail bridge is on Express 4.x and not vulnerable.
Flags: needinfo?(dan.callahan)
Comment 7•9 years ago
|
||
I believe disabling redirects will be a fine mitigation. This is predicated on the belief that the only reason to use redirects is to go from `/foo` to `/foo/`, which implies `/foo/index.html`. As far as I remember, and as far as I can tell from looking at our repos, we never used the static mount that way: it was only for images and scripts, not end-user visible HTML. Case in point: even our effective static /about page doesn't have its index served by the static middleware: https://login.persona.org/about works without redirecting to `about/`. Repos to update: - https://github.com/mozilla/persona/ - https://github.com/mozilla/persona-yahoo-bridge/ We have private repos that you can use (they may need to get sync'd to the upstream, first) at: - https://github.com/mozilla/browserid_private/ (Persona) - https://github.com/mozilla/browserid-bigtent_private/ (Yahoo)
Assignee | ||
Comment 8•9 years ago
|
||
I tested this out locally and `{ redirect: false }` does indeed seem to mitigate the issue with affecting the functionality of the site (although you have to watch out for the browser caching the 302 redirect). I prepared two private PRs with the changes: https://github.com/mozilla/browserid_private/pull/33 https://github.com/mozilla/browserid-bigtent_private/pull/6 But they're probably not against the right branch or tag, because: > (they may need to get sync'd to the upstream, first) It's not obvious to me what's the right branch name to sync with in the corresponding public repos, e.g. the persona repo has things like "future" and "prod". :callahad can you advise?
Flags: needinfo?(dan.callahan)
Comment 9•9 years ago
|
||
The team disintegrated right around when we were attempting to reorganize the repo's structure, so it's a bit of a mess. :( You can figure out what revision is running in prod by hitting /ver.txt. Right now, Prod is on cc7cc58, which is the tip of the train-2014.07.19 branch. I'd suggest confirming with :relud on this, but I think the best bet is probably to PR against both "train-2014.07.19" *and* "future" for Persona Looks like the Yahoo bridge is on 3f02c86, which points to "train-2013.05.29-hotfix-9-24v3". I'd PR against that and against "master" for Yahoo. Hooray for software archaeology! :)
Flags: needinfo?(dan.callahan) → needinfo?(dthornton)
Comment 10•9 years ago
|
||
I need it merged against the branches currently deployed, which match callahad's footwork. Merging it against the other branches would also be good practice, but is not a requirement for getting it deployed. As for testing (as mentioned by shane on github), I could deploy the PR without merging it, and we could test it in stage for verification.
Flags: needinfo?(dthornton)
Comment 11•9 years ago
|
||
"deploy the PR without merging it" to stage, not to prod
Assignee | ||
Comment 12•9 years ago
|
||
Adding Shane to this bug, for review purposes.
Assignee | ||
Comment 13•9 years ago
|
||
> I think the best bet is probably to PR against both "train-2014.07.19" *and* "future" for Persona Done, PRs at: https://github.com/mozilla/browserid_private/pull/34 https://github.com/mozilla/browserid_private/pull/35
Assignee | ||
Comment 14•9 years ago
|
||
> Looks like the Yahoo bridge is on 3f02c86, which points to "train-2013.05.29-hotfix-9-24v3". > I'd PR against that and against "master" for Yahoo. Done, PRs at: https://github.com/mozilla/browserid-bigtent_private/pull/7 https://github.com/mozilla/browserid-bigtent_private/pull/8
Assignee | ||
Comment 15•9 years ago
|
||
:relud, if you're happy to deploy these to stage for manual verification, that sounds like by far the easiest option. The two PRs against current prod branch are: https://github.com/mozilla/browserid_private/pull/34 https://github.com/mozilla/browserid-bigtent_private/pull/7
Flags: needinfo?(dthornton)
Comment 16•9 years ago
|
||
I think we also need a PR against the persona-gmail-bridge [1]. [1] - https://github.com/mozilla/persona-gmail-bridge/blob/master/bin/persona-gmail-bridge.js#L327
Comment 17•9 years ago
|
||
The bug was fixed in later versions of Express, so the Gmail bridge is OK. The Gmail bridge is using Express 4, which is not vulnerable, while the Yahoo bridge and main site are on Express 2, which is. Compare, for example: https://yahoo.login.persona.org///evilzone.org/%2E%2E https://gmail.login.persona.org///evilzone.org/%2E%2E
Comment 18•9 years ago
|
||
This is a "low" rated security vulnerability on a site not on the list of available sites so I'm minusing this for bounty. If this winds up rated higher, please let us know.
Flags: sec-bounty? → sec-bounty-
Updated•9 years ago
|
Keywords: sec-low → sec-moderate
Comment 19•9 years ago
|
||
Re-nominating for bounty so we can examine it again as the security rating has changed.
Flags: sec-bounty- → sec-bounty?
Assignee | ||
Comment 20•9 years ago
|
||
adding :ckarlof, I probably should have cc'd him onto this earlier just for context...
Comment 21•9 years ago
|
||
this is deployed to persona and the yahoo bridge in stage.
Flags: needinfo?(dthornton)
Assignee | ||
Comment 22•9 years ago
|
||
Thanks :relud! :callahad, do we have a standard QA testing procedure for stage?
Flags: needinfo?(dan.callahan)
Comment 23•9 years ago
|
||
(In reply to Ryan Kelly [:rfkelly] from comment #22) > do we have a standard QA testing procedure for stage? We used to have docs on WikiMo, but everything I can find there is way out of date. In the past, our testing regime was: - Unit tests from the repo (Travis does this) - Selenium tests from the repo (we had a SauceLabs account) - Load tests (run by QA, monitored by ops) - Manual smoke tests (run by QA) For a change of such small magnitude, as long as Travis is green, I'd just do some manual prodding and make sure things work before promoting. The stage environment lives at https://login.anosrep.org and https://yahoo.login.anosrep.org. The RP at http://beta.123done.org points to stage, so you can test there.
Flags: needinfo?(dan.callahan)
Assignee | ||
Comment 24•9 years ago
|
||
I successfully logged in to http://beta.123done.org using both a yahoo and non-yahoo account, and everything seemed to work fine. I clicked around in the https://login.anosrep.org a little and didn't notice anything out of place. And I confirmed that the following do not redirect, confirming the bug has been fixed: https://login.anosrep.org///evilzone.org/%2E%2E https://yahoo.login.anosrep.org///evilzone.org/%2E%2E That's about as much as I can do. Over to :stomlinson as the reviewer on those PRs, for any additional testing he considers appropriate.
Flags: needinfo?(stomlinson)
Comment 25•9 years ago
|
||
Testing all *seems* fine. My concerns: * I am unable to reproduce the original problem on prod. * I forget how to test Mozilla LDAP integration on stage. If we push and realize LDAP integration fails, a lot of folks will be unhappy. :callahad, do you remember how to test Mozilla LDAP on stage?
Flags: needinfo?(stomlinson) → needinfo?(dan.callahan)
Comment 26•9 years ago
|
||
Ahha, I am able to recreate the original problem on prod, thanks for the links callahad.
Comment 27•9 years ago
|
||
Since the IdPs are deliberately designed as independent entities, I'd go ahead and push this to prod. It shouldn't be possible for MozIdP to be broken so long as we have evidence that another IdP (Gmail, Yahoo, MockMyID, etc) works. (That's my polite way of saying "damn, I can't remember the staging MozIdP domain either")
Flags: needinfo?(dan.callahan)
Comment 28•9 years ago
|
||
mozidp doesn't work in staging, and hasn't for at least a year iirc
Assignee | ||
Comment 29•9 years ago
|
||
I'm hearing "shipit"; ni? shane for final merge on those PRs. (sorry for playing constant ni? tag in this bug but I think it's the only way to keep track of this as we all go about our day jobs...)
Flags: needinfo?(stomlinson)
Comment 30•9 years ago
|
||
(off topic: I've *really* liked the frequent ni? callouts here. Seems like it made things work exceptionally smoothly!)
Comment 31•9 years ago
|
||
I have merged the two PRs referenced in [1]. :relud, as keeper of the trains, are [2] and [3] needed as well? [1] - https://bugzilla.mozilla.org/show_bug.cgi?id=1208480#c15 [2] - https://github.com/mozilla/browserid_private/pull/35 [3] - https://github.com/mozilla/browserid-bigtent_private/pull/8
Flags: needinfo?(stomlinson) → needinfo?(dthornton)
Assignee | ||
Comment 33•9 years ago
|
||
We should merge them for completeness, but it can wait until after deploy. So IIUC the remaining tasks here are: * Deploy the now-updated branches to production * Merge [2] and [3] in the private repo * Copy all four branches back into the public repo * Make some sort of announcement?
Comment 34•9 years ago
|
||
for the first bullet: what kind of qa are we looking at for deploy time. Is 'Daniel can log in to gmail/mozilla/yahoo/fallback' sufficient for this one?
Comment 35•9 years ago
|
||
also, for timeline, assuming the above testing plan is sufficient, does tomorrow, 10/15/15, at 2pm PDT sound like an acceptable deploy time?
Comment 36•9 years ago
|
||
Above testing plan is good. I'll defer to Ryan on the time window.
Assignee | ||
Comment 37•9 years ago
|
||
SGTM
Reporter | ||
Comment 38•9 years ago
|
||
This seems to be fixed on my end : https://login.persona.org///evilzone.org/%2E%2E https://yahoo.login.persona.org///evilzone.org/%2E%2E https://gmail.login.persona.org///evilzone.org/%2E%2E
Comment 39•9 years ago
|
||
Excellent! Thanks a lot for the report, and thank you team for fixing it. I'm resolving as fixed, and the bounty team will reevaluate during their next pass.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 40•9 years ago
|
||
Thanks to all involved for pulling together to get this resolved. Just to ensure we tie up the lose ends here: > * Merge [2] and [3] in the private repo > * Copy all four branches back into the public repo I can take care of this; is there any reason to wait longer before doing so? > * Make some sort of announcement? :callahad, I think you're best positioned to advise on what we should do w.r.t. public communication here.
Flags: needinfo?(dan.callahan)
Comment 41•9 years ago
|
||
For public communication, we've tended to post on the Mozilla Security blog. E.g.,: https://blog.mozilla.org/security/2013/10/02/bug-bounty-program-finds-and-helps-resolve-security-vulnerability-in-persona/ https://blog.mozilla.org/security/2014/04/08/heartbleed-security-advisory/ I don't believe an open redirect quite rises to the bar of needing a public disclosure, but I'm happy to be overruled if your gut says otherwise. Either way, now that we're verified fixed in production and we've soaked for a few days without disruption, I think you can safely merge the private branches back into the public repos. One additional action: * Now that the bug is resolved, mark it as public?
Flags: needinfo?(dan.callahan)
Comment 42•9 years ago
|
||
Also, :rfkelly, I'm in favor of renaming the private repos to "pubname-private" instead of the codenames they have right now. Any objections before I up-and-do-it? GitHub does set up HTTP redirects, and access via git will continue to work as well.
Assignee | ||
Comment 43•9 years ago
|
||
> I'm in favor of renaming the private repos to "pubname-private" instead of the codenames
> they have right now. Any objections...
No objections.
Comment 44•9 years ago
|
||
(In reply to Dan Callahan [:callahad] from comment #41) > I don't believe an open redirect quite rises to the bar of needing a public > disclosure, but I'm happy to be overruled if your gut says otherwise. I would agree that posting on the security blog is overkill here.
Updated•9 years ago
|
Flags: sec-bounty? → sec-bounty+
Assignee | ||
Comment 45•9 years ago
|
||
Merged to private repos at: persona: (future) https://github.com/mozilla/persona/commit/51a9de69a70fea2706adb87cdddd1e9f68090651 (train-2014.07.19) https://github.com/mozilla/persona/commit/c4425d8e22db9cef8d0038882c1e09ae7511a028 persona-yahoo-bridge: (master) https://github.com/mozilla/persona-yahoo-bridge/commit/2b8698177bf9660b5cb5e54c4c6ac455effccafb (train-2013.05.29-hotfix-9-24v3) https://github.com/mozilla/persona-yahoo-bridge/commit/29e0212efdb593e5481f308317424378f05d2610
Assignee | ||
Comment 46•9 years ago
|
||
> I would agree that posting on the security blog is overkill here. I'm happy with that. If it's sec-bounty+ it feels like we should say something *somewhere* but I don't have an appropriate forum to suggest, so I'm going to leave it alone. > One additional action: > * Now that the bug is resolved, mark it as public? I don't have the necessary privs to do that; :ulfr?
Updated•9 years ago
|
Group: websites-security
Reporter | ||
Updated•9 years ago
|
Summary: persona.org vulnerable to Open redirect vulnreability → persona.org vulnerable to Open redirect vulnerability
You need to log in
before you can comment on or make changes to this bug.
Description
•