Bug 1426475 (Closed)
Opened 7 years ago, closed 6 years ago
Make unknown bug id / alias error message more obvious to prevent content spoofing
Categories: bugzilla.mozilla.org :: General, defect
Status: RESOLVED FIXED
People: Reporter: cehmanish; Assigned: dylan
Details: Keywords: sec-low, wsec-injection; Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments: 3 files
Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain. This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user's trust. Content spoofing is an attack that is closely related to Cross-site Scripting (XSS). While XSS uses <script> and other techniques to run JavaScript, content spoofing uses other techniques to modify the page for malicious reasons. Even if XSS mitigation techniques are used within the web application, such as proper output encoding, the application can still be vulnerable to text based content spoofing attacks.

1. In the bugzilla.mozilla.org application, the given URL "https://bugzilla.mozilla.org/show_bug.cgi?id=" accepts the value of the parameter "id" as only a numeric value, but here an attacker can pass any string of any length.
2. The attacker-supplied string is reflected in the response body (inside the anchor tag, inside the form action URL, etc.).
3. The application is protected against XSS, but the attacker can supply the payload as simple text.
4. The simple text injection (spoofing) can perform any phishing type of attack because of user trust in the bugzilla.mozilla.org application.
5. The attacker can inject these types of text:
   i. The site is temporarily down, please visit victim web site.
   ii. The website contains virus and malware.
   iii. Any phishing message that asks to visit any third-party site and enter Mozilla credentials.
6. The text injection is possible using a GET parameter, so the possibility and impact become high.
7. The parameter also accepts CRLF (%0a & %0d) inside the text injection, and an attacker can also use it.
8. Using this vulnerability an attacker can also perform denial of service (DOS) on the BMO server because the application performs operations on attacker-supplied data. So it is best practice to validate user-supplied data before use.
Flags: sec-bounty?
Comment 1•7 years ago
gupta: thanks for your report. In many applications this is possible with the default Apache 404 page, but in this case the application is attempting to handle things a bit more cleanly, adding a bit of legitimacy to such an attack. I will raise with the bugzilla team and I suspect it's reasonably actionable to constrain the input to valid bug IDs and not support text... An example PoC that an attacker might actually use could look something like this, to force the error text off the user's screen:

https://bugzilla.mozilla.org/show_bug.cgi?id=Warning%20we%27ve%20moved%20to%20JIRA%20instead%20of%20bugzilla,%20please%20use%20evil.com%20instead,%20please%20also%20read%20our%20really%20long%20terms%20of%20service%20to%20wipe%20the%20bug%20is%20no%20longer%20valid%20off%20the%20screen%20The%20standard%20Lorem%20Ipsum%20passage,%20used%20since%20the%201500s%22Lorem%20ipsum%20dolor%20sit%20amet,%20consectetur%20adipiscing%20elit,%20sed%20do%20eiusmod%20tempor%20incididunt%20ut%20labore%20et%20dolore%20magna%20aliqua.%20Ut%20enim%20ad%20minim%20veniam,%20quis%20nostrud%20exercitation%20ullamco%20laboris%20nisi%20ut%20aliquip%20ex%20ea%20commodo%20consequat.%20Duis%20aute%20irure%20dolor%20in%20reprehenderit%20in%20voluptate%20velit%20esse%20cillum%20dolore%20eu%20fugiat%20nulla%20pariatur.%20Excepteur%20sint%20occaecat%20cupidatat%20non%20proident,%20sunt%20in%20culpa%20qui%20officia%20deserunt%20mollit%20anim%20id%20est%20laborum.%22Section%201.10.32%20of%20%22de%20Finibus%20Bonorum%20et%20Malorum%22,%20written%20by%20Cicero%20in%2045%20BC%22Sed%20ut%20perspiciatis%20unde%20omnis%20iste%20natus%20error%20sit%20voluptatem%20accusantium%20doloremque%20laudantium,%20totam%20rem%20aperiam,%20eaque%20ipsa%20quae%20ab%20illo%20inventore%20veritatis%20et%20quasi%20architecto%20beatae%20vitae%20dicta%20sunt%20explicabo.%20Nemo%20enim%20ipsam%20voluptatem%20quia%20voluptas%20sit%20aspernatur%20aut%20odit%20aut%20fugit,%20sed%20quia%20consequuntur%20magni%20dolores%20eos%20qui%20ratione%20voluptatem%20sequi%20nesciunt.%20Neque%20porro%20quisquam%20est,%20qui%20dolorem%20ipsum%20quia%20dolor%20sit%20amet,%20consectetur,%20adipisci%20velit,%20sed%20quia%20non%20numquam%20eius%20modi%20tempora%20incidunt%20ut%20labore%20et%20dolore%20magnam%20aliquam%20quaerat%20voluptatem.%20Ut%20enim%20ad%20minima%20veniam,%20quis%20nostrum%20exercitationem%20ullam%20corporis%20suscipit%20laboriosam,%20nisi%20ut%20aliquid%20ex%20ea%20commodi%20consequatur?%20Quis%20autem%20vel%20eum%20iure%20reprehenderit%20qui%20in%20ea%20voluptate%20velit%20esse%20quam%20nihil%20molestiae%20consequatur,%20vel%20illum%20qui%20dolorem%20eum%20fugiat%20quo%20voluptas%20nulla%20pariatur?%221914%20translation%20by%20H.%20Rackham%22But%20I%20must%20explain%20to%20you%20how%20all%20this%20mistaken%20idea%20of%20denouncing%20pleasure%20and%20praising%20pain%20was%20born%20and%20I%20will%20give%20you%20a%20complete%20account%20of%20the%20system,%20and%20expound%20the%20actual%20teachings%20of%20the%20great%20explorer%20of%20the%20truth,%20the%20master-builder%20of%20human%20happiness.%20No%20one%20rejects,%20dislikes,%20or%20avoids%20pleasure%20itself,%20because%20it%20is%20pleasure,%20but%20because%20those%20who%20do%20not%20know%20how%20to%20pursue%20pleasure%20rationally%20encounter%20consequences%20that%20are%20extremely%20painful.%20Nor%20again%20is%20there%20anyone%20who%20loves%20or%20pursues%20or%20desires%20to%20obtain%20pain%20of%20itself,%20because%20it%20is%20pain,%20but%20because%20occasionally%20circumstances%20occur%20in%20which%20toil%20and%20pain%20can%20procure%20him%20some%20great%20pleasure.%20To%20take%20a%20trivial%20example,%20which%20of%20us%20ever%20undertakes%20laborious%20physical%20exercise,%20except%20to%20obtain%20some%20advantage%20from%20it?%20But%20who%20has%20any%20right%20to%20find%20fault%20with%20a%20man%20who%20chooses%20to%20enjoy%20a%20pleasure%20that%20has%20no%20annoying%20consequences,%20or%20one%20who%20avoids%20a%20pain%20that%20produces%20no%20resultant%20pleasure?%22Section%201.10.33%20of%20%22de%20Finibus%20Bonorum%20et%20Malorum%22,%20written%20by%20Cicero%20in%2045%20BC%22At%20vero%20eos%20et%20accusamus%20et%20iusto%20odio%20dignissimos%20ducimus%20qui%20blanditiis%20praesentium%20voluptatum%20deleniti%20atque%20corrupti%20quos%20dolores%20et%20quas%20molestias%20excepturi%20sint%20occaecati%20cupiditate%20non%20provident,%20similique%20sunt%20in%20culpa%20qui%20officia%20deserunt%20mollitia%20animi,%20id%20est%20laborum%20et%20dolorum%20fuga.%20Et%20harum%20quidem%20rerum%20facilis%20est%20et%20expedita%20distinctio.%20Nam%20libero%20tempore,%20cum%20soluta%20nobis%20est%20eligendi%20optio%20cumque%20nihil%20impedit%20quo%20minus%20id%20quod%20maxime%20placeat%20facere%20possimus,%20omnis%20voluptas%20assumenda%20est,%20omnis%20dolor%20repellendus.%20Temporibus%20autem%20quibusdam%20et%20aut%20officiis%20debitis%20aut%20rerum%20necessitatibus%20saepe%20eveniet%20ut%20et%20voluptates%20repudiandae%20sint%20et%20molestiae%20non%20recusandae.%20Itaque%20earum%20rerum%20hic%20tenetur%20a%20sapiente%20delectus,%20ut%20aut%20reiciendis%20voluptatibus%20maiores%20alias%20consequatur%20aut%20perferendis%20doloribus%20asperiores%20repellat.%221914%20translation%20by%20H.%20Rackham%22On%20the%20other%20hand,%20we%20denounce%20with%20righteous%20indignation%20and%20dislike%20men%20who%20are%20so%20beguiled%20and%20demoralized%20by%20the%20charms%20of%20pleasure%20of%20the%20moment,%20so%20blinded%20by%20desire,%20that%20they%20cannot%20foresee%20the%20pain%20and%20trouble%20that%20are%20bound%20to%20ensue;%20and%20equal%20blame%20belongs%20to%20those%20who%20fail%20in%20their%20duty%20through%20weakness%20of%20will,%20which%20is%20the%20same%20as%20saying%20through%20shrinking%20from%20toil%20and%20pain.%20These%20cases%20are%20perfectly%20simple%20and%20easy%20to%20distinguish.%20In%20a%20free%20hour,%20when%20our%20power%20of%20choice%20is%20untrammelled%20and%20when%20nothing%20prevents%20our%20being%20able%20to%20do%20what%20we%20like%20best,%20every%20pleasure%20is%20to%20be%20welcomed%20and%20every%20pain%20avoided.%20But%20in%20certain%20circumstances%20and%20owing%20to%20the%20claims%20of%20duty%20or%20the%20obligations%20of%20business%20it%20will%20frequently%20occur%20that%20pleasures%20have%20to%20be%20repudiated%20and%20annoyances%20accepted.%20The%20wise%20man%20therefore%20always%20holds%20in%20these%20matters%20to%20this%20principle%20of%20selection:%20he%20rejects%20pleasures%20to%20secure%20other%20greater%20pleasures,%20or%20else%20he%20endures%20pains%20to%20avoid%20worse%20pains.
Updated•7 years ago
Keywords: sec-low, wsec-injection
Comment 2•7 years ago
:dylan - what's your take on this?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(dylan)
Updated•7 years ago
Group: websites-security → bugzilla-security
Status: NEW → UNCONFIRMED
Component: Other → General
Ever confirmed: false
Product: Websites → bugzilla.mozilla.org
Version: unspecified → Production
Comment 3•7 years ago
I'm going to take this only because it is trivial to fix.
Assignee: nobody → dylan
Flags: needinfo?(dylan)
Comment 4•7 years ago
Incoming patch, makes it look like this
Comment 5•7 years ago
Attachment #8938139 - Flags: review?(dkl)
Comment 6•7 years ago
I would personally only have it say that it doesn't look like a valid bug number. No need to reflect any text back at all, since there is no reason for the id to be anything but a number.
Comment 7•7 years ago
(In reply to April King [:April] from comment #6)
> I would personally only have it say that it doesn't look like a valid bug
> number. No need to reflect any text back at all, since there is no reason
> for the id to be anything but a number.

Bugs can be words. https://bugzilla.mozilla.org/show_bug.cgi?id=bmo-emoji
Comment 8•7 years ago
Thanks Dylan. Generally 'id' should be only a numeric value, but here there may be some business requirements, which is why Mozilla uses 'id' as words (text). But actually the problem is that the application accepts 'id' as a string (numeric, text and special characters) and performs operations on it, i.e. if 'id' is not valid then it reflects the same user-supplied text in the response body. So it is not best practice to reflect back user-supplied data. But we can mitigate this issue by simply showing the message "User supplied id is not valid" instead of showing the 'id' name (as we already do in the '404 Not Found' page). Thanks Bugzilla team
Flags: needinfo?(dylan)
Comment 9•7 years ago
Did anyone here actually look at the screenshot I attached?
Flags: needinfo?(dylan)
Comment 10•7 years ago
In short, in this patch the string is canonicalized and the missing title is added. Also the wording of the error is changed to be more like the examples given in the photon design document.
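What the fix discussed in comments 6 through 10 amounts to, written out as an added Python model rather than BMO's own Perl code or the patch attached to this bug: classify the 'id' value as a numeric id, an alias, or neither before any lookup, and when it is neither, render a fixed title and echo only a canonicalized, bounded, HTML-escaped copy of the input. The alias rules, the 40-character limits, the function names and the page markup are assumptions made for this example, not taken from Bugzilla.

```python
import html
import re
from typing import Optional, Tuple

# Assumed limits (hypothetical, not taken from BMO's code): an alias is at most
# 40 characters and contains no whitespace or commas; numeric ids have at most
# 9 digits; an invalid value is never echoed beyond MAX_ECHO characters.
MAX_ALIAS_LEN = 40
MAX_ECHO = 40
ID_RE = re.compile(r"\d{1,9}")
ALIAS_RE = re.compile(r"[^\s,]{1,%d}" % MAX_ALIAS_LEN)


def classify_bug_ref(raw: str) -> Tuple[str, Optional[str]]:
    """Decide what kind of lookup the 'id' parameter deserves, before any
    database access and before anything is rendered.

    Returns ('id', '<digits>'), ('alias', '<alias>') or ('invalid', None).
    Classification only gates the lookup: an alias-shaped value may still
    turn out not to exist, and is then treated exactly like 'invalid'.
    """
    value = raw.strip()
    if ID_RE.fullmatch(value):
        return ("id", str(int(value)))   # canonical form: no leading zeros
    if ALIAS_RE.fullmatch(value):
        return ("alias", value)
    return ("invalid", None)


def canonicalize_for_echo(raw: str) -> str:
    """Reduce an invalid value to something safe to show inside the error.

    Control characters (including CR and LF, which the report notes the
    parameter accepts) are replaced by a single space, runs of whitespace
    are collapsed, the result is truncated to MAX_ECHO characters and
    finally HTML-escaped so it can only ever render as inline text.
    """
    cleaned = re.sub(r"[\x00-\x1f\x7f]+", " ", raw)
    cleaned = re.sub(r"\s+", " ", cleaned).strip()
    if len(cleaned) > MAX_ECHO:
        cleaned = cleaned[:MAX_ECHO] + "..."
    return html.escape(cleaned, quote=True)


def error_page_before(raw: str) -> str:
    """The spoofable shape the report describes: escaped against XSS, but the
    whole user-supplied string leads the page and there is no fixed title."""
    return (f"<p>{html.escape(raw, quote=True)} is not a valid bug number "
            f"nor an alias to a bug.</p>")


def error_page_after(raw: str) -> str:
    """The hardened shape: a fixed title first, then the bounded, canonicalized
    echo set off in quotes and <code>, so it reads as data, not as a notice."""
    return ("<h1>Bug not found</h1>"
            "<p>There is no bug with the id or alias "
            f"<code>&quot;{canonicalize_for_echo(raw)}&quot;</code>. "
            "Check the number or alias and try again.</p>")


if __name__ == "__main__":
    # Constructed sample input in the spirit of the PoC in comment 1 (not the
    # URL from the page): a spoof notice with CRLF in the middle, padded so
    # that it would push the real error text off screen.
    spoof = ("Warning we've moved to JIRA,\r\nplease use example.net instead "
             + "x" * 500)
    for value in ("1426475", "0042", "bmo-emoji", spoof):
        kind, canon = classify_bug_ref(value)
        print(kind, canon if kind != "invalid" else error_page_after(value))
```

Bounding the echo is what takes the lever away from the PoC in comment 1: however long the parameter, the notice is one short line under a fixed heading, and CRLF sequences collapse to a single space, so the value can neither break the line nor push the real error text off the screen. Whether to echo the value at all (April's preference in comment 6) then becomes a usability question rather than a security one.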
Comment 11•7 years ago
:dylan - I saw the screenshot and it looks like a net improvement to me (i.e. harder to hide spoofed content). I think April/gupta are simply saying "it could be better if" and would ideally remove all doubt of content spoofing if we didn't reflect the input, but ultimately this is your call.
Comment 12•7 years ago
Indeed. It's certainly a big improvement over what we currently have. My comment was merely that there's no real valid reason for somebody to have an invalid id aside from content spoofing, so perhaps it doesn't make sense to reflect it at all. But if you prefer having some indication of what the ID was set to, then you've totally got my r+.
Comment 13•7 years ago
Invalid ones happen all the time, as aliases are very mutable, and typos are possible. I have analytics backing that the errors happen pretty frequently. And not just when the bug reporter was testing this.
Updated•7 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 14•6 years ago
Comment on attachment 8938139 [details] [diff] [review]
1426475_1.patch

Review of attachment 8938139 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8938139 - Flags: review?(dkl) → review+
Updated•6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Summary: Content Injection (Spoofing) Vulnerability in bugzilla.mozilla.org web application → Make unknown bug id / alias error message more obvious to prevent content spoofing
Comment 15•6 years ago
This will go out tomorrow morning.
Updated•6 years ago
Group: bugzilla-security
Updated•6 years ago
Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-
Comment 16•6 years ago
Hi Jonathan, is this new find eligible for a bounty or the HoF? Thanks
Comment 17•6 years ago
gupta: The impact isn't high enough to warrant paid bounty based on our guidelines (https://www.mozilla.org/en-US/security/web-bug-bounty/). However, we did talk about this a bit on Monday and decided that this is worth a hall of fame mention because of how the application was handling the content injection, which is fundamentally different than most content injections we see due to the application trying to handle the error condition more elegantly. The hall of fame list is updated on a quarterly basis, so expect some time before your name is posted here (https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/)
Comment 18•6 years ago
Gupta, can you let us know how you would like to be credited on the HoF? If you have a link, we can include that as well.
Comment 19•6 years ago
Thanks April, can you please include the information given below for the HOF: Manish Gupta ( https://www.linkedin.com/in/cehmanish/ ) Thanks Mozilla