Closed
Bug 620476
Opened 14 years ago
Closed 13 years ago
Allowing redirect to external site using network-path reference (signin?return=//example.com)
Categories: Websites Graveyard :: getpersonas.com, defect
Tracking: (Not tracked)
Status: VERIFIED FIXED
People: Reporter: janmoesen_=-bugzilla-=+spamtrap, Assigned: chenba
Details: Whiteboard: [infrasec:input][ws:high]
Attachments (3 files, 1 obsolete file):
- 441 bytes, patch | telliott: review+
- 809.09 KB, image/png
- 459 bytes, patch | telliott: review+
Description
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b9pre) Gecko/20101218 Firefox/4.0b9pre
Build Identifier:
A GetPersonas.com user can be tricked into going to an external site by using a scheme-less value for the "return" parameter. For instance, example.com/signin hosts a copy of the GetPersonas.com sign-in page, but claims the password was incorrect and steals the user's credentials on his/her subsequent sign-in attempt.
Background: http://tools.ietf.org/html/rfc3986#section-4.2
Reproducible: Always
Updated•14 years ago
Whiteboard: [ws:need triage]
Updated•14 years ago
Whiteboard: [ws:need triage] → [infrasec:input][ws:moderate]
Comment 2•14 years ago
The POC does not appear to work in FF3.6 or FF4b8. https://www.getpersonas.com/en-US/signin?return=%252F%252Fgoo.gl Can you revisit and provide steps to reproduce this issue?
Updated•14 years ago
Whiteboard: [infrasec:input][ws:moderate] → [infrasec:input][ws:moderate] need info
Updated•14 years ago
Whiteboard: [infrasec:input][ws:moderate] need info → [infrasec:input][ws:need triage]
Comment 4•14 years ago
Confirmed. This issue is pervasive throughout getpersonas. The fundamental problem here is accepting and trusting user data from the "return" parameter.
Updated•14 years ago
Whiteboard: [infrasec:input][ws:need triage] → [infrasec:input][ws:high]
Comment 5•13 years ago
You can see what we did for remora at http://viewvc.svn.mozilla.org/vc/addons/trunk/site/app/controllers/users_controller.php?view=markup#l320 although it sounds like the problem here is that it isn't prepending the hostname.
Assignee: nobody → chenba
Updated•13 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 6•13 years ago
Remove white spaces and do not allow // in the 'return' param.
Attachment #506347 - Flags: review?
Comment 7•13 years ago
This patch removes white spaces for real.
Attachment #506347 - Attachment is obsolete: true
Attachment #506348 - Flags: review?
Attachment #506347 - Flags: review?
Updated•13 years ago
Attachment #506348 - Flags: review? → review?(telliott)
Updated•13 years ago
Attachment #506348 - Flags: review?(telliott) → review+
Comment 8•13 years ago
Committed @ r81656
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 9•13 years ago
Hi Jan, please check e-mail from chofmann@mozilla.com for bounty information on this bug.
First case from bug 630450:
[15:45:49.770] GET https://personas.stage.mozilla.com/en-US/signin?action=signout&return=//www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards [HTTP/1.1 302 Found 70ms]
[15:45:49.841] GET https://personas.stage.mozilla.com/?signout_success=1 [HTTP/1.1 302 Found 20ms]
[15:45:49.872] GET https://personas.stage.mozilla.com/en-US/?signout_success=1 [HTTP/1.1 200 OK 16ms]
Second case from bug 630450:
[15:49:14.989] GET https://personas.stage.mozilla.com/en-US/signin?return=//attacker.in [HTTP/1.1 200 OK 20ms]
[15:49:19.480] POST https://personas.stage.mozilla.com/en-US/signin [HTTP/1.1 302 Found 18ms]
[15:49:19.556] GET https://personas.stage.mozilla.com/ [HTTP/1.1 302 Found 27ms]
[15:49:19.621] GET https://personas.stage.mozilla.com/en-US/ [HTTP/1.1 200 OK 85ms]
Verified FIXED.
Status: RESOLVED → VERIFIED
Comment 14•13 years ago
The patch is incomplete. I recommend prepending a "/" to the return_url. Testcase: https://personas.stage.mozilla.com/en-US/signin?action=signout&return=a:data:text/html,%3Chtml%3E%3Cscript%3Ewindow.location=%22http:!!www.mozilla.org%22.replace(/!/g,%22/%22)%3C/script%3E%3C/html%3E
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
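An added example, not the getpersonas.com patch or any Mozilla code: a Python sketch of the two rules this bug converged on for the "return" parameter (comments 6/7: strip whitespace and refuse `//`; comment 14: prepend `/`), side by side, so the gap in the first rule is visible. The function names are constructed here; the sample values mirror the ones quoted in this bug, except the last, which is a shortened stand-in for comment 14's `a:data:text/html` testcase.

```python
# Added example (constructed, not the getpersonas.com patch): the two rules
# this bug converged on for the "return" parameter, side by side.
from urllib.parse import urlsplit, urlunsplit

# Constructed inputs: the first three mirror values quoted in this bug, the
# fourth is a shortened stand-in for comment 14's a:data:text/html testcase.
SAMPLES = {
    "legit": "/en-US/gallery?x=1#top",
    "network_path": "//attacker.in",
    "whitespace": "/ /attacker.in",
    "scheme_like": "a:data:text/html,<h1>x</h1>",
}


def strip_ws_reject_double_slash(raw: str):
    """Rule from the first patch (comments 6 and 7): drop every whitespace
    character, then refuse any value containing '//'. Returns the value to
    redirect to, or None when refused."""
    cleaned = "".join(raw.split())
    return None if "//" in cleaned else cleaned


def local_return_path(raw: str, default: str = "/") -> str:
    """Hardened rule that also prepends '/' as comment 14 recommends. The
    result is always a path on this host; anything else falls back to default."""
    cleaned = "".join(raw.split())
    if "\\" in cleaned:
        # Browsers treat '\' like '/' in http(s) URLs, so '/\host' would be
        # read as an authority; refuse it outright.
        return default
    # Collapse any run of leading slashes to exactly one: '//host' and
    # '///host' both become '/host', a local path rather than an authority.
    candidate = "/" + cleaned.lstrip("/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Defence in depth: cannot happen after the prefix above, but keeps the
        # invariant explicit if the prefix logic is ever changed.
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def has_scheme(value: str) -> bool:
    """True when a value parses as an absolute URL, e.g. 'a:data:...'."""
    return bool(urlsplit(value).scheme)


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} first patch -> {strip_ws_reject_double_slash(raw)!r}")
        print(f"{'':13} hardened    -> {local_return_path(raw)!r}")
```

The `scheme_like` sample passes the first rule untouched because it contains no `//`, yet it carries a scheme; the hardened rule turns it into a local path, which matches the 404 seen on the stage server in the follow-up comments.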
Updated•13 years ago
Attachment #509685 - Flags: review?(telliott) → review+
Comment 16•13 years ago
Committed @ r82098
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED
The URLs from bug 630450 now work just fine:
1) https://www.getpersonas.com/en-US/signin?action=signout&return=//www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
2) https://www.getpersonas.com/en-US/signin?return=//attacker.in
3) https://www.getpersonas.com/data:text/html,%3Chtml%3E%3Cscript%3Ewindow.location=%22http:!!www.mozilla.org%22.replace%28/!/g,%22/%22%29%3C/script%3E%3C/html%3E?signout_success=1 yields the following:
Not Found
The requested URL /data:text/html,<html><script>window.location="http:!!www.mozilla.org".replace(/!/g,"/")</script></html> was not found on this server.
...which I think is right? David?
Comment 18•13 years ago
Yes, the expected behavior is that the link does not redirect outside of getpersonas. The redirect happens to result in a 404 in this case. Changing to VERIFIED.
Status: RESOLVED → VERIFIED
Updated•12 years ago
Group: websites-security
Updated•11 years ago
Product: Websites → Websites Graveyard
Updated•11 years ago
Flags: sec-bounty+