Closed Bug 837444 Opened 11 years ago Closed 11 years ago

Multiple vulnerabilities on getfirefox.com name server

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: asedwards710, Assigned: bburton)

References

()

Details

(Keywords: sec-moderate)

User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

Steps to reproduce:

Scanned and found multiple vulnerabilities:
getfirefox.com server 64.13.141.6 vulnerabilities

Cross Site Scripting:
url:
http://64.13.141.6/vimrc.md5%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000438)%3C/script%3E
url:
http://64.13.141.6/SETUP%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000416)%3C/script%3E
url:
http://64.13.141.6/%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0003F6)%3C/script%3E
url:
http://64.13.141.6/packages/%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000433)%3C/script%3E
parameter name: URI-Based
Parameter Type: FullUrl
(phishing attacks, man in the middle attacks, and session hijacking)

PHP Source Code Disclosure:
url:
http://64.13.141.6/packages/openssl-1.0.0_5.tbz
(possibly gives access to databases and admin tools and can increase further attacks)

OpenSSL Version Disclosure:
Version: 1.0.0d
(can be used to find version specific vulnerabilities)

Trace/Track Identified:
(further increases possibility of an XSS attack)

Apache Version Disclosure:
version: 2.2.18
(can be used to find version specific vulnerabilities)

Apache Module Version Disclosure:
version: mod_ssl/2.2.18 OpenSSL/1.0.0d
(can be used to find version specific vulnerabilities)


Actual results:

getfirefox.com server 64.13.141.6 vulnerabilities

Cross Site Scripting:
url:
http://64.13.141.6/vimrc.md5%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000438)%3C/script%3E
url:
http://64.13.141.6/SETUP%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000416)%3C/script%3E
url:
http://64.13.141.6/%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0003F6)%3C/script%3E
url:
http://64.13.141.6/packages/%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000433)%3C/script%3E
parameter name: URI-Based
Parameter Type: FullUrl
(phishing attacks, man in the middle attacks, and session hijacking)

PHP Source Code Disclosure:
url:
http://64.13.141.6/packages/openssl-1.0.0_5.tbz
(possibly gives access to databases and admin tools and can increase further attacks)

OpenSSL Version Disclosure:
Version: 1.0.0d
(can be used to find version specific vulnerabilities)

Trace/Track Identified:
(further increases possibility of an XSS attack)

Apache Version Disclosure:
version: 2.2.18
(can be used to find version specific vulnerabilities)

Apache Module Version Disclosure:
version: mod_ssl/2.2.18 OpenSSL/1.0.0d
(can be used to find version specific vulnerabilities)


Expected results:

No cross site scripting, no php source code disclosure, no Trace/Track, no Apache or OpenSSL version disclosures.
Nameservers for getfirefox.com:
    ns.meer.net
    ns.mozilla.org

Ugh.

Please update to ns[123].mozilla.org and confirm other domains aren't using ns.meer.net or ns.mozilla.org.
Assignee: nobody → server-ops-infra
Group: core-security → websites-security
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: General → Server Operations: Infrastructure
Ever confirmed: true
OS: Windows XP → All
Product: Core → mozilla.org
QA Contact: jdow
Hardware: x86 → All
Version: unspecified → other
$ host getfirefox.com ns.meer.net
Using domain server:
Name: ns.meer.net
Address: 64.13.141.6#53
Aliases: 

Host getfirefox.com not found: 5(REFUSED)
Assignee: server-ops-infra → mburns
Assignee: mburns → server-ops-infra
Flags: sec-bounty?
Assignee: server-ops-infra → mburns
:solarce and :ericz are looking into this.
Severity: critical → major
Assignee: mburns → server-ops-infra
(In reply to Andrew S. Edwards from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like
> Gecko) Chrome/24.0.1312.57 Safari/537.17
> 
> Steps to reproduce:
> 
> Scanned and found multiple vulnerabilities:
> getfirefox.com server 64.13.141.6 vulnerabilities
> 
> Cross Site Scripting:
> url:
> http://64.13.141.6/vimrc.md5%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x000438)%3C/script%3E
> url:
> http://64.13.141.6/SETUP%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x000416)%3C/script%3E
> url:
> http://64.13.141.6/%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x0003F6)%3C/script%3E
> url:
> http://64.13.141.6/packages/%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x000433)%3C/script%3E
> parameter name: URI-Based
> Parameter Type: FullUrl
> (phishing attacks, man in the middle attacks, and session hijacking)
> 
> PHP Source Code Disclosure:
> url:
> http://64.13.141.6/packages/openssl-1.0.0_5.tbz
> (possibly gives access to databases and admin tools and can increase further
> attacks)
> 
> OpenSSL Version Disclosure:
> Version: 1.0.0d
> (can be used to find version specific vulnerabilities)
> 
> Trace/Track Identified:
> (further increases possibility of an XSS attack)
> 
> Apache Version Disclosure:
> version: 2.2.18
> (can be used to find version specific vulnerabilities)
> 
> Apache Module Version Disclosure:
> version: mod_ssl/2.2.18 OpenSSL/1.0.0d
> (can be used to find version specific vulnerabilities)
> 
> 
> Actual results:
> 
> getfirefox.com server 64.13.141.6 vulnerabilities
> 
> Cross Site Scripting:
> url:
> http://64.13.141.6/vimrc.md5%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x000438)%3C/script%3E
> url:
> http://64.13.141.6/SETUP%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x000416)%3C/script%3E
> url:
> http://64.13.141.6/%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x0003F6)%3C/script%3E
> url:
> http://64.13.141.6/packages/%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x000433)%3C/script%3E
> parameter name: URI-Based
> Parameter Type: FullUrl
> (phishing attacks, man in the middle attacks, and session hijacking)
> 
> PHP Source Code Disclosure:
> url:
> http://64.13.141.6/packages/openssl-1.0.0_5.tbz
> (possibly gives access to databases and admin tools and can increase further
> attacks)
> 
> OpenSSL Version Disclosure:
> Version: 1.0.0d
> (can be used to find version specific vulnerabilities)
> 
> Trace/Track Identified:
> (further increases possibility of an XSS attack)
> 
> Apache Version Disclosure:
> version: 2.2.18
> (can be used to find version specific vulnerabilities)
> 
> Apache Module Version Disclosure:
> version: mod_ssl/2.2.18 OpenSSL/1.0.0d
> (can be used to find version specific vulnerabilities)
> 
> 
> Expected results:
> 
> No cross site scripting, no php source code disclosure, no Trace/Track, no
> Apache or OpenSSL version disclosures.

1. 64.13.141.6 is not a Mozilla IP, so if that is the vulnerable server it's not ours

2. The DNS nameservers are wrong and I am looking into those
Assignee: server-ops-infra → server-ops-webops
Severity: major → normal
Component: Server Operations: Infrastructure → Server Operations: Web Operations
Priority: -- → P2
QA Contact: jdow → nmaul
Assignee: server-ops-webops → bburton
Nameserver update to NS[1-3].MOZILLA.ORG submitted to MarkMonitor, will confirm when live in whois info
Status: NEW → ASSIGNED
(In reply to Brandon Burton [:solarce] from comment #4)
> 1. 64.13.141.6 is not a Mozilla IP, so if that is the vulnerable server it's
> not ours

ns.meer.net is 64.13.141.6

> 2. The DNS nameservers are wrong and I am looking into those

... which is why that IP being vulnerable *does* matter, considering that if somebody were to get access to that server (via the vulnerabilities mentioned in comment #0 or other problems), such an attacker could point getfirefox.com to something nefarious (such as a malicious Firefox download).
Our hosting for getfirefox.org is only a virtual host with a redirect on our static cluster

# Bug 688019
<VirtualHost *:80>
    ServerName getfirefox.org
    ServerAlias www.getfirefox.org
    Redirect / http://www.mozilla.org/firefox/
</VirtualHost>

So I do not believe that this site on Mozilla infra is vulnerable, but that the server at 64.13.141.6 is, which is not owned or controlled by us.

DNS is now correct in whois

bburton@voltaire [06:42:41] [~] 
-> % whois getfirefox.org | grep -A3 'Name Server'
Name Server:NS1.MOZILLA.ORG
Name Server:NS2.MOZILLA.ORG
Name Server:NS3.MOZILLA.ORG
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
➜  ~  dig getfirefox.org

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> getfirefox.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7698
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;getfirefox.org.			IN	A

;; ANSWER SECTION:
getfirefox.org.		300	IN	A	63.245.217.181

;; Query time: 135 msec
;; SERVER: 69.64.44.20#53(69.64.44.20)
;; WHEN: Sun Feb  3 03:44:18 2013
;; MSG SIZE  rcvd: 48
(In reply to Brandon Burton [:solarce] from comment #7)
> Our hosting for getfirefox.org is only a virtual host with a redirect on our
> static cluster

getfirefox.com is the problem, not .org... I checked .org already, and it had the correct nameservers.

> So I do not believe that this site on Mozilla infra is vulnerable, but that
> the server at 64.13.141.6 is, which is not owned or controlled by us.

Yes, see again comment #6 as to why this would still be considered a security vulnerability. :)

> DNS is now correct in whois

Again, .com, not .org, but I can confirm that .com now shows the correct nameservers.

$ whois getfirefox.com | grep 'Name Server'
   Name Server: NS1.MOZILLA.ORG
   Name Server: NS2.MOZILLA.ORG
   Name Server: NS3.MOZILLA.ORG

Thanks for the quick response. Opening this bug.
Group: websites-security
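The two checks run by hand in this thread (whois nameservers compared against the expected ns1-3.mozilla.org set, and a direct query to each delegated server that came back REFUSED) can be scripted. This is an added example, not code from the bug or from Mozilla's tooling; it builds a raw SOA query with the standard library and assumes the expected nameserver set given in EXPECTED_NS.

```python
import socket
import struct

# Delegation the thread settled on (comment #1 / whois output); assumption for this example.
EXPECTED_NS = {"ns1.mozilla.org", "ns2.mozilla.org", "ns3.mozilla.org"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_soa_query(name, txid=0x1234):
    """Minimal RFC 1035 query: header, QNAME, QTYPE SOA (6), QCLASS IN (1).
    RD is left clear so we get the server's own authoritative view, not a recursive lookup."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)


def parse_response_header(data, txid=0x1234):
    """Return (rcode name, authoritative flag) from a DNS response header."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return RCODES.get(flags & 0x000F, str(flags & 0x000F)), bool(flags & 0x0400)


def delegation_problems(whois_nameservers, expected=EXPECTED_NS):
    """Nameservers whois lists that are outside the expected set (the mismatch in comment #1).
    Normalises case and trailing dots, since registrars print NS1.MOZILLA.ORG in upper case."""
    listed = {ns.lower().rstrip(".") for ns in whois_nameservers}
    return sorted(listed - expected)


def query_nameserver(domain, nameserver, timeout=3.0):
    """Ask one delegated server for the zone SOA over UDP (what `host domain server` does).
    REFUSED, or an answer without AA, means a lame delegation as seen in comment #2."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(domain), (nameserver, 53))
        data, _ = s.recvfrom(512)
    return parse_response_header(data)


if __name__ == "__main__":
    print(delegation_problems(["ns.meer.net", "ns.mozilla.org"]))  # the bad delegation
    for ns in sorted(EXPECTED_NS):                                  # live check, needs network
        print(ns, query_nameserver("getfirefox.com", ns))
```

Anything other than ("NOERROR", True) from every listed nameserver, or a non-empty list from delegation_problems, is the condition this bug was about: the domain is answerable by a host outside your control.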
(In reply to Reed Loden [:reed] from comment #9)
> (In reply to Brandon Burton [:solarce] from comment #7)
> > Our hosting for getfirefox.org is only a virtual host with a redirect on our
> > static cluster
> 
> getfirefox.com is the problem, not .org... I checked .org already, and it
> had the correct nameservers.
> 
> > So I do not believe that this site on Mozilla infra is vulnerable, but that
> > the server at 64.13.141.6 is, which is not owned or controlled by us.
> 
> Yes, see again comment #6 as to why this would still be considered a
> security vulnerability. :)
> 
> > DNS is now correct in whois
> 
> Again, .com, not .org, but I can confirm that .com now shows the correct
> nameservers.
> 
> $ whois getfirefox.com | grep 'Name Server'
>    Name Server: NS1.MOZILLA.ORG
>    Name Server: NS2.MOZILLA.ORG
>    Name Server: NS3.MOZILLA.ORG
> 
> Thanks for the quick response. Opening this bug.

I mid-aired on your comment; I did not mean to not acknowledge it, though. Yes, I completely understand and agree. Have a good night, happy to help.
For completeness, getfirefox.com has a similar setup to getfirefox.org, just redirects in apache

<VirtualHost *:80>
    ServerName getfirefox.com
    ServerAlias www.getfirefox.com mozillafirefox.com www.mozillafirefox.com \
                firefoxbrowser.com www.firefoxbrowser.com firefoxbrowser.org www.firefoxbrowser.org
    Redirect permanent /Firefox_3 http://www.mozilla.org/firefox/
    Redirect permanent /beta http://www.mozilla.org/firefox/channel
    Redirect permanent /nightly http://nightly.mozilla.org
    RedirectMatch permanent .* http://www.mozilla.org/firefox/?from=getfirefox
    ErrorLog "|/usr/sbin/rotatelogs /etc/httpd/logs/getfirefox/error_log_%Y-%m-%d 86400 -480"
    CustomLog "|/usr/sbin/rotatelogs /etc/httpd/logs/getfirefox/access_%Y-%m-%d 86400 -480" combined
</VirtualHost>
Flags: sec-bounty? → sec-bounty+
The bounty committee has decided to pay out on the bug. Although the nameserver and IP are not owned by Mozilla, this bug exposed a misconfiguration on our side which could potentially lead to spoofing of the getfirefox.com site. This would require a compromise of the ns.meer.net server, as :reed mentioned.
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard