Closed
Bug 1033068
Opened 11 years ago
Closed 10 years ago
The "unknown_action" error message could confuse the user
Categories: Bugzilla :: Bugzilla-General, defect
Tracking: RESOLVED FIXED, Bugzilla 4.4
People: Reporter: mr.trizaeron, Assigned: LpSolit
Details: Keywords: reporter-external; Whiteboard: [site:bugzilla.mozilla.org][reporter-external]
Attachments (1 file): patch, 691 bytes, dkl: review+
Hi,
I believe this is a security issue. When users can tamper with the value of a parameter, this can be used in phishing attacks and other malicious intent.
https://bugzilla.mozilla.org/token.cgi?t=Fix5Zg6LDl&a=,in%20order%20for%20it%20to%20be%20completed,%20please%20go%20to%20maliciousurl.com%20to%20recover%20your%20account.
As of the URL above, the "a" parameter can be modified to any text a malicious user wants.
In my case, I chose to make use of the pre-made error message "Unknown action" and added a further message: ",in order for it to be completed, please go to maliciousurl.com to recover your account."
Another thing is, the text is pretty catchy since it is inside an error message.
It should be considered as well that the link would not expire unless the email address is confirmed (the hyperlink is from the intended email address confirmation).
Kindly have a look sir. http://i.imgur.com/4rfYGzq.png
Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain.
Comment 1•11 years ago
This might be a dupe. I'll look more into it
Group: mozilla-services-security → bugzilla-security
Status: UNCONFIRMED → NEW
Component: Web Site → General
Ever confirmed: true
Flags: sec-bounty?
OS: Windows 8 → All
Product: Mozilla Services → bugzilla.mozilla.org
Hardware: x86_64 → All
Whiteboard: [site:bugzilla.mozilla.org][reporter-external]
Version: unspecified → Production
Reporter
Comment 2•11 years ago
Hi,
https://bugzilla.mozilla.org/show_bug.cgi?id=850546
I believe the report is different from my report. We have different parameters in the first place, and that specified report is already mitigated I believe. A 404 page is showing :)
Thank you. Kindly have a look.
Cheers,
Clifford
Comment 3•11 years ago
The 404 page is an enhancement that both Mozilla and Red Hat use (and maybe others). Upstream considered it, but it was CLOSED. See https://bugzilla.mozilla.org/show_bug.cgi?id=850546#c6 .
This is not a problem specific to Bugzilla. You can generate this error with a web page on a default Apache configuration.
FWIW, I consider this NOTABUG.
Reporter
Comment 4•11 years ago
Agreed. #NOTABUG :D
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Comment 5•11 years ago
Sorry I didn't mean to imply that this bug is a dupe of the other bug. They are different bugs. I believe this is a valid bug
Simon: Was your "not a bug" comment directed at this bug or the 404 one?
Reporter
Comment 6•11 years ago
Sorry, I just observed that I am talking to 2 different users. New to Mozilla Bugzilla, my bad.
Content spoofing would be a valid bug; if so, can I have a timeline of when this would be fixed? And let me know if this is considered for a reward?
Thank you both.
Reporter
Updated•11 years ago
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Comment 7•11 years ago
Okay, I've reread the bug and it is slightly different than the 404 issue, but I still don't think it is a valid bug.
There are many places where we can show the input from the user in the output. This output is always filtered (i.e. you can't put HTML or Javascript in the output), and that is why I do not think it is a bug.
Reporter
Comment 8•11 years ago
From a personal standpoint, there is indeed a bug. The injected text is reflected on the page, which I believe can last a long time before it expires, since the link only expires if an email address is successfully confirmed.
The pre-text "Unknown action" can also be modified, used to convey a more catchy message to deceive a victim.
I can also encode the URL in order for the victim not to recognize it.
Whilst I cannot input HTML or any other code, you cannot disagree that a text which is catchy (red background) can convey a deceiving message towards a not so technical user (technical users too!).
A risk of a message with malicious intent is worth a fix, I believe (again).
Thank you!
Clifford
this isn't BMO specific, moving to upstream.
regarding the issue itself, i don't think there's a security risk here - and if there were it would be sec-low to match bug 850546.
we have to weigh up the risks of echoing user-provided content in error messages against the usability this provides, and in this case i think usability trumps the risk.
Alias: Trizaeron
Assignee: nobody → general
Component: General → Bugzilla-General
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Version: Production → unspecified
Reporter
Comment 10•11 years ago
Hello,
I acknowledge your view here sir, but I humbly suggest that security weighs more than usability here. I'd like to comment my thought again: as a design issue, a victim may be fooled into thinking that the website content within mozilla.org is legitimate information. User-supplied content should not be echoed that way - it really looks legit.
But then again, the decision still falls to the security team.
Thanks!
Clifford
Comment 11•11 years ago
(In reply to Clifford Trigo from comment #10)
> But then again, the decision still falls to the security team.
i'm a member of the bugzilla security team, as is sgreen.
Reporter
Comment 12•11 years ago
Hello,
I was referring to all of you guys (as the security team). Thanks again for taking a look :D
Best regards,
Clifford
Reporter
Comment 13•11 years ago
Btw, how can we set this report to public sir? Thanks.
Comment 14•11 years ago
Bug set to public at reporter's request (comment 13).
This particular instance is certainly fixable; the set of actions is small and known, and probably fits a regexp of "\w", so we could just restrict the error to showing actions which matched that.
Also, "unknown action" should surely be a ThrowCodeError(), which I seem to remember says stuff like "please report this to the admin", which would make the spoof work a lot less well.
The question is whether we want to fix all instances of the same thing.
Gerv
Group: bugzilla-security
Reporter
Comment 15•11 years ago
Looking forward to a fix :)
Cheers,
Clifford
Assignee
Comment 17•11 years ago
(In reply to Gervase Markham [:gerv] from comment #14)
> Also, "unknown action" should surely be a ThrowCodeError()
No, it shouldn't. Because this error is usually triggered by users trying to play with Bugzilla. IMO, the right fix is simply to display:
"We couldn't figure out what you tried to do"
Severity: normal → minor
Priority: P1 → --
Comment 18•10 years ago
this is not eligible for a bounty due to the low security rating.
Flags: sec-bounty? → sec-bounty-
Assignee
Updated•10 years ago
Summary: Content spoofing in Bugzilla → The "unknown_action" error message could confuse the user
Assignee
Comment 19•10 years ago
Adding quotes around the name of the action and truncating it at 20 characters makes the error message unambiguous.
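The two mitigations discussed in this thread, the quote-and-truncate approach of comment 19 and Gerv's suggestion in comment 14 of only echoing values that have the `\w` shape of a real action name, side by side with the pre-fix behaviour the report describes. This is an added Python illustration, not Bugzilla's Perl code or the attached patch; the helper names, the `...` marker after a cut value, the constructed action names and the wording of the fixed messages are this example's own assumptions. The lure string is the one from the reporter's URL.

```python
import html
import re

# Constructed action names for this example (not Bugzilla's real token.cgi
# action list); what matters is the property comment 14 relies on: every
# legitimate name is short and consists of \w characters only.
KNOWN_ACTIONS = {"confirm_email", "change_password", "cancel_request"}

# Comment 14's whitelist shape for an action name.
ACTION_NAME_RE = re.compile(r"\w+")

# Comment 19's limit on how much of an unrecognised value is echoed back.
MAX_ECHO_LEN = 20


def unknown_action_naive(action: str) -> str:
    """Pre-fix shape of the message as the report describes it: the whole
    user-supplied value is appended to the fixed text (HTML-escaped, as the
    thread notes Bugzilla's output already is), so a sentence-length value
    reads as a continuation of the site's own wording."""
    return "Unknown action " + html.escape(action)


def unknown_action_truncated(action: str) -> str:
    """Comment 19's approach: quote the value and cut it at MAX_ECHO_LEN.
    The quotes mark where the site's text ends and the user's value begins,
    and the limit leaves no room for a lure. The '...' suffix is this
    example's own way of signalling that something was cut."""
    shown = action[:MAX_ECHO_LEN]
    if len(action) > MAX_ECHO_LEN:
        shown += "..."
    return f"Unknown action '{html.escape(shown)}'"


def unknown_action_whitelisted(action: str) -> str:
    """Comment 14's alternative: echo the value only when it looks like an
    action name; anything else gets a fixed message with no echo at all."""
    if ACTION_NAME_RE.fullmatch(action):
        return f"Unknown action '{html.escape(action)}'"
    return "Unknown action (the value supplied is not a valid action name)"


def handle_token_action(action: str, policy=unknown_action_truncated) -> str:
    """Dispatch stub (hypothetical): known actions are acknowledged, unknown
    ones produce the error text chosen by `policy`. Returns what the user sees."""
    if action in KNOWN_ACTIONS:
        return f"Performing '{action}'"
    return policy(action)


# Constructed input mirroring the report: the "a" value from the reporter's URL.
SPOOF = (",in order for it to be completed, please go to "
         "maliciousurl.com to recover your account.")

if __name__ == "__main__":
    for policy in (unknown_action_naive, unknown_action_truncated,
                   unknown_action_whitelisted):
        print(f"{policy.__name__:27} -> {handle_token_action(SPOOF, policy)}")
```

Running the block prints the three renderings of the same input; only the naive one still contains the lure. The whitelist variant is the stricter of the two fixes (a value with spaces or punctuation is never echoed), while the truncated variant keeps the usability glob argues for in the thread by still showing the user what was not understood.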
Assignee
Comment 20•10 years ago
To test the patch, you can use the testcase I pasted in the URL field, which doesn't require any token.
Target Milestone: --- → Bugzilla 4.4
Comment 21•10 years ago
Comment on attachment 8508593 [details] [diff] [review]
patch, v1
Review of attachment 8508593 [details] [diff] [review]:
-----------------------------------------------------------------
Works as expected. r=dkl
Attachment #8508593 -
Flags: review?(dkl) → review+
Updated•10 years ago
Flags: approval?
Flags: approval4.4?
Updated•10 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval+
Assignee
Comment 22•10 years ago
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
226b92c..e50bddb master -> master
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
9ca7310..aa689e5 4.4 -> 4.4
Status: ASSIGNED → RESOLVED
Closed: 11 years ago → 10 years ago
Resolution: --- → FIXED
Updated•8 months ago
Keywords: reporter-external