Closed Bug 1036213 (CVE-2014-1546) Opened 5 years ago Closed 5 years ago

[SECURITY] Add '/**/' before jsonrpc.cgi callback to avoid swf content type sniff vulnerability

Categories

(Bugzilla :: WebService, defect, critical)

3.7.1
defect
Not set
critical

Tracking


RESOLVED FIXED
Bugzilla 4.0

People

(Reporter: netfuzzerr, Assigned: reed)

Details

(Keywords: sec-critical)

Attachments

(3 files)

Attached file poc.html
User Agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

Steps to reproduce:

Hi,

I think you may already know about this vulnerability (if not, take a look at miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/).

This vulnerability allows the page jsonrpc.cgi to be loaded as a SWF file, resulting in HTTP requests to the local web server (bugzilla.mozilla.org). To patch it, add '/**/' before the callback function.

Reproduce:
1. Log in to Bugzilla.
2. Open poc.html (attached).
3. Wait 10 seconds.
4. You will be redirected to a page that contains the source code of 'bugzilla.mozilla.org' (fetched via the victim's browser), so it contains your session security token.

Cheers,
Btw, I am only able to reproduce on Firefox.
Can you reproduce this in version 4.0 or above? This bug is marked Bugzilla 3.6, which has been EOLed.
Flags: needinfo?(netfuzzerr)
Yeah, sorry about that. I am able to reproduce it on 4.0+.
Flags: needinfo?(netfuzzerr)
Version: 3.6 → 4.0
Attached patch patch - v1
Assignee: general → reed
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8452825 - Flags: review?(sgreen)
Attachment #8452825 - Flags: review?(glob)
Flags: sec-bounty?
(In reply to Mario Gomes from comment #1)
> btw, i am only able to reproduce on firefox.

Chrome and Opera aren't affected, as we send the |X-Content-Type-Options: nosniff| header with every response.
Component: Bugzilla-General → WebService
Yeah - as both are based on WebKit, both are safe.
Attachment #8452825 - Flags: review?(sgreen) → review+
Flags: approval4.4+
Flags: approval4.2+
Flags: approval4.0+
Flags: approval+
The code goes all the way back to Bugzilla 4.0 ( http://git.mozilla.org/?p=bugzilla/bugzilla.git;a=blob;f=Bugzilla/WebService/Server/JSONRPC.pm;h=5ee341b4b11b38ffb951ed60721af6cc6afd4df6;hb=refs/heads/4.0#l91 ). Released versions have an extra new line before the closing brace, which means a different patch is required for those branches.
Target Milestone: --- → Bugzilla 4.0
Attachment #8452825 - Flags: review?(glob) → review+
Attachment #8452874 - Flags: review?(glob) → review+
Could we also add an arbitrary length limitation on the callback name? More than 32 characters? Learn to be more concise -- status 500 for you.
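A minimal model of the three mitigations this thread discusses (the '/**/' prefix from the patch, the |X-Content-Type-Options: nosniff| header, and a cap on callback length), written here as an added example rather than Bugzilla's own code; the identifier regex, the 32-character cap and the helper names are assumptions. It also shows why validation alone is not enough: an identifier-shaped callback can still begin with SWF magic bytes, so the prefix is what keeps attacker-chosen bytes away from offset 0.

```python
import json
import re

# Added example, not Bugzilla's code: a toy model of the jsonrpc.cgi JSONP
# wrapper before and after the fix, plus the other mitigations from the thread.

SWF_MAGIC = ("FWS", "CWS", "ZWS")          # uncompressed / zlib / LZMA SWF headers
MAX_CALLBACK_LEN = 32                       # length cap floated in the thread (assumed value)
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]*$")  # assumed: dotted JS identifier


def validate_callback(name):
    """Accept only a short, identifier-shaped callback name."""
    if len(name) > MAX_CALLBACK_LEN:
        raise ValueError("callback too long")           # the 'status 500 for you' case
    if not CALLBACK_RE.match(name):
        raise ValueError("callback is not an identifier")
    return name


def jsonp_before_fix(callback, result):
    """Pre-fix behaviour: the caller-chosen callback is byte 0 of the body."""
    return "%s(%s);" % (callback, json.dumps(result))


def jsonp_after_fix(callback, result):
    """Post-fix behaviour: '/**/' occupies the first bytes and the callback is checked."""
    return "/**/%s(%s);" % (validate_callback(callback), json.dumps(result))


def fixed_headers():
    """Headers the thread says already protect Chrome and Opera users."""
    return {"Content-Type": "application/json; charset=UTF-8",
            "X-Content-Type-Options": "nosniff"}


def sniffable_as_swf(body):
    """Defender-side check: would a naive sniffer take this body for a SWF?"""
    return body.startswith(SWF_MAGIC)


def audit(body, headers):
    """Return the problems a reviewer would flag for one JSONP response."""
    problems = []
    if sniffable_as_swf(body):
        problems.append("body starts with SWF magic")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        problems.append("missing X-Content-Type-Options: nosniff")
    return problems
```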
Alias: CVE-2014-1546
Keywords: sec-critical
Hold off on using that CVE until I get an answer from MITRE. It's possible we should just say we're fixing our version of the main CVE-2014-4671 that covers the original vulnerability. That would conflict with their policy that fixing the same bug in different client libraries needs separate CVEs, but then I'm not sure what CVE-2014-4671 would cover, because the primary blog post was about a technique, not a specific vulnerable software.
Alias: CVE-2014-1546 → maybe-CVE-2014-1546
Using "nosniff" seems like the more principled approach. Why doesn't it work in Firefox? Is there a bug on that?
My first instinct was right, we need our own CVE for bugzilla.
Alias: maybe-CVE-2014-1546 → CVE-2014-1546
(In reply to Jesse Ruderman from comment #11)
> Using "nosniff" seems like the more principled approach. Why doesn't it work
> in Firefox? Is there a bug on that?

Bug 471020
Is this bug eligible for a bounty?
Flags: sec-bounty? → sec-bounty+
glob: is there a separate bug for pushing this to BMO? Has that happened yet?
Flags: needinfo?(glob)
Thank you so much for the bounty! :)
(In reply to Daniel Veditz [:dveditz] from comment #16)
> glob: is there a separate bug for pushing this to BMO? Has that happened yet?

Bug 1036281, and yes, it has gone live. BRC was also updated last week.
Flags: needinfo?(glob)
Severity: normal → critical
Btw, I couldn't get the bounty payment because the banking information used for the payment was an old one (my old bank account). I don't know why that happened, since I sent the right payment information to `chris hoffman` and told him that there were updates to my bank account, but he/Mozilla kept sending the payment to my old account, which I don't have access to anymore.

So, can somebody responsible for bounty payments give me some explanation of why it happened? Also, could someone re-send the payment to the right payment information that I provided?
Blocks: 1042093
FYI, we always set the version field of security bugs to the first release affected. In this specific case, the first release with this bug is Bugzilla 3.7.1, see bug 550727.
Version: 4.0 → 3.7.1
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   b3554b3..8498827  4.0 -> 4.0

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   26728e3..f0760dd  4.2 -> 4.2

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   5d24520..ac5bf59  4.4 -> 4.4

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   cf3e8bc..02ce906  master -> master
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Summary: add '/**/' before jsonrpc.cgi callback to avoid swf content type sniff vulnerability → [SECURITY] Add '/**/' before jsonrpc.cgi callback to avoid swf content type sniff vulnerability