Bug 1036213 (CVE-2014-1546): [SECURITY] Add '/**/' before jsonrpc.cgi callback to avoid swf content type sniff vulnerability
Status: Closed, RESOLVED FIXED (opened 11 years ago, closed 10 years ago)
Categories: Bugzilla :: WebService, defect
Tracking: Bugzilla 4.0
People: Reporter: netfuzzerr, Assigned: reed
Keywords: reporter-external, sec-critical
Attachments (3 files):
- 2.02 KB, text/html
- 684 bytes, patch (mail: review+, glob: review+)
- 686 bytes, patch (glob: review+)
User Agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
Steps to reproduce:
Hi,
I think you may already know about this vulnerability (if not, take a look: miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/).
This vulnerability allows the page jsonrpc.cgi to be loaded as a SWF file, resulting in HTTP requests to the local webserver (bugzilla.mozilla.org). To patch it, add '/**/' before the callback function.
Reproduce:
1. Log in bugzilla.
2. open poc.html(attached)
3. wait 10 seconds
4. You will be redirected to a page that contains the source code of 'bugzilla.mozilla.org' (fetched via the victim's browser), so it contains your session security token.
Cheers,
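The condition the report describes and the fix it proposes, as an added example that is not Bugzilla's code (Bugzilla's real handler lives in Bugzilla/WebService/Server/JSONRPC.pm and is Perl): a JSONP responder in its pre-fix and post-fix forms. A SWF file starts with the magic bytes FWS, CWS or ZWS, so when the response body begins with the attacker-chosen callback name, a plugin that sniffs the body as Flash will accept it. The function names, the callback regex, the constructed callback `CWSabc` and the 32-character limit (suggested in comment 9) are assumptions of this example, not part of the page.

```python
"""Added example, not Bugzilla's code: JSONP responder before and after the
'/**/' prefix fix, with the SWF-magic check that explains why the fix works.

Assumptions (not from the bug page): function names, the callback grammar,
the 32-character callback limit, and the constructed sample inputs.
"""
import json
import re
from typing import Dict, Tuple

# Magic bytes of the three SWF container formats (uncompressed, zlib, LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Conservative JSONP callback grammar: a JS identifier, optionally dotted.
# Note that a Rosetta-Flash style alphanumeric blob such as "CWSabc" still
# matches this grammar, which is why validation alone is not enough.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 32  # hypothetical limit, in the spirit of comment 9


def looks_like_swf(body: bytes) -> bool:
    """True if a plugin sniffing this body as Flash would see a SWF header."""
    return body[:3] in SWF_MAGIC


def is_valid_callback(callback: str) -> bool:
    """Length cap plus identifier grammar for the callback parameter."""
    return len(callback) <= MAX_CALLBACK_LEN and CALLBACK_RE.match(callback) is not None


def jsonp_vulnerable(callback: str, payload: dict) -> Tuple[Dict[str, str], bytes]:
    """Pre-fix behaviour: the response body starts with attacker-chosen text."""
    headers = {"Content-Type": "application/json"}
    body = f"{callback}({json.dumps(payload)});".encode()
    return headers, body


def jsonp_hardened(callback: str, payload: dict) -> Tuple[Dict[str, str], bytes]:
    """Post-fix behaviour: reject odd callbacks, send nosniff, and open the
    body with a JS comment so it can never begin with a SWF magic number."""
    if not is_valid_callback(callback):
        raise ValueError("invalid JSONP callback")
    headers = {
        "Content-Type": "application/json",
        # Comment 5: Chrome and Opera honour this; Firefox of the time did not.
        "X-Content-Type-Options": "nosniff",
    }
    body = b"/**/" + f"{callback}({json.dumps(payload)});".encode()
    return headers, body


if __name__ == "__main__":
    # Constructed sample: only the leading "CWS" matters for the sniff check.
    _, vuln = jsonp_vulnerable("CWSabc", {"ok": 1})
    _, safe = jsonp_hardened("CWSabc", {"ok": 1})
    print("vulnerable body sniffs as SWF:", looks_like_swf(vuln))  # True
    print("hardened body sniffs as SWF:  ", looks_like_swf(safe))  # False
```

The point to notice is that `CWSabc` passes the identifier check, so a callback allowlist on its own does not close the hole; the leading `/**/` is what guarantees the first bytes of the body are never attacker-controlled, and `nosniff` is the belt-and-braces layer for browsers that honour it.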
Comment 1 • 11 years ago (Reporter)
BTW, I am only able to reproduce on Firefox.
Comment 2 • 11 years ago
Can you reproduce this in a version 4.0 or above? This bug is marked Bugzilla 3.6, which has EOLed.
Flags: needinfo?(netfuzzerr)
Comment 3 • 11 years ago (Reporter)
Yeah, sorry about that. I am able to reproduce it +4.0.
Flags: needinfo?(netfuzzerr)
Updated • 11 years ago
Version: 3.6 → 4.0
Comment 4 • 11 years ago (Assignee)
Assignee: general → reed
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8452825 -
Flags: review?(sgreen)
Attachment #8452825 -
Flags: review?(glob)
Updated • 11 years ago (Assignee)
Flags: sec-bounty?
Comment 5 • 11 years ago (Assignee)
(In reply to Mario Gomes from comment #1)
> btw, i am only able to reproduce on firefox.
Chrome and Opera aren't affected, as we send the |X-Content-Type-Options: nosniff| header with every response.
Updated • 11 years ago (Assignee)
Component: Bugzilla-General → WebService
Comment 6 • 11 years ago (Reporter)
Yeah - as both are based on WebKit, both are safe.
Updated • 11 years ago
Attachment #8452825 -
Flags: review?(sgreen) → review+
Updated • 11 years ago
Flags: approval4.4+
Flags: approval4.2+
Flags: approval4.0+
Flags: approval+
Comment 7 • 11 years ago
The code goes all the way back to Bugzilla 4.0 ( http://git.mozilla.org/?p=bugzilla/bugzilla.git;a=blob;f=Bugzilla/WebService/Server/JSONRPC.pm;h=5ee341b4b11b38ffb951ed60721af6cc6afd4df6;hb=refs/heads/4.0#l91 ). Released versions have an extra newline before the closing brace, which means a different patch is required for those branches.
Comment 8 • 11 years ago
Attachment #8452874 -
Flags: review?(glob)
Updated • 11 years ago
Target Milestone: --- → Bugzilla 4.0
Attachment #8452825 -
Flags: review?(glob) → review+
Attachment #8452874 -
Flags: review?(glob) → review+
Comment 9 • 11 years ago
Could we also add an arbitrary length limitation on the callback name? More than 32 characters? Learn to be more concise -- status 500 for you.
Alias: CVE-2014-1546
Keywords: sec-critical
Comment 10 • 11 years ago
Hold off on using that CVE until I get an answer from MITRE. It's possible we should just say we're fixing our version of the main CVE-2014-4671 that covers the original vulnerability. That would conflict with their policy that fixing the same bug in different client libraries need separate CVEs, but then I'm not sure what CVE-2014-4671 would cover because the primary blog post was about a technique, not a specific vulnerable software.
Alias: CVE-2014-1546 → maybe-CVE-2014-1546
Comment 11 • 11 years ago
Using "nosniff" seems like the more principled approach. Why doesn't it work in Firefox? Is there a bug on that?
Comment 12 • 11 years ago
My first instinct was right, we need our own CVE for bugzilla.
Alias: maybe-CVE-2014-1546 → CVE-2014-1546
Comment 13 • 11 years ago
(In reply to Jesse Ruderman from comment #11)
> Using "nosniff" seems like the more principled approach. Why doesn't it work
> in Firefox? Is there a bug on that?
Bug 471020
Comment 14 • 11 years ago (Reporter)
Is this bug eligible for a bounty?
Updated • 11 years ago
Flags: sec-bounty? → sec-bounty+
Comment 16 • 11 years ago
glob: is there a separate bug for pushing this to BMO? Has that happened yet?
Flags: needinfo?(glob)
Comment 17 • 11 years ago (Reporter)
Thank you so much for the bounty ! :)
Comment 18 • 11 years ago
(In reply to Daniel Veditz [:dveditz] from comment #16)
> glob: is there a separate bug for pushing this to BMO? Has that happened yet?
Bug 1036281 , and yes, it has gone live. BRC was also updated last week too.
Flags: needinfo?(glob)
Updated • 11 years ago
Severity: normal → critical
Comment 19 • 10 years ago (Reporter)
BTW, I couldn't get the bounty payment because the banking information used for the payment was an old one (my old bank account). I don't know why that happened, since I sent the right payment information to `chris hoffman` and told him that there were updates to my bank account, but he/Mozilla kept sending the payment to my old account, which I no longer have access to.
So, could somebody responsible for bounty payments give me some explanation of why it happened? Also, could someone re-send the payment to the right payment information that I provided?
Comment 20 • 10 years ago
FYI, we always set the version field of security bugs to the first release affected. In this specific case, the first release with this bug is Bugzilla 3.7.1, see bug 550727.
Version: 4.0 → 3.7.1
Comment 21 • 10 years ago
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
b3554b3..8498827 4.0 -> 4.0
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
26728e3..f0760dd 4.2 -> 4.2
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
5d24520..ac5bf59 4.4 -> 4.4
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
cf3e8bc..02ce906 master -> master
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated • 10 years ago
Summary: add '/**/' before jsonrpc.cgi callback to avoid swf content type sniff vulnerability → [SECURITY] Add '/**/' before jsonrpc.cgi callback to avoid swf content type sniff vulnerability
Updated • 8 months ago
Keywords: reporter-external