If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Status

www.mozilla.org
General
RESOLVED INVALID
3 years ago
3 years ago

People

(Reporter: Hammad, Unassigned)

Tracking

Production
x86_64
Windows 7

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141011015303

Steps to reproduce:

This page allows visitors to upload files to the server. Various web applications allow users to upload files (such as pictures, images, sounds, ...). Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.


Actual results:

Attack details
Form name: reportForm
Form action: https://www.mozilla.org/en-US/about/legal/fraud-report/
Form method: POST

Form inputs:

csrfmiddlewaretoken [Hidden]
input_url [Text]
input_category [Select]
office_fax [Text]
input_product [Select]
input_specific_product [Text]
input_details [TextArea]
input_attachment [File]
input_attachment_desc [TextArea]
input_email [Text]
submit_form [Submit]


Expected results:

This vulnerability affects /en-US/about/legal/fraud-report.
If the uploaded files are not safely checked an attacker may upload malicious files.
Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.png. Check for files without a filename like .htaccess (on ASP.NET, check for configuration files like web.config). Change the permissions on the upload folder so the files within it are not executable. If possible, rename the files that are uploaded.
Please don't submit untested reports from vulnerability scanners. They are almost always wrong (such as this case).
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Component: Untriaged → General
Product: Firefox → www.mozilla.org
Resolution: --- → INVALID
Version: 33 Branch → Production
You need to log in before you can comment on or make changes to this bug.