Closed
Bug 1170414
Opened 9 years ago
Closed 9 years ago
Redirection loop in *.cgi when path-info is present
Categories
(bugzilla.mozilla.org :: General, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: santiagoalopez.sl, Assigned: glob)
Details
Attachments
(1 file, 1 obsolete file)
925 bytes, patch | dkl: review+
Look at this example: https://bugzilla.mozilla.org/buglist.cgi/http://google.com

If you execute it in the browser you can see a redirection loop bug; it makes a lot of redirections to the same location and finally finishes in the timeout. An attacker can utilize this vulnerability to flood the victim's traffic. I tested other cgi files in the website and all the scripts have the same problem.

Other examples:
https://bugzilla.mozilla.org/reports.cgi/http://google.com
https://bugzilla.mozilla.org/page.cgi/http://google.com
https://bugzilla.mozilla.org/query.cgi/http://google.com
etc.
this isn't a security issue - it doesn't enable the browser to send any more traffic than is possible with other mechanisms (eg. a request triggered by a javascript interval, or a simple script with a loop).
Assignee: nobody → glob
Group: bugzilla-security
Summary: Redirection loop in *.cgi → Redirection loop in *.cgi when path-info is present
- tell apache to ignore path-info
Attachment #8613865 -
Flags: review?(dkl)
Comment 3•9 years ago
Comment on attachment 8613865
1170414_1.patch

Review of attachment 8613865:
-----------------------------------------------------------------

Breaks REST functionality.

http://localhost/1170414/http://google.com
The requested URL /1170414/http://google.com was not found on this server.

http://localhost/1170414/rest/bug/35
The requested URL /1170414/rest.cgi/bug/35 was not found on this server.

dkl
Attachment #8613865 -
Flags: review?(dkl) → review-
the crux of the problem is perl's CGI.pm uses $ENV{PATH_INFO} to remove it from the uri:

    $uri =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO};

however apache collapses double slashes to a single slash in env variables, so instead of removing "http://example.com" it tries to remove "http:/example.com" and fails.
Attachment #8613865 -
Attachment is obsolete: true
Attachment #8614530 -
Flags: review?(dkl)
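Added example (not part of the bug thread, and not CGI.pm's, Bugzilla's or the attached patch's code): a stand-alone Perl script that reproduces the mismatch described in the comment above on a constructed request. The helper names and the slash-normalizing variant are hypothetical, shown only to make the failed match visible.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same substitution as the line quoted in the comment: strip PATH_INFO from
# the end of the request URI to recover the script's own URL.
# Returns the URI unchanged when the suffix does not match.
sub strip_path_info {
    my ($uri, $path_info) = @_;
    $uri =~ s/\Q$path_info\E$// if defined $path_info;
    return $uri;
}

# Hypothetical helper: collapse runs of slashes, modelling what the comment
# says Apache does to values placed in environment variables.
sub collapse_slashes {
    my ($s) = @_;
    $s =~ s{/+}{/}g;
    return $s;
}

# Hypothetical variant: bring the URI path into the same collapsed form
# before stripping, so both sides of the comparison agree.
# Assumes $uri is a path only (no scheme://host prefix).
sub strip_path_info_normalized {
    my ($uri, $path_info) = @_;
    return strip_path_info(collapse_slashes($uri), $path_info);
}

# Constructed request, modelled on the URLs reported in this bug.
my $request_uri = '/buglist.cgi/http://google.com';
my $path_info   = collapse_slashes('/http://google.com');   # "/http:/google.com"

for my $case (
    [ 'as quoted',  strip_path_info($request_uri, $path_info) ],
    [ 'normalized', strip_path_info_normalized($request_uri, $path_info) ],
) {
    my ($label, $script_url) = @$case;
    my $state = $script_url eq '/buglist.cgi'
        ? 'script URL recovered'
        : 'PATH_INFO still attached';
    printf "%-10s %-32s %s\n", $label, $script_url, $state;
}
```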
Comment 5•9 years ago
Comment on attachment 8614530
1170414_2.patch

Review of attachment 8614530:
-----------------------------------------------------------------

r=dkl
Attachment #8614530 -
Flags: review?(dkl) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git f53e220..be25975 master -> master
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Hi,

This issue isn't fixed for now; when I go to https://bugzilla.mozilla.org/reports.cgi/http://google.com it is still making the redirections in all scripts.
Flags: needinfo?(glob)
Comment 8•9 years ago
(In reply to Santiago from comment #7)
> Hi,
>
> This issue isn't fixed for now; when I go to
> https://bugzilla.mozilla.org/reports.cgi/http://google.com it is still making
> the redirections in all scripts.

Sorry. It has been committed to our git repo but it has not yet been pushed out to production. This will likely happen early next week during our normal push time.

dkl
Reporter
Comment 10•9 years ago
Sorry, that comment was me, I confused my accounts.

Regards.
Assignee
Comment 11•9 years ago
(In reply to Mr Hack from comment #9)
> fine, very fast fix. will be able to a bounty?

no - this isn't a security issue.
Flags: needinfo?(glob)
Reporter
Comment 12•9 years ago
It looks like it's fixed now!