Closed Bug 1170414 Opened 6 years ago Closed 6 years ago

Redirection loop in *.cgi when path-info is present

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: santiagoalopez.sl, Assigned: glob)

Details

Attachments

(1 file, 1 obsolete file)

Look at this example:

https://bugzilla.mozilla.org/buglist.cgi/http://google.com

If you open it in the browser you can see a redirection loop bug: it makes a lot of redirections to the same location and finally ends in a timeout.
An attacker can utilize this vulnerability to flood the victim's traffic.

I tested other cgi files on the website and all the scripts have the same problem. Other examples:

https://bugzilla.mozilla.org/reports.cgi/http://google.com
https://bugzilla.mozilla.org/page.cgi/http://google.com
https://bugzilla.mozilla.org/query.cgi/http://google.com
etc.
This isn't a security issue - it doesn't enable the browser to send any more traffic than is possible with other mechanisms (e.g. a request triggered by a javascript interval, or a simple script with a loop).
Assignee: nobody → glob
Group: bugzilla-security
Summary: Redirection loop in *.cgi → Redirection loop in *.cgi when path-info is present
Attached patch 1170414_1.patch (obsolete) — — Splinter Review
- tell apache to ignore path-info
Attachment #8613865 - Flags: review?(dkl)
Comment on attachment 8613865 [details] [diff] [review]
1170414_1.patch

Review of attachment 8613865 [details] [diff] [review]:
-----------------------------------------------------------------

Breaks REST functionality.

http://localhost/1170414/http://google.com

The requested URL /1170414/http://google.com was not found on this server.

http://localhost/1170414/rest/bug/35

The requested URL /1170414/rest.cgi/bug/35 was not found on this server.

dkl
Attachment #8613865 - Flags: review?(dkl) → review-
Attached patch 1170414_2.patch — — Splinter Review
the crux of the problem is perl's CGI.pm uses $ENV{PATH_INFO} to remove it from the uri:

$uri =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO};

however apache collapses double slashes to a single slash in env variables, so instead of removing "http://example.com" it tries to remove "http:/example.com" and fails.
Attachment #8613865 - Attachment is obsolete: true
Attachment #8614530 - Flags: review?(dkl)
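The stripping step described in the comment above, modelled in Python as an added example (this is not Bugzilla's code, not CGI.pm, and not the attached patch). The naive function mirrors the quoted Perl substitution; apache_collapse_slashes mimics the slash-collapsing the comment attributes to Apache; the normalized variant is one possible fix that is an assumption here, not a description of 1170414_2.patch. The sample request URIs are constructed, and the redirect loop itself depends on Bugzilla's redirect logic, which this bug does not show, so only the removal of PATH_INFO is demonstrated.

```python
import re


def strip_path_info_naive(uri, path_info):
    """Mirror of CGI.pm's  $uri =~ s/\\Q$ENV{PATH_INFO}\\E$//  (anchored, literal match)."""
    if path_info is None:
        return uri
    return re.sub(re.escape(path_info) + r"$", "", uri)


def apache_collapse_slashes(value):
    """Model of what the bug says Apache does to env variables: '//' becomes '/'."""
    return re.sub(r"/{2,}", "/", value)


def strip_path_info_normalized(uri, path_info):
    """Assumed fix (not the patch from this bug): compare the PATH_INFO Apache
    hands us against a slash-collapsed copy of the request URI, so that the two
    strings agree even when the path-info contained 'http://'."""
    if path_info is None:
        return uri
    collapsed_uri = apache_collapse_slashes(uri)
    collapsed_pi = apache_collapse_slashes(path_info)
    if collapsed_pi and collapsed_uri.endswith(collapsed_pi):
        return collapsed_uri[: -len(collapsed_pi)]
    return collapsed_uri


def demo(request_uri, raw_path_info):
    """Run both variants on a constructed request and return the script URIs they derive."""
    env_path_info = apache_collapse_slashes(raw_path_info)  # what $ENV{PATH_INFO} looks like
    return {
        "env_path_info": env_path_info,
        "naive": strip_path_info_naive(request_uri, env_path_info),
        "normalized": strip_path_info_normalized(request_uri, env_path_info),
    }


if __name__ == "__main__":
    # Constructed sample matching the reporter's URL: the naive strip fails and the
    # derived "script URI" still carries the path-info; the normalized one does not.
    print(demo("/buglist.cgi/http://google.com", "/http://google.com"))
    # Constructed REST-style sample from dkl's review: both variants keep working.
    print(demo("/rest.cgi/bug/35", "/bug/35"))
```

The REST case is included because dkl's review of the first patch shows that any fix must leave /rest/bug/35 style path-info routing intact; an alternative that avoids string comparison entirely is to derive the script URI from SCRIPT_NAME instead of subtracting PATH_INFO from REQUEST_URI.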
Comment on attachment 8614530 [details] [diff] [review]
1170414_2.patch

Review of attachment 8614530 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8614530 - Flags: review?(dkl) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   f53e220..be25975  master -> master
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Hi,

This issue isn't fixed for now; when I go to https://bugzilla.mozilla.org/reports.cgi/http://google.com it is still making the redirections in all scripts.
Flags: needinfo?(glob)
(In reply to Santiago from comment #7)
> Hi,
> 
> This issue isn't fixed for now; when I go to
> https://bugzilla.mozilla.org/reports.cgi/http://google.com it is still making
> the redirections in all scripts.

Sorry. It has been committed to our git repo but it has not yet been pushed out to production. This will likely happen early next week during our normal push time.

dkl
Fine, very fast fix. Will I be able to get a bounty?

Regards.
Sorry, that comment was me; I confused my accounts.

Regards.
(In reply to Mr Hack from comment #9)
> Fine, very fast fix. Will I be able to get a bounty?

No, this isn't a security issue.
Flags: needinfo?(glob)
It looks like it's fixed now!