Closed Bug 1170414 Opened 10 years ago Closed 10 years ago

Redirection loop in *.cgi when path-info is present

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: santiagoalopez.sl, Assigned: glob)

Attachments

(1 file, 1 obsolete file)

Look at this example: https://bugzilla.mozilla.org/buglist.cgi/http://google.com

If you execute it in the browser you can see a redirection loop bug; it makes a lot of redirections to the same location and finally finishes in a timeout. An attacker can utilize this vulnerability to flood the victim's traffic. I tested other cgi files in the website and all the scripts have the same problem.

Other examples:

https://bugzilla.mozilla.org/reports.cgi/http://google.com
https://bugzilla.mozilla.org/page.cgi/http://google.com
https://bugzilla.mozilla.org/query.cgi/http://google.com

etc.
this isn't a security issue - it doesn't enable the browser to send any more traffic than is possible with other mechanisms (e.g. a request triggered by a javascript interval, or a simple script with a loop).
Assignee: nobody → glob
Group: bugzilla-security
Summary: Redirection loop in *.cgi → Redirection loop in *.cgi when path-info is present
Attached patch 1170414_1.patch (obsolete) — Splinter Review
- tell apache to ignore path-info
Attachment #8613865 - Flags: review?(dkl)
Comment on attachment 8613865 [details] [diff] [review]
1170414_1.patch

Review of attachment 8613865 [details] [diff] [review]:
-----------------------------------------------------------------

Breaks REST functionality.

http://localhost/1170414/http://google.com
The requested URL /1170414/http://google.com was not found on this server.

http://localhost/1170414/rest/bug/35
The requested URL /1170414/rest.cgi/bug/35 was not found on this server.

dkl
Attachment #8613865 - Flags: review?(dkl) → review-
Attached patch 1170414_2.patch — Splinter Review
the crux of the problem is perl's CGI.pm uses $ENV{PATH_INFO} to remove it from the uri:

$uri =~ s/\Q$ENV{PATH_INFO}\E$// if defined $ENV{PATH_INFO};

however apache collapses double slashes to a single slash in env variables, so instead of removing "http://example.com" it tries to remove "http:/example.com" and fails.
Attachment #8613865 - Attachment is obsolete: true
Attachment #8614530 - Flags: review?(dkl)
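The failure described in the comment above, reproduced as an added stand-alone illustration (this is not Bugzilla's, CGI.pm's or the committed patch's code): the literal PATH_INFO strip misses once Apache has collapsed the double slash, and a slash-tolerant variant (an assumption of mine, not the fix that landed) shows what a strip that survives the collapse looks like.

```perl
#!/usr/bin/perl
# Added illustration (not Bugzilla's or CGI.pm's code): why the PATH_INFO
# strip quoted in the bug misses when Apache collapses "//" in %ENV.
use strict;
use warnings;

# Mimics the CGI.pm line quoted in the bug: remove PATH_INFO from the end of
# the request URI with a literal (\Q...\E), end-anchored match.
sub strip_path_info_literal {
    my ($uri, $path_info) = @_;
    $uri =~ s/\Q$path_info\E$// if defined $path_info;
    return $uri;
}

# Slash-tolerant variant (assumption, not the committed patch): walk back
# from the end of the URI and accept the first suffix that, with its own
# runs of slashes collapsed, equals the collapsed PATH_INFO. The returned
# prefix keeps the URI's original characters untouched.
sub strip_path_info_collapsed {
    my ($uri, $path_info) = @_;
    return $uri unless defined $path_info && length $path_info;
    (my $needle = $path_info) =~ s{/+}{/}g;
    for my $i (reverse 0 .. length($uri) - 1) {
        (my $suffix = substr($uri, $i)) =~ s{/+}{/}g;
        return substr($uri, 0, $i) if $suffix eq $needle;
    }
    return $uri;   # no suffix matched: leave the URI as it was
}

# Constructed request, modelled on the bug report: the browser asked for
# "/buglist.cgi/http://google.com", but PATH_INFO reaches the script with
# "http://" already collapsed to "http:/" by Apache.
my $uri       = '/buglist.cgi/http://google.com';
my $path_info = '/http:/google.com';

# The literal strip cannot find "http:/google.com" at the end of the URI, so
# the URI keeps its path info and the script keeps redirecting to itself.
printf "literal strip  : %s\n", strip_path_info_literal($uri, $path_info);

# The tolerant strip matches through the collapsed slash and removes it.
printf "collapsed strip: %s\n", strip_path_info_collapsed($uri, $path_info);
```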
Comment on attachment 8614530 [details] [diff] [review]
1170414_2.patch

Review of attachment 8614530 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8614530 - Flags: review?(dkl) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git f53e220..be25975 master -> master
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Hi,

This issue isn't fixed for now; when I go to https://bugzilla.mozilla.org/reports.cgi/http://google.com it is still making the redirections in all scripts.
Flags: needinfo?(glob)
(In reply to Santiago from comment #7)
> Hi,
>
> This issue isn't fixed for now; when I go to
> https://bugzilla.mozilla.org/reports.cgi/http://google.com it is still making
> the redirections in all scripts.

Sorry. It has been committed to our git repo but it has not yet been pushed out to production. This will likely happen early next week during our normal push time.

dkl
fine, very fast fix. Will I be able to get a bounty? Regards.
Sorry, that comment was me; I confused my accounts. Regards.
(In reply to Mr Hack from comment #9)
> fine, very fast fix. Will I be able to get a bounty?

no - this isn't a security issue.
Flags: needinfo?(glob)
It looks like it's fixed now!