Closed Bug 1195544 Opened 5 years ago Closed 5 years ago
Information Disclosure Vulnerability Permits Attacker Obtains The GitHub OAUTH Return Code
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36

Steps to reproduce:

Hi, I have found a security bug that allows me to obtain the valid GitHub OAuth code return, then allowing me to log into the victim's account. To make it work you have to be logged in to GitHub, and logged out of Bugzilla.

Reproduce:
1. Log in to GitHub.
2. Once you have already logged in to Bugzilla using GitHub, visit https://github.com/login/oauth/authorize?client_id=53a879b058c4e4953f95&scope=user%3Aemail&state=INVALID_STATE&redirect_uri=https://bugzilla.mozilla.org/attachment.cgi?id=8648983
3. You'll be automatically redirected to the attachment https://bugzilla.mozilla.org/attachment.cgi?id=8648983, whose URL will contain the VALID GITHUB OAUTH CODE.
4. Using this code, go to another browser and visit https://bugzilla.mozilla.org/
5. In the "other browser" there'll be a valid state code in the page source; copy it.
6. Now go back to the attachment https://bugzilla.mozilla.org/attachment.cgi?id=8648983; there should be a URL just like this: https://bug1195525.bmoattachments.org/attachment.cgi?id=8648983&code=[code-return]&state=INVALID_STATE
7. Replace "INVALID_STATE" with the one you got from the "other browser".
8. Now add "github_login=1" to the end of the URL.
9. Now you're set; just open this URL in the "other browser" (the attacker's browser).
10. See that you're logged in to the victim's account.

To exploit it, all I've got to do is:
1. Make sure the victim is logged in to GitHub and uses it to log into Bugzilla frequently.
2. Make sure she isn't logged in to Bugzilla (it's easy to log her out, just use a <img src='https://bugzilla.mozilla.org/index.cgi?logout=1'>).
3. Convince the victim to open the specially crafted page that will redirect her to the GitHub OAuth URL and back to the attachment, where I'll have access to her OAuth code.

I think this is critical because it isn't hard to make it work in a real-world scenario and it requires only that the victim visit a page.
Summary: Information Disclosure Vulnerability Permits Attacker Obtain The GitHub OAUTH Return Code → Information Disclosure Vulnerability Permits Attacker Obtains The GitHub OAUTH Return Code
Currently attachment.cgi has a blacklist of parameters that will not be passed through to the attachment domain when redirecting ('t', 'Bugzilla_login', 'Bugzilla_password'). Looks like the right thing to do is to change this to a whitelist.
Assignee: nobody → glob
Status: UNCONFIRMED → NEW
Ever confirmed: true
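To make the blacklist-versus-whitelist point in the comment above concrete, here is an added example (written for this page in Python, not Bugzilla's own Perl code) that builds the attachment-domain redirect URL under both policies and checks which query parameters survive the hop. The attachment host pattern is taken from the URLs in the report; the blacklist names are the three quoted in the comment; the whitelist names (`id`, `action`, `format`) and the sample query values are assumptions for this example, not Bugzilla's actual list or real tokens.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Attachment-domain host pattern as it appears in the report's URLs.
ATTACHMENT_HOST = "bug{bug_id}.bmoattachments.org"

# Blacklist as described in the comment: only these names are stripped,
# so any parameter nobody anticipated (e.g. an OAuth 'code') is forwarded.
DENIED_PARAMS = frozenset({"t", "Bugzilla_login", "Bugzilla_password"})

# Whitelist for the corrected behaviour. The names here are an assumption
# for this example; the real attachment viewer's list may differ.
ALLOWED_PARAMS = frozenset({"id", "action", "format"})


def filter_blacklist(params):
    """Drop only explicitly denied names; everything else passes through."""
    return [(k, v) for k, v in params if k not in DENIED_PARAMS]


def filter_whitelist(params):
    """Keep only explicitly allowed names; unknown parameters are dropped."""
    return [(k, v) for k, v in params if k in ALLOWED_PARAMS]


def redirect_url(bug_id, params, policy):
    """Build the attachment-domain URL, forwarding parameters per policy."""
    host = ATTACHMENT_HOST.format(bug_id=bug_id)
    query = urlencode(policy(params))
    return f"https://{host}/attachment.cgi?{query}"


def leaked_params(url, sensitive=("code", "state")):
    """Names of sensitive query parameters that made it into the URL."""
    names = {k for k, _ in parse_qsl(urlsplit(url).query)}
    return sorted(n for n in sensitive if n in names)


# Constructed sample: the query attachment.cgi would see when an OAuth
# provider redirects back with 'code' and 'state' appended. The values
# are placeholders, not real tokens.
SAMPLE_PARAMS = [
    ("id", "8648983"),
    ("code", "PLACEHOLDER_OAUTH_CODE"),
    ("state", "INVALID_STATE"),
]

if __name__ == "__main__":
    for name, policy in (("blacklist", filter_blacklist),
                         ("whitelist", filter_whitelist)):
        url = redirect_url(1195525, SAMPLE_PARAMS, policy)
        print(f"{name}: {url}")
        print(f"  leaked: {leaked_params(url)}")
```

Under the blacklist policy the `code` and `state` values ride along to the attachment domain; under the whitelist policy the redirect carries only `id`. A regression check that asserts `leaked_params()` is empty for any redirect built by the viewer is a cheap way to keep the fix from quietly reverting when a new parameter is added.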
Comment on attachment 8649106: 1195544_1.patch
Review of attachment 8649106:
r=dylan
Attachment #8649106 - Flags: review?(dylan) → review+
What would be the appropriate Security rating for this bug?
This bug is sec-moderate as the security constraints for github authenticated sessions match those of persona authenticated sessions. If those constraints could be bypassed this bug would be rated higher.
(In reply to Yvan Boily [:ygjb][:yvan] from comment #5)
> If those constraints could be bypassed this bug would be rated higher.

What constraints are you talking about? In my tests, as long as I have access to the victim's OAuth code I'm able to log in to their account from anywhere. Do you really think such a vulnerability is "moderate"?

Also, bug 1175985 is essentially the same bug; the only difference is that it affects Persona, and it was rated as "High". Would you please explain why this one is "moderate"? I know there are limitations that don't allow "Powerful" users to log in through it. Even though it only affects the normal users, who are the ones responsible for reporting security bugs, I really don't think such a vulnerability would be only "moderate".
To ssh://email@example.com/webtools/bmo/bugzilla.git eb35e8e..4d855c2 master -> master
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Mario - the rating reflects the impact of the bug; I am not dismissing the value of the report, simply commenting on the impact of the bug. If it had affected all accounts, it would have been higher impact.
Flags: sec-bounty? → sec-bounty+