Closed
Bug 1195598
Opened 10 years ago
Closed 10 years ago
backport bug 1033068 to bmo (The "unknown_action" error message could confuse the user)
Categories
(bugzilla.mozilla.org :: General, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: 1110vijaykumar, Assigned: glob)
Details
(Keywords: reporter-external, sec-low, Whiteboard: fixed upstream in bug 1033068)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150630154324
Steps to reproduce:
Bug type : Command injection (text-based injection)
OWASP Link : https://www.owasp.org/index.php/Content_Spoofing
Bug Description : The Action parameter is open to user input, and you can trick any user into following the instructions because it appears on Mozilla's verified website.
POC Link : https://bugzilla.mozilla.org/attachment.cgi?id=8645165&action=Authentication%20Warning%20:%20You%20are%20getting%20this%20message%20due%20to%20Authorisation%20Problem.Your%20account%20may%20have%20been%20compromised.In%20order%20to%20verify%20your%20identity,%20go%20to%20the%20mozilla%20security%20portal%20https://mozilla.security.com%20and%20login%20with%20your%20current%20Bugzilla%20Username%20and%20password.This%20action%20is%20required%20in%20priority%20or%20we%20may%20have%20to%20close%20your%20Account%20within%201%20hour.%20Thanks%20from%20Moziila%20Security
Actual results:
I am able to inject any text on bugzilla through URL.
Expected results:
Error output should only be provided from the server side. The user's text should not be provided as output. In order to prevent this, you can either set a default error message like 404 or provide your own error message.
Comment 1•10 years ago
This bug has already been fixed upstream since Bugzilla 4.4. You cannot inject any command such as HTML code or script.
Group: bugzilla-security
Severity: normal → minor
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Summary: Command Injection in Bugzilla → Text Injection in Bugzilla
Reporter
Comment 2•10 years ago
Hi Team,
The link provided by me is completely different from the mentioned duplicate report.
Link : https://bugzilla.mozilla.org/attachment.cgi?id=8645165&action=[Text Injection]
which is currently working. It's in the attachment error with the Action parameter.
But the link which you have provided as duplicate is :
Link :
https://bugzilla.mozilla.org/token.cgi?t=Fix5Zg6LDl&a=[Text injection]
This one looks fixed to me. This is in parameter a with token.cgi, which is completely different.
So both are in different parameters, and the link which I have provided is a completely different URL with a different parameter included in it.
Kindly re-check again for moderation and let me know if you need more info regarding this.
Best Regards !
Vijay Kumar
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Reporter
Updated•10 years ago
Group: bugzilla-security
Comment 3•10 years ago
This is, indeed, the same issue as bug 1033068, as can be seen by trying your example against a server that contains the upstream fix. In that bug you can see that the patch was a fix to the global error handling page and not specific to the parameter being used.
Ex:
https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi?id=8645165&action=Authentication%20Warning%20:%20You%20are%20getting%20this%20message%20due%20to%20Authorisation%20Problem.Your%20account%20may%20have%20been%20compromised.In%20order%20to%20verify%20your%20identity,%20go%20to%20the%20mozilla%20security%20portal%20https://mozilla.security.com%20and%20login%20with%20your%20current%20Bugzilla%20Username%20and%20password.This%20action%20is%20required%20in%20priority%20or%20we%20may%20have%20to%20close%20your%20Account%20within%201%20hour.%20Thanks%20from%20Moziila%20Security
Converting this bug to one requesting that the fix be applied to BMO (otherwise, if we want to wait until we upgrade to 4.4, then this is a dupe).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty?
Keywords: sec-low
Summary: Text Injection in Bugzilla → Import the bug 1033068 spoofing fix from upstream
Whiteboard: fixed upstream in bug 1033068
Assignee: nobody → glob
Summary: Import the bug 1033068 spoofing fix from upstream → backport bug 1033068 to bmo (The "unknown_action" error message could confuse the user)
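The pattern the comments above argue about, an unknown-action error page that echoes the raw `action` value versus one that carries only a fixed server-authored message, as an added illustration in Python. This is not Bugzilla's code and not the bug 1033068 patch; the action names, URL and spoof text are constructed for the example.

```python
import html
import logging
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical set of supported actions; not Bugzilla's real list.
KNOWN_ACTIONS = {"view", "edit"}

# Constructed sample request carrying spoofing-style prose in the action parameter.
SPOOF_TEXT = "Authentication Warning: go to https://portal.example.invalid and log in"
SPOOF_URL = "https://bugzilla.example/attachment.cgi?id=1&action=" + quote(SPOOF_TEXT)


def _action_of(url: str) -> str:
    """Return the first 'action' query value, or '' if absent."""
    return parse_qs(urlsplit(url).query).get("action", [""])[0]


def handle_vulnerable(url: str) -> str:
    """'Before' pattern: the unknown-action error reflects the user value.
    It is HTML-escaped, so this is not script injection, but the attacker's
    prose still renders on the site's own page (content spoofing)."""
    action = _action_of(url)
    if action in KNOWN_ACTIONS:
        return f"<p>Performing action {action}.</p>"
    return f"<p>Error: unknown action '{html.escape(action)}'.</p>"


def handle_hardened(url: str) -> tuple[str, str]:
    """'After' pattern: the page shows only a fixed message; the raw value is
    kept for operators in a truncated log line. Returns (page, log_line)."""
    action = _action_of(url)
    if action in KNOWN_ACTIONS:
        return f"<p>Performing action {action}.</p>", ""
    log_line = "unknown_action value=%r" % action[:64]
    logging.getLogger(__name__).warning(log_line)
    return "<p>Error: the requested action is not recognised.</p>", log_line


def reflects_user_text(page: str, user_value: str, min_len: int = 12) -> bool:
    """Regression check: does any run of min_len characters from the
    user-supplied value appear verbatim (after unescaping) in the response?"""
    unescaped = html.unescape(page)
    for i in range(max(1, len(user_value) - min_len + 1)):
        if user_value[i:i + min_len] in unescaped:
            return True
    return False
```

`reflects_user_text` is the kind of assertion a test suite can run over every error path so a later change does not quietly reintroduce the echo.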
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
8dd0fac..c8869c1 master -> master
Status: NEW → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
Flags: sec-bounty? → sec-bounty-
Updated•1 year ago
Keywords: reporter-external