Bug 1195598 - backport bug 1033068 to bmo (The "unknown_action" error message could confuse the user)
Status: RESOLVED FIXED
fixed upstream in bug 1033068
Keywords: sec-low
Product: bugzilla.mozilla.org
Classification: Other
Component: General
Version: Production
Platform: Unspecified Unspecified
Importance: -- minor
Target Milestone: ---
Assigned To: Byron Jones ‹:glob›
Reported: 2015-08-17 19:02 PDT by vijay kumar1
Modified: 2015-08-24 10:10 PDT
CC List: 6 users
abillings: sec‑bounty-


Description vijay kumar1 2015-08-17 19:02:50 PDT
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150630154324

Steps to reproduce:

Bug type: Command injection (Text based injection)
OWASP Link: https://www.owasp.org/index.php/Content_Spoofing
Bug Description: The action parameter is open to user input, and you can trick any user into following the instructions because it's on Mozilla's verified website.

POC Link : https://bugzilla.mozilla.org/attachment.cgi?id=8645165&action=Authentication%20Warning%20:%20You%20are%20getting%20this%20message%20due%20to%20Authorisation%20Problem.Your%20account%20may%20have%20been%20compromised.In%20order%20to%20verify%20your%20identity,%20go%20to%20the%20mozilla%20security%20portal%20https://mozilla.security.com%20and%20login%20with%20your%20current%20Bugzilla%20Username%20and%20password.This%20action%20is%20required%20in%20priority%20or%20we%20may%20have%20to%20close%20your%20Account%20within%201%20hour.%20Thanks%20from%20Moziila%20Security



Actual results:

I am able to inject any text on Bugzilla through the URL.


Expected results:

Error output should only be provided from the server side. User's text should not be provided as output. In order to prevent this, you can either set a default error message like 404 or provide your own error message.
Comment 1 Frédéric Buclin 2015-08-17 19:11:37 PDT
This bug has already been fixed upstream since Bugzilla 4.4. You cannot inject any command such as HTML code or script.

*** This bug has been marked as a duplicate of bug 1033068 ***
Comment 2 vijay kumar1 2015-08-17 19:22:00 PDT
Hi Team,

The link provided by me is completely different from the one in the mentioned duplicate report.
Link: https://bugzilla.mozilla.org/attachment.cgi?id=8645165&action=[Text Injection]
which is currently working. It's in the attachment error with the action parameter.
But the link which you have provided as a duplicate is:
Link:
https://bugzilla.mozilla.org/token.cgi?t=Fix5Zg6LDl&a=[Text injection]
This one looks fixed to me. This is in parameter a with token.cgi, which is completely different.

So both are in different parameters, and the link which I have provided is a completely different URL with a different parameter included in it.

Kindly recheck for moderation and let me know if you need more info regarding this.

Best Regards !
Vijay Kumar
Comment 3 Daniel Veditz [:dveditz] 2015-08-17 21:11:03 PDT
This is, indeed, the same issue as bug 1033068, as can be seen by trying your example against a server that contains the upstream fix. In that bug you can see that the patch was a fix to the global error handling page and not specific to the parameter being used.

Ex:
https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi?id=8645165&action=Authentication%20Warning%20:%20You%20are%20getting%20this%20message%20due%20to%20Authorisation%20Problem.Your%20account%20may%20have%20been%20compromised.In%20order%20to%20verify%20your%20identity,%20go%20to%20the%20mozilla%20security%20portal%20https://mozilla.security.com%20and%20login%20with%20your%20current%20Bugzilla%20Username%20and%20password.This%20action%20is%20required%20in%20priority%20or%20we%20may%20have%20to%20close%20your%20Account%20within%201%20hour.%20Thanks%20from%20Moziila%20Security

Converting this bug to one requesting that fix be applied to BMO (otherwise if we want to wait until we upgrade to 4.4 then this is a dupe).
Comment 4 Byron Jones ‹:glob› 2015-08-17 21:26:02 PDT
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   8dd0fac..c8869c1  master -> master
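
Added example, not part of the bug thread and not Bugzilla's own (Perl) code: a Python sketch of the issue discussed above, where an error page echoes an unrecognized `action` value. HTML-escaping keeps markup from rendering, but the supplied sentence still appears on the site's page; the second renderer uses only server-side wording. The action list, function names, messages and sample URL are assumptions made for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical set of actions the handler knows how to dispatch.
KNOWN_ACTIONS = {"view", "edit", "update", "diff"}


def render_error_reflecting(action):
    """'Before': HTML-escaped, so no markup or script runs, but the
    caller-supplied sentence is still shown inside the site's error page."""
    return "<p>Unknown action: " + html.escape(action) + "</p>"


def render_error_fixed(action):
    """'After': wording comes only from the server; the request value is
    never rendered, whatever it contains."""
    return "<p>The requested action is not recognized.</p>"


def log_value(action, limit=40):
    """Keep a bounded, printable copy of the rejected value for server logs
    so sentence-like or oversized values can be spotted in review."""
    printable = "".join(c if c.isprintable() else "?" for c in action)
    return printable[:limit] + ("..." if len(printable) > limit else "")


def handle(url, render_error):
    """Return (status, body, log_entry) for an attachment-style request."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    action = params.get("action", ["view"])[0]
    if action in KNOWN_ACTIONS:
        return 200, "<p>action: " + action + "</p>", None
    return 400, render_error(action), "unknown action: " + log_value(action)


# Constructed request: a sentence plus markup in the action parameter.
SAMPLE_URL = ("https://bugzilla.example/attachment.cgi?id=1"
              "&action=Notice%3A%20please%20sign%20in%20again%20%3Cb%3Enow%3C%2Fb%3E")

if __name__ == "__main__":
    for renderer in (render_error_reflecting, render_error_fixed):
        print(handle(SAMPLE_URL, renderer))
```

The rejected value still reaches the server log in bounded form, so requests carrying sentence-like `action` values remain visible to whoever reviews the logs.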
