[Critical] Svn Repo Disclosure Of Mozilla Infrastructure



Invalid Bugs
a year ago
a year ago


(Reporter: Kat Exploit, Unassigned)


Bug Flags:
sec-bounty -


(Whiteboard: [reporter-external] [web-bounty-form] [verif?], URL)



a year ago
Hello Team,

I found SVN repository of Mozilla domains inside one sub-domain of Mozilla. The host http://svn.mozilla.org is main SVN repository of company and lack of authentication or authorization to prevent non-authorized users from public. From these vulnerability, an attacker can gain access to Mozilla domains as an Administrator without permission or authorization and view the source code of various php files and other server side language files of all domains including config files. That domain stored various Mozilla domains, various Content Management System domains like Joomla, Wordpress and Drupal and forums software.

Step (1) : 

Go to URL https://pentest-tools.com/information-gathering/find-subdomains-of-domain and type http://mozilla.org in "Domain name" form to perform sub-domain scanning of Mozilla sub-domains. I found that vulnerable domain http://svn.mozilla.org and browsed the link. WTF! There is too many source code of Mozilla domains including main like https://addons.mozilla.org and https://mozilla.org

Step (2) :

Browse the link in your browser http://svn.mozilla.org. See the directories and access into source code without any authentication. Here I will tell you about only main directory and structure.

Index => 10 files => 9 directories + 1 file robots.txt

/addons directory is for https://addons.mozilla.org's /public_html/

/projects directory is for all Mozilla domains' /public_html/

In /projects directory, most contains (3) directories, /branch, /tags and /trunk. The /branch and /tags directories are not important so but not the /trunk directory. It is like specific domain's /public_html/ (WWW ROOT)

There is also https://addons.mozilla.org SQL DB structure and domains RAW PHP files.

Here is a list of config files to domains ::

https://addons.mozilla.org => http://svn.mozilla.org/addons/trunk/site/app/config/config.php.default

https://developer.mozilla.org => http://svn.mozilla.org/projects/developer.mozilla.org/trunk/config/index.php

https://help.mozilla.org => http://svn.mozilla.org/projects/help.mozilla.com/trunk/configuration.php

http://facebook.spreadfirefox.com => http://svn.mozilla.org/projects/facebook.spreadfirefox.com/trunk/inc/config.php.default

https://outgoing.mozilla.org => http://svn.mozilla.org/projects/outgoing.mozilla.org/trunk/config.php-dist

and many many config files of Mozilla domains.

SVN repository should be cleaned from same host of domains. If not, an attacker or non-authorized users can view the entire source code of Mozilla domains and web services.

I hope it can be fix soon.
Thanks for your time.
Flags: sec-bounty?
We're an open source company and our projects are open source.  All of this information is intended to be public.
Group: websites-security → core-security
Last Resolved: a year ago
Component: Other → General
Product: Websites → Invalid Bugs
Resolution: --- → INVALID

Comment 2

a year ago

Please read my report carefully and think seriously.
It also contains DB credentials and config files of current main working domains. 
Also DB credentials and website config files are open source? .htaccess? So why did you make https://mozilla.org/.htaccess 404 not found?
Most of those are configuration defaults, like config.php.default.  And a database schema isn't the same thing as database credentials.  Can you point to any sensitive information here?

And why wouldn't it 404, if the file isn't found?

Comment 4

a year ago
.htaccess of https://mozilla.org can found here http://svn.mozilla.org/projects/mozilla.org/trunk/.htaccess and it can't access in https://mozilla.org/.htaccess via public.
Yes, that's the default Apache behavior.  .htaccess files often contain credentials, and so they're blocked by default.

Comment 6

a year ago
Here is http://svn.mozilla.org/projects/blog.mozilla.com/trunk/wp-content/themes/OneMozilla/ source code of current theme OneMozilla using at https://blog.mozilla.com and it can access PHP files. Another one is http://svn.mozilla.org/projects/blog.mozilla.com/trunk/tools/stats.sh which disclose root directory and /wp-config.php path. So it can be disclosure?
It's not disclosure if it is things we wanted disclosed.  Literally everything on svn.mozilla.org is meant for public consumption.
Flags: sec-bounty? → sec-bounty-
Group: core-security
You need to log in before you can comment on or make changes to this bug.