Bug 1299722 (Closed): Opened 9 years ago, Closed 9 years ago

Ruby console accessible on - cert-checker.allizom.org

Category: Websites :: Other (defect)
Type: defect; Priority: Not set; Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: griffin.francis.1993; Assignee: Unassigned
Keywords: reporter-external, sec-high, wsec-oscmd

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce:
I am able to navigate and issue commands at the ruby console (cert-checker.allizom.org/griffin)
>> `id`
=> "uid=500(ec2-user) gid=500(ec2-user) groups=500(ec2-user),10(wheel)\n"

Actual results:
Able to issue commands via the Ruby console. Remote shell on webserver is possible.

Expected results:
This console should not be facing the internet.
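The report above boils down to an interactive console route being reachable from the internet. As an added example (not code from this bug or from the cert-checker deployment), here is a Rack middleware that refuses such a route unless the peer address is on an allow-list; the `ConsoleGuard` name, the `/console` path and the networks are assumptions, and the console itself is stubbed so the file runs stand-alone.

```ruby
require "ipaddr"

# Rack middleware that gates an interactive console route by peer address.
# Mount it ahead of the console in config.ru, for example:
#   use ConsoleGuard, paths: ["/console"], allow: ["127.0.0.1/32"]
class ConsoleGuard
  def initialize(app, paths:, allow:)
    @app = app
    @paths = paths
    @allow = allow.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    return @app.call(env) unless guarded?(env["PATH_INFO"].to_s)

    ip = client_ip(env)
    if ip && @allow.any? { |net| net.include?(ip) }
      @app.call(env)
    else
      [403, { "content-type" => "text/plain" }, ["console not available from this address\n"]]
    end
  end

  # The route and everything beneath it are guarded.
  def guarded?(path)
    @paths.any? { |p| path == p || path.start_with?("#{p}/") }
  end

  # Only the socket peer address is trusted. X-Forwarded-For is ignored on
  # purpose: a client can set it freely unless a trusted proxy overwrites it.
  def client_ip(env)
    IPAddr.new(env["REMOTE_ADDR"].to_s)
  rescue IPAddr::InvalidAddressError
    nil
  end
end

# Constructed stand-in for the console endpoint (assumption, not a real console).
CONSOLE_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["console\n"]] }
GUARDED = ConsoleGuard.new(CONSOLE_APP, paths: ["/console"], allow: ["127.0.0.1/32", "10.0.0.0/8"])

# Returns the HTTP status the guarded stack gives a request from remote_addr.
def status_for(path, remote_addr)
  GUARDED.call("PATH_INFO" => path, "REMOTE_ADDR" => remote_addr).first
end

puts status_for("/console", "203.0.113.7")  # 403: internet client refused
puts status_for("/console", "127.0.0.1")    # 200: loopback allowed
puts status_for("/healthz", "203.0.113.7")  # 200: non-console path untouched
```

An address gate is a containment measure only; the report's `id` output shows the service running as a wheel-group user, and that privilege level needs fixing independently of how the console is reached.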
I've confirmed this bug. It's RCE on a wheel user.
Kathleen: I see you've mentioned this site on google groups. Are you the operator of this site or could you put me in touch with the operator? As you can see above, we've got a report from our bounty program that suggests the system can be rooted remotely using the rails console which is running as a user in the wheel group.
Flags: needinfo?(kwilson)
Keywords: sec-high, wsec-oscmd
Instance is now reporting as down via the domain and aws is showing up as an nginx error.
Griffin: thanks for the update, I'm seeing the same thing. I'll reach out to Karen today directly once our working hours line up and see what's going on.
Flags: needinfo?(kwilson)
Quick update on this: I've stopped nginx on the box, so the shell shouldn't be accessible. It's still on in aws in case we need to get anything from it, but I'm treating it as compromised, so I'll basically start over from scratch in terms of deploying these tools. Also, they'll be moved to a different (non-mozilla) domain.
Flags: sec-bounty?
good call keeler, thanks for the quick triage and action!
Thanks for the report Griffin!
:keeler any update on where we stand with this issue? has this been redeployed with fixes in a different domain name? Just trying to tie it off, so we can close out the bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
:claudijd - We're meeting with :ulfr in an hour to discuss deployment options that will improve security management of the next rev of this. Perhaps we should make that a different bug?
:jcj - if you want to do that and make it block this bug, that would be great.
The main functionality we need, we'll move to the TLS Observatory. Bug is opened here: https://github.com/mozilla/tls-observatory/issues/141
[:keeler] is this fixed? Bounty meeting coming up.
Flags: needinfo?(dkeeler)
Yes - we took the whole site down (and we won't be putting it back up without auditing it for these sorts of issues).
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → FIXED
Group: websites-security
Flags: sec-bounty? → sec-bounty+