Closed Bug 1310747 Opened 4 years ago Closed 4 years ago

SSRF

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: p4r3sh.p4rm4r, Assigned: dylan)

Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(2 files)

Hi,
Endpoint: callback=

Steps:
1. Go to the URL below: https://bugzilla.mozilla.org/auth.cgi?callback=http://testss.blinkie.xyz&description=foobar
2. After accepting the 'Auth Delegation Request',
I am getting a response back to my host.

Response I got:
ip: 63.245.214.162

{
  "host": "testss.blinkie.xyz",
  "user-agent": "libwww-perl/5.835",
  "content-length": "104",
  "content-type": "application/json",
  "via": "1.1 proxy2.dmz.scl3.mozilla.com (squid/3.1.23)",
  "x-forwarded-for": "10.22.82.28",
  "cache-control": "max-age=259200",
  "connection": "keep-alive",
  "url": "/"
}
Flags: sec-bounty?
Dylan, I think this is expected behavior, but can you take a look at it please?  Thanks!
Group: websites-security → bugzilla-security
Component: Other → General
Flags: needinfo?(dylan)
Product: Websites → bugzilla.mozilla.org
Version: unspecified → Production
Even I thought that, but rather than proxying requests on behalf of users, the application should have the user's browser retrieve the desired information. If it is necessary to proxy the request, a whitelist should be used on the server side and the User-Agent information should be stripped or modified.
Wow. If this is intended behavior we need to put /some/ rules into which sites we allow. At the very least we shouldn't be allowing insecure http: links.
(In reply to Paresh from comment #2)
> even i thought that, but Rather than proxying requests on behalf of users,
> application should have user’s browser retrieve the desired information. If
> it is necessary to proxy the request, a whitelist should be used on the
> server side and the User-Agent information should be stripped or modified.

Using the browser is absolutely out due to the obvious ways of gaming
that system.

(In reply to Daniel Veditz [:dveditz] from comment #3)
> Wow. If this is intended behavior we need to put /some/ rules into which
> sites we allow. At the very least we shouldn't be allowing insecure http:
> links.

The user does have to confirm via "Auth Delegation Request".
I note this feature and its current design were both subject to an RRA.

I agree that we should limit it to https only.
Flags: needinfo?(dylan)
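The https-only restriction agreed on above, combined with the server-side allowlist and non-public-address check the reporter argued for, as an added Python example (not BMO's own Perl code from the patch). The hostnames and the FAKE_DNS map are constructed so it runs offline; `resolve_host` is what a deployment would plug in instead.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS map so the example runs offline (hostnames are made up).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.example.internal": ["10.22.82.28"],
    "dual.example.com": ["93.184.216.34", "127.0.0.1"],  # public + loopback mix
}

def resolve_host(hostname):
    """Real resolver: every address the hostname maps to, via getaddrinfo."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def fake_resolver(hostname):
    """Offline stand-in for resolve_host, backed by the constructed FAKE_DNS map."""
    if hostname not in FAKE_DNS:
        raise socket.gaierror(f"constructed: no such host {hostname}")
    return FAKE_DNS[hostname]

def validate_callback(url, resolver=resolve_host, allowed_hosts=None):
    """Return (True, "ok") if url is an acceptable auth-delegation callback,
    otherwise (False, reason). Policy: https only, no credentials in the URL,
    optional host allowlist, and every address the host maps to must be
    globally routable (rejects loopback, RFC 1918, link-local, reserved)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, "host does not resolve"
    # Note: the request should be pinned to the address checked here, or the
    # check repeated at connect time, so a later re-resolution cannot differ.
    for addr in addrs:
        if not addr.is_global:
            return False, f"non-public address {addr}"
    return True, "ok"
```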
This is the message you have to click through, which is pretty indicative of the action that will be performed.
Assignee: nobody → dylan
Attached patch 1310747_1.patch
Attachment #8801830 - Flags: review?(dkl)
Marking this as sec-bounty-, as this is working as intended.  Nice job on the patch as always, dylan.  :)
Group: bugzilla-security
Flags: sec-bounty? → sec-bounty-
Comment on attachment 8801830
1310747_1.patch

Review of attachment 8801830:
-----------------------------------------------------------------

r=dkl
Attachment #8801830 - Flags: review?(dkl) → review+
As you can notice in the response,
you are using squid/3.1.23, which is an older version of the Squid proxy.
Advisory for 3.1.23: http://www.squid-cache.org/Advisories/SQUID-2012_1.txt (DoS in cachemgr.cgi)
Why don't you update it to the latest version? http://www.squid-cache.org/Versions/
Version numbers are notoriously unreliable, as vendors such as Redhat and Canonical backport security patches to older versions.
Status: UNCONFIRMED → NEW
Ever confirmed: true
To git@github.com:mozilla-bteam/bmo.git
   2f310fb..3e67364  master -> master
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Is the fix live or not?
It'll get pushed out next week.
In the meantime, can I go further into that endpoint for testing?
It would be better to test bugzilla-dev.allizom.org.
See Also: → 1311165