1310747 - SSRF

Status: RESOLVED FIXED

(bugzilla.mozilla.org :: General, defect)

Description

[Paresh]

hi,
Endpoint: callback=

steps
1. go to below url: https://bugzilla.mozilla.org/auth.cgi?callback=http://testss.blinkie.xyz&description=foobar
2. after accepting 'Auth Delegation Request' 
i am getting response back to my host.

response i got:
ip: 63.245.214.162

{
  "host": "testss.blinkie.xyz",
  "user-agent": "libwww-perl/5.835",
  "content-length": "104",
  "content-type": "application/json",
  "via": "1.1 proxy2.dmz.scl3.mozilla.com (squid/3.1.23)",
  "x-forwarded-for": "10.22.82.28",
  "cache-control": "max-age=259200",
  "connection": "keep-alive",
  "url": "/"
}

Comment 1

[April King [:April]]

Dylan, I think this is expected behavior, but you take a look at it please?  Thanks!

Comment 2

[Paresh]

even i thought that, but Rather than proxying requests on behalf of users, application should have user’s browser retrieve the desired information. If it is necessary to proxy the request, a whitelist should be used on the server side and the User-Agent information should be stripped or modified.

Comment 3

[Daniel Veditz [:dveditz]]

Wow. If this is intended behavior we need to put /some/ rules into which sites we allow. At the very least we shouldn't be allowing insecure http: links.

Comment 4

[Dylan Hardison [:dylan] (he/him)]

(In reply to Paresh from comment #2)
> even i thought that, but Rather than proxying requests on behalf of users,
> application should have user’s browser retrieve the desired information. If
> it is necessary to proxy the request, a whitelist should be used on the
> server side and the User-Agent information should be stripped or modified.

Using the browser is absolutely out due the obvious ways of gaming
that system. 

(In reply to Daniel Veditz [:dveditz] from comment #3)
> Wow. If this is intended behavior we need to put /some/ rules into which
> sites we allow. At the very least we shouldn't be allowing insecure http:
> links.

The user does have to confirm via "Auth Delegation Request".
I note this feature and its current design were both subject to an RRA.

I agree that we should limit it to to https only.

Comment 5

[Dylan Hardison [:dylan] (he/him)]

Attachment: Screen Shot 2016-10-17 at 14.40.20.png

This is the message you have to click through, which is pretty indicative of the action that will be performed.

Comment 6

[Dylan Hardison [:dylan] (he/him)]

Attachment: 1310747_1.patch

Comment 7

[April King [:April]]

Marking this as sec-bounty-, as this is working as intended.  Nice job on the patch as always, dylan.  :)

Comment 8

[David Lawrence [:dkl]]

Comment on attachment 8801830 [details] [diff] [review]
1310747_1.patch

Review of attachment 8801830 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

Comment 9

[Paresh]

as you notice in response,
you are using squid/3.1.23, which is older version of squid proxy. 
Advisory of 3.1.23 http://www.squid-cache.org/Advisories/SQUID-2012_1.txt (DoS in cachemgr.cgi )
why don't you update it to latest version http://www.squid-cache.org/Versions/ ?

Comment 10

[April King [:April]]

Version numbers are notoriously unreliable, as vendors such as Redhat and Canonical backport security patches to older versions.

Comment 11

[Dylan Hardison [:dylan] (he/him)]

To git@github.com:mozilla-bteam/bmo.git
   2f310fb..3e67364  master -> master

Comment 12

[Paresh]

fix is live or not ?

Comment 13

[Dylan Hardison [:dylan] (he/him)]

it'll get pushed out next week.

Comment 14

[Paresh]

in meantime can i go further into  that endpoint for testing  ?

Comment 15

[Dylan Hardison [:dylan] (he/him)]

it would be better to test bugzilla-dev.allizom.org.

Comment 16

[Dylan Hardison [:dylan] (he/him)]

The documentation is here: http://bmo.readthedocs.io/en/latest/integrating/auth-delegation.html