Closed
Bug 1319981
Opened 9 years ago
Closed 9 years ago
HTTP Basic authentication "bypass" in https://secure.pub.build.mozilla.org/
Categories: Release Engineering :: General, defect
Tracking: (Not tracked)
Status: RESOLVED INVALID
People: Reporter: sebastienmorin75, Unassigned
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments (1 file): image/png, 41.72 KB
Hi,
I've found a badly implemented HTTP Basic authentication in https://secure.pub.build.mozilla.org/
Description:
---------------
When visiting, for example, https://secure.pub.build.mozilla.org/builddata/reports/slave_health/, you are partially stopped by being asked to enter credentials in the authentication form. If you simply click multiple times on "cancel", the page still renders to the user. You can use that "bypass" to navigate and gather information wherever you want without logging in.
Impact:
---------
I think that there is probably sensitive information, since the repository is supposed to be secured. If that is not the case, an employee or users can think that the repository is safe because it is behind an authentication method and drop sensitive information there that is accessible to everyone.
Step-by-step Reproduction Instructions:
----------------------------------------------
1. Go to the following address: https://secure.pub.build.mozilla.org/builddata/reports/slave_health/
2. Click on "cancel" until you see the page.
3. You can then use that method to navigate wherever you want on the server.
Suggested Mitigation/Remediation Actions:
-------------------------------------------------
If there is any sensitive information, or you don't want unwanted malicious users to navigate on the server, you should fix the HTTP authentication or simply change the login method, since HTTP authentication isn't the most secure way to protect information.
Please let me know if you have any questions.
Sébastien Morin
Flags: sec-bounty?
Comment 1•9 years ago
Comment 2•9 years ago
Yeah, that doesn't look ideal :/
I'll find out the right person to assign this to.
Comment 3•9 years ago
Thank you for filing.
Whilst the current UX isn't great (it would be better to make the extra data lazy-load so people without all of the permissions aren't bombarded by HTTP auth prompts), this is intended behaviour.
This page is a dashboard that makes client-side requests to multiple APIs to present an overview of machine health. Some of those APIs are public, others not. For users who do not authenticate (or who are not in the required LDAP groups), the dashboard only displays partial information.
I'm not responsible for this tool, so I'll leave it up to the Release Engineering team as to whether they want to either morph this or file another bug for improving the UX of this tool. (The current design actually led to some confusion with an employee the other day too, when they didn't have the required LDAP groups and a member of the security team had to query about it due to the denied API calls.)
Component: Other → Tools
Flags: needinfo?(coop)
Product: Websites → Release Engineering
QA Contact: hwine
Comment 4•9 years ago
(In reply to Ed Morley [:emorley] from comment #3)
> Thank you for filing.
>
> Whilst the current UX isn't great (it would be better to make the extra data
> lazy-load so people without all of the permissions aren't bombarded by HTTP
> auth prompts), this is intended behaviour.
>
> This page is a dashboard that makes client-side requests to multiple APIs to
> present an overview of machine health. Some of those APIs are public, others
> not. For users who do not authenticate (or who are not in the required LDAP
> groups), the dashboard only displays partial information.
>
> I'm not responsible for this tool, so I'll leave it up to the Release
> Engineering team as to whether they want to either morph this or file
> another bug for improving the UX of this tool. (The current design actually
> led to some confusion with an employee the other day too, when they didn't
> have the required LDAP groups and a member of the security team had to query
> about it due to the denied API calls.)
Ed's right: there's no bypass happening here. If you don't authenticate, the API calls fail to get the more detailed information about the machines, but you still get the basic info about the machine (and machine pools) that would be available to any community member. We do rely on some community members (read: philor) who pay attention to that page and help us detect and mitigate problems that aren't as simple as a Nagios alert.
Yes, the UX is terrible... yet another tool that was whipped together and now lives in production, warts and all.
I have no one to work on a newer version at present. Possibly in Q1.
Flags: needinfo?(coop)
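The behaviour Ed and coop describe (public endpoints answer, protected ones return 401, the page shows whatever it could load) as an added illustration that is not the dashboard's own code: a small client-side aggregator that degrades to a partial view, a "lazy" mode that implements the lazy-load suggestion from comment 3 so anonymous visitors never trigger a Basic-auth prompt, and the triage check that separates a real bypass from what was reported here, namely whether the unauthenticated view ever contains a field that only a protected endpoint returns. The endpoint paths, payloads and credentials are constructed, and `fetch()` is replaced by a synchronous stand-in so the block runs offline.

```javascript
// Added example (not part of the bug or the dashboard's code). Endpoint paths,
// payloads and credentials are constructed for illustration.

// Two kinds of API behind a dashboard: public, and protected by HTTP Basic auth.
const ENDPOINTS = [
  { path: "/api/pools", protected: false },
  { path: "/api/machines/details", protected: true },
];

// What each endpoint returns on success (constructed sample data).
const SAMPLE_DATA = {
  "/api/pools": { pools: ["linux64", "win64"] },
  "/api/machines/details": { details: { "machine-001": { lastJob: "build-1234" } } },
};

// Hypothetical credentials: base64("user:pass").
const VALID_AUTH = "Basic dXNlcjpwYXNz";

// Synchronous stand-in for fetch(): returns just enough of a Response for the
// logic below. A real server answers the 401 with "WWW-Authenticate: Basic",
// which is what makes the browser show the credential prompt the reporter saw.
function fakeFetch(path, { headers = {} } = {}) {
  const ep = ENDPOINTS.find((e) => e.path === path);
  if (!ep) return { status: 404, ok: false, json: () => ({}) };
  if (ep.protected && headers.Authorization !== VALID_AUTH) {
    return { status: 401, ok: false, json: () => ({}) };
  }
  return { status: 200, ok: true, json: () => SAMPLE_DATA[path] };
}

// Build the dashboard view. A 401/403 marks that section unavailable instead of
// failing the whole page, which is the "partial information" behaviour.
// With lazy: true, protected endpoints are not requested at all without
// credentials, so an anonymous visitor gets no auth prompt.
function loadDashboard(fetchImpl, authHeader, { lazy = false } = {}) {
  const headers = authHeader ? { Authorization: authHeader } : {};
  const view = { sections: {}, unavailable: [], deferred: [] };
  for (const ep of ENDPOINTS) {
    if (lazy && ep.protected && !authHeader) {
      view.deferred.push(ep.path); // load later, e.g. after the user clicks "show details"
      continue;
    }
    const res = fetchImpl(ep.path, { headers });
    if (res.ok) {
      Object.assign(view.sections, res.json());
    } else if (res.status === 401 || res.status === 403) {
      view.unavailable.push(ep.path);
    } else {
      throw new Error(`${ep.path} returned HTTP ${res.status}`);
    }
  }
  return view;
}

// Triage check: does the anonymous view contain any top-level field that only a
// protected endpoint can produce? true would mean a genuine bypass; false means
// the visitor only ever saw the public subset, the conclusion reached in this bug.
function leaksProtectedData(fetchImpl) {
  const anon = loadDashboard(fetchImpl, null);
  const protectedKeys = new Set();
  for (const ep of ENDPOINTS) {
    if (!ep.protected) continue;
    const res = fetchImpl(ep.path, { headers: { Authorization: VALID_AUTH } });
    for (const key of Object.keys(res.json())) protectedKeys.add(key);
  }
  return Object.keys(anon.sections).some((key) => protectedKeys.has(key));
}

// Stand-alone usage: the anonymous view and the verdict of the leak check.
console.log(JSON.stringify(loadDashboard(fakeFetch, null), null, 2));
console.log("protected data leaked to anonymous view:", leaksProtectedData(fakeFetch));
```

Against a real deployment the same check is run with the browser's network log rather than a stub: list the requests that returned 401, then confirm that none of the fields rendered after cancelling the prompt came from those responses. If they did not, the page behaved as comments 3 and 4 describe; the remaining issue is the prompt storm, which the lazy mode removes.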
Updated•9 years ago
Group: websites-security
Comment 5•9 years ago
Not an auth bypass, just weird user behavior. This bug was also reported to the bounty program before and we came to the same conclusion.
Flags: sec-bounty? → sec-bounty-
Updated•9 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Updated•8 years ago
Component: Tools → General
Updated•1 year ago
Keywords: reporter-external