Closed Bug 1319986 Opened 9 years ago Closed 9 years ago

Changeset parameter manipulation in https://bugherder.mozilla.org/

Categories

(Tree Management :: Bugherder, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: sebastienmorin75, Unassigned)

References

()

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(3 files)

Attached image Normal TIP
Hi,

I've found that you can manipulate the changeset parameter in https://bugherder.mozilla.org/ resulting in different steps and information accessible.

Description:
---------------
When visiting https://bugherder.mozilla.org/, you have to enter a URL or changeset ID or just "tip". When trying to fetch information/data by inserting tip, I only have access to limited action/information (See Normal_TIP.png). However, if I intercept the request and insert square brackets [] in the parameter changeset name which will send an array object, I have access to more action/information (See Crafted_TIP.png).

Impact:
---------
This is clearly an abnormal reaction of the application which leads to more action/information for the users.

Step-by-step Reproduction Instructions:
----------------------------------------------
1. Go to the following address: https://bugherder.mozilla.org/
2. Enter tip in the changeid parameter.
3. Set up a proxy to capture the GET request.
4. Click on submit.
5. Change the "changeset=tip" parameter to "changeset[]=tip" (See Changeid.png)
6. Confirm the abnormal reaction of the application.

Please let me know if you have any questions.

Best regards,
Sébastien Morin
Flags: sec-bounty?
Attached image Crafted_TIP
Attached image Changeid
That's only a problem if changing the parameters gives access to data you shouldn't otherwise see. No idea if that's the case here but I'll aim to find someone who does know.
Group: websites-security → mozilla-employee-confidential, webtools-security
Component: Other → Treeherder
Product: Websites → Tree Management
Version: unspecified → ---
Assignee: nobody → wkocher
wkocher - can you answer that question?
Flags: needinfo?(wkocher)
Bugherder (unrelated to Treeherder) is a client-side only JS app, that uses the public hg.mozilla.org API to access push information. I can't see a security issue here?
Component: Treeherder → Bugherder
The STR in comment 0 involve manually modifying the app's client-side requests. Unless similar requests can be triggered by passing a specially crafted set of query parameters to a Bugherder page, then this report isn't really about Bugherder, but instead about crafted API calls to the public hg.mozilla.org (which can be made outside of Bugherder).

Using that logic to simplify the report in comment 0, turns it into something like:

"""
STR:
1) Make a request to 'https://hg.mozilla.org/mozilla-central/json-pushes/?full=1&changeset=tip'
2) Make a request to 'https://hg.mozilla.org/mozilla-central/json-pushes/?full=1&changeset[]=tip'

Expected:
Response is the same.

Actual:
The response differs.
"""

However:
(a) It's not expected that the responses are the same.
(b) Even if it were, the json-pushes feature of hg.mozilla.org is a public API, so there's no secrets to be gained.

What's happening in the #2 case is that `changeset[]` is an invalid parameter, so is ignored. The API is then just returning the same response as:
'https://hg.mozilla.org/mozilla-central/json-pushes/?full=1'

...which is just to return the last ten pushes:
https://hg.mozilla.org/hgcustom/version-control-tools/file/6298a2195598/hgext/pushlog-legacy/pushlog-feed.py#l295

For improved UX of consumers of the API it might be desirable to make invalid parameters cause an error rather than be silently ignored, but that's not a security issue. (Though that would have to be weighed against backwards compatibility, in case there are existing clients using deprecated parameters.)
Assignee: wkocher → nobody
Group: mozilla-employee-confidential, webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(wkocher)
Resolution: --- → INVALID
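A simplified model of the parameter handling described in the comment above, added here as an illustration; it is not the pushlog code from hg.mozilla.org. The helper names, the known-parameter set and the strict mode (the "error rather than silently ignore" option the comment mentions) are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: only the two parameters named in this bug are modelled.
KNOWN_PARAMS = {"full", "changeset"}
DEFAULT_PUSH_COUNT = 10  # "the last ten pushes", per the comment above

# Constructed sample requests, built from the simplified STR above.
BASE = "https://hg.mozilla.org/mozilla-central/json-pushes/"
NORMAL = BASE + "?full=1&changeset=tip"
CRAFTED = BASE + "?full=1&changeset[]=tip"
BARE = BASE + "?full=1"


class UnknownParameter(ValueError):
    """Raised in strict mode when a request carries an unrecognised key."""


def plan_query(url, strict=False):
    """Describe which pushes a request selects (hypothetical helper)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # 'changeset[]' is a different key from 'changeset'; nothing strips the brackets.
    unknown = sorted(set(params) - KNOWN_PARAMS)
    if strict and unknown:
        raise UnknownParameter("unrecognised parameter(s): " + ", ".join(unknown))
    changesets = params.get("changeset", [])
    return {
        "mode": "by_changeset" if changesets else "latest",
        "changesets": changesets,
        "limit": None if changesets else DEFAULT_PUSH_COUNT,
        "full": params.get("full", ["0"])[-1] == "1",
        "ignored": unknown,
    }


def same_selection(url_a, url_b):
    """True when two requests select the same pushes, whatever was ignored."""
    a, b = plan_query(url_a), plan_query(url_b)
    a.pop("ignored")
    b.pop("ignored")
    return a == b


if __name__ == "__main__":
    for label, url in (("normal", NORMAL), ("crafted", CRAFTED), ("bare", BARE)):
        print(label, plan_query(url))
    print("crafted selects the same pushes as bare:", same_selection(CRAFTED, BARE))
```

In this model the crafted request differs from the normal one only because it falls back to the default listing, which is the triage question for reports like this: does the altered request reach data that an ordinary public request could not?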
Thanks Ed :)
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form]
Thank you for the well detailed explanation! I was not 100% sure about this one, but I just wanted to be sure if it would not lead in any case to a security issue. Sorry I didn't want to waste your time.
Whiteboard: [reporter-external] [web-bounty-form] → [reporter-external] [web-bounty-form] [verif?]
Not a problem - we'd rather people report potential problems like this than keep quiet because they are not sure :)
Good to know that you guys care about security!! :)
Flags: sec-bounty? → sec-bounty-