Closed Bug 1353153 Opened 9 years ago Closed 7 years ago

Denial Of Service infinite Redirect

Categories

(developer.mozilla.org :: Security, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: diogoreal93, Unassigned)

Details

(Keywords: reporter-external, sec-moderate, wsec-dos, Whiteboard: [reporter-external] [web-bounty-form])

Hi, I was testing CRLF injection (http://developer.mozilla.com/%3f%0dSet-Cookie:crlf=injection%3b). When I open the URL it starts redirecting until the header URL is too big. This is a really strange behavior. From my research the redirects happen because of the encoded ? (%3F).

How I would exploit this: create an HTML page:

<html>
<img src="https://developer.mozilla.org/%3F/Random1/"></img>
<img src="https://developer.mozilla.org/%3F/Random2/"></img>
<img src="https://developer.mozilla.org/%3F/Random3/"></img>
<img src="https://developer.mozilla.org/%3F/Random4/"></img>
<img src="https://developer.mozilla.org/%3F/Random5/"></img>
<img src="https://developer.mozilla.org/%3F/Random6/"></img>
<img src="https://developer.mozilla.org/%3F/Random7/"></img>
<img src="https://developer.mozilla.org/%3F/Random8/"></img>
<img src="https://developer.mozilla.org/%3F/Random9/"></img>
</html>

Each user that opens the HTML page would be attacking your website; for each img src I add, it increases the requests that users make to your website.

Thanks,
Diogo Real
Flags: sec-bounty?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: wsec-dos
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form]
Thanks Diogo! Nice find, I can confirm the issue on Firefox and Chrome.

Assigned sec-moderate for temporary DOS/error handling issues.

Note that MDN isn't eligible for bug bounties, but we appreciate your hard work nonetheless.

https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs

+jwhitlock Presumably we need to not redirect to ourselves.
Component: Other → Security
Flags: needinfo?(jwhitlock)
Keywords: sec-moderate
Product: Websites → Mozilla Developer Network
I've confirmed this on the staging and production servers. It doesn't happen in local deployments, or in the beta cloud deployments, so it is likely an Apache configuration, the load balancer, or some combination. CCing fox2mike, w0ts0n in case they've seen something like this before.

The first bits of the chain w/ curl:

https://developer.mozilla.org/%3F/Random1/
https://developer.mozilla.org/%3F/Random1/en-US/?/Random1/
https://developer.mozilla.org/%3F/Random1/en-US/en-US/?/Random1/en-US/&/Random1/
https://developer.mozilla.org/%3F/Random1/en-US/en-US/en-US/?/Random1/en-US/en-US/&/Random1/en-US/&/Random1/

The addition of the "en-US" looks like the Kuma backend, so it may be possible to solve it there as well. More investigation needed.
Flags: needinfo?(jwhitlock)
(In reply to Greg Guthe [:g-k] from comment #1)
> Thanks Diogo! Nice find, I can confirm the issue on Firefox and Chrome.
>
> Assigned sec-moderate for temporary DOS/error handling issues.
>
> Note that MDN isn't eligible for bug bounties, but we appreciate your hard
> work nonetheless.
>
> https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs
>
> +jwhitlock Presumably we need to not redirect to ourselves.

Yeah, I know it isn't eligible. This was found while testing CRLF injection. If I managed to inject cookies in developer.mozilla.org this would affect all other mozilla.org domains. Example:

https://developer.mozilla.org/%23%0dSet-Cookie:crlf=injection;domain=.mozilla.org;

But since I got this weird redirect I decided to report it anyway. Too bad the developer network was removed from the bug bounty.

Thanks,
Diogo Real
sec-bounty-'d (not an eligible bounty site)
Flags: sec-bounty? → sec-bounty-
I noticed this bug was still open and wanted to recheck. Since 2 years ago:

* We're no longer using Apache, and have migrated the Apache redirects to Django (bug 1362438)
* We've replaced our locale middleware, which may have been responsible for the redirect (bug 1461350). This is my guess for the change that fixed it.
* We've updated from Django 1.8 to 1.11 (bug 1401246)
* Many, many other changes.

https://developer.mozilla.org/%3F/Random1/ is now a 404 rather than a redirect. Also, the cookie injection URLs in this bug are still 404s.

Since we share so much code with Kitsune, I also checked this:

https://support.mozilla.org/%3F/Random1/

This is a 302 redirect to https://support.mozilla.org/en-US/%3F/Random1/, which is a 404, so it appears to avoid the infinite redirect bug.

g-k, can you confirm the fix and drop the security-sensitive flag?
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(gguthe)
Resolution: --- → FIXED
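A regression check for the behaviour discussed in comments #2 and #4, added here as an illustration and not Kuma's, MDN's or Kitsune's own code. It has two parts: a redirect follower that stops as soon as a Location merely appends segments to the URL that produced it (the pattern in the curl chain from comment #2, whose three visible hops are embedded as a constructed lookup table), and a hardened locale-prefix handler of the kind a locale middleware needs, which decides and builds its Location from the same decoded path and never redirects a request to itself. The function names, the rule that an encoded `?` in the path yields a 404, and the `en-US` default are assumptions; the actual fix recorded on the page is the middleware replacement in bug 1461350.

```python
from urllib.parse import unquote, urlsplit

LOCALE = "en-US"
MAX_HOPS = 10
BASE = "https://developer.mozilla.org"

# Constructed lookup table reproducing the hops quoted in comment #2; the
# last URL deliberately has no entry because the page shows no further hops.
OBSERVED_CHAIN = {
    BASE + "/%3F/Random1/":
        BASE + "/%3F/Random1/en-US/?/Random1/",
    BASE + "/%3F/Random1/en-US/?/Random1/":
        BASE + "/%3F/Random1/en-US/en-US/?/Random1/en-US/&/Random1/",
    BASE + "/%3F/Random1/en-US/en-US/?/Random1/en-US/&/Random1/":
        BASE + "/%3F/Random1/en-US/en-US/en-US/?/Random1/en-US/en-US/&/Random1/en-US/&/Random1/",
}


def scripted_fetch(url):
    """Stand-in for an HTTP GET against the old servers: (status, Location)."""
    if url in OBSERVED_CHAIN:
        return 302, OBSERVED_CHAIN[url]
    return 200, None


def follow_redirects(url, fetch, max_hops=MAX_HOPS):
    """Follow 3xx responses like a browser, but stop and report as soon as the
    chain looks pathological: a URL already visited ("cycle"), a same-host
    Location that merely appends path segments to the URL that produced it
    ("self-extending"), or more than max_hops hops ("hop-limit")."""
    seen = {url}
    for hop in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or location is None:
            return {"status": status, "url": url, "hops": hop, "reason": "final"}
        if location in seen:
            return {"status": status, "url": location, "hops": hop + 1, "reason": "cycle"}
        same_host = urlsplit(location).netloc == urlsplit(url).netloc
        # A bare trailing-slash redirect (/docs -> /docs/) is normal; anything
        # that appends real segments to its own URL is the pattern seen here.
        extra = location[len(url):] if location.startswith(url) else ""
        if same_host and extra.strip("/"):
            return {"status": status, "url": location, "hops": hop + 1, "reason": "self-extending"}
        seen.add(location)
        url = location
    return {"status": None, "url": url, "hops": max_hops, "reason": "hop-limit"}


def safe_locale_redirect(path):
    """Hypothetical hardened locale prefixing for a request path: check and
    build the Location from the same decoded path, refuse paths whose decoded
    form would not round-trip through a URL (a literal '?' or '#'), and never
    answer a request with a redirect to itself. Returns (status, Location)."""
    decoded = unquote(path)
    if decoded.startswith("/" + LOCALE + "/"):
        return 200, None
    if not decoded.startswith("/") or any(c in decoded for c in "?#"):
        return 404, None
    target = "/" + LOCALE + decoded
    if target == path:  # belt-and-braces: a redirect to ourselves is never useful
        return 404, None
    return 302, target


def fetch_via(handler, base=BASE):
    """Adapt a path-level handler to the (url) -> (status, Location) shape."""
    def fetch(url):
        status, target = handler(urlsplit(url).path)
        return status, (base + target if target else None)
    return fetch


if __name__ == "__main__":
    print(follow_redirects(BASE + "/%3F/Random1/", scripted_fetch))
    print(follow_redirects(BASE + "/%3F/Random1/", fetch_via(safe_locale_redirect)))
    print(follow_redirects(BASE + "/Random1/", fetch_via(safe_locale_redirect)))
```

Run against the recorded chain, `follow_redirects` flags the very first hop as self-extending, which is the signal a monitoring probe or integration test would alert on; run against the hardened handler, the encoded-`?` path is answered with a 404 in zero hops and an ordinary path gets exactly one locale redirect before a 200.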
Looks good to me. Lifting the security flag. Thanks for following up :jwhitlock and thanks again for the report Diogo.
Group: websites-security
Status: RESOLVED → VERIFIED
Flags: needinfo?(gguthe)