Bug 1364253 (Closed): Unauthorized access to run DB queries in https://arewefastyet.com/regressions folder
Status: RESOLVED FIXED
Opened 9 years ago; closed 9 years ago
Category: Websites :: Other, defect
Tracking: Not tracked
Reporter: vladimirmetnew; Unassigned
Keywords: reporter-external, wsec-authorization
Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Description
As described here: https://blog.mozilla.org/security/2017/05/11/relaunching-web-bug-bounty-program/ arewefastyet.com is a very important app for the Mozilla team.
Sources for this project are available on GitHub: https://github.com/mozilla/arewefastyet/blob/2696cbea7fbbe50c3a8cbf70a0ac3c70f135852e/website/regressions/data-revision.php#L17
Repro:
GET request to https://arewefastyet.com/regressions/data-revision.php - you can see that MySQL throws an error.
Make a POST request with fields like:
{
"mode":1,
"rev":" LIMIT 2-- ",
"machine": "\"1",
"id": "\"1"
}
This leads to request execution, so malformed SQL commands can be passed inside the required fields.
Look at this line: https://github.com/mozilla/arewefastyet/blob/2696cbea7fbbe50c3a8cbf70a0ac3c70f135852e/website/regressions/data-revision.php#L17
You can find the `preg_replace` function, but according to this post https://stackoverflow.com/questions/3115559/exploitable-php-functions preg_replace at first executes the passed parameters. And the $rev field from the JSON isn't sanitized, so we can pass PHP commands into the $rev param to execute commands.
Flags: sec-bounty?
Comment 1 (Reporter) • 9 years ago
It looks like it's a problem with auth. This script doesn't call the has_permission() function as the other PHP scripts in the repo do. Like this:
https://github.com/mozilla/arewefastyet/blob/2696cbea7fbbe50c3a8cbf70a0ac3c70f135852e/website/regressions/change-bug.php#L10-L11
Comment 2 (Reporter) • 9 years ago
Guys, I just found that other scripts in this folder are vulnerable too. Example: https://arewefastyet.com/regressions/data-score.php (SQLi)
Comment 3 (Reporter) • 9 years ago
+ data-submit.php in this folder
Comment 4 (Reporter) • 9 years ago
+ data-search.php
Updated (Reporter) • 9 years ago
Summary: RCE and SQLi at https://arewefastyet.com/regressions/data-revision.php → RCE and multiple SQLi at https://arewefastyet.com/regressions
Comment 5 (Reporter) • 9 years ago
Sorry, maybe I need to separate this report into a few reports, one for every vulnerability? (no auth protection on a few endpoints, RCE, a few SQLis)
Summary: RCE and multiple SQLi at https://arewefastyet.com/regressions → RCE and SQLi at https://arewefastyet.com/regressions/data-revision.php
Updated (Reporter) • 9 years ago
Summary: RCE and SQLi at https://arewefastyet.com/regressions/data-revision.php → RCE and few SQLi at https://arewefastyet.com/regressions
Updated (Reporter) • 9 years ago
Summary: RCE and few SQLi at https://arewefastyet.com/regressions → RCE and SQLi at https://arewefastyet.com/regressions
Updated (Reporter) • 9 years ago
Summary: RCE and SQLi at https://arewefastyet.com/regressions → Unauthorized access to run DB queries in https://arewefastyet.com/regressions folder
Comment 6 (Reporter) • 9 years ago
Sorry for all these comments; I need to say that there is no RCE or SQLi on this resource. Sorry for the panic.
But an unauthorized user is allowed to run PHP files in this folder that don't call the has_permission() function. As I understand it, it's a bug, because an unauthorized user shouldn't have access to run these files.
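The check a maintainer would want after a report like this is an inventory of which scripts in the folder actually carry the guard. The following is an added illustration, not code from the arewefastyet project: a small Python audit that lists the .php files in a directory that never call has_permission() outside a comment. The auth include pattern and the sample file contents are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# has_permission() is the guard the bug thread names. Treating an include of an
# "auth*.php" file as an equivalent guard is an assumption for illustration only.
GUARD_CALL = re.compile(r"\bhas_permission\s*\(")
GUARD_INCLUDE = re.compile(
    r"\b(require|include)(_once)?\s*\(?\s*['\"][^'\"]*auth[^'\"]*\.php['\"]")
# Rough PHP comment stripper (/* */, //, #) so a commented-out guard does not count.
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)


def is_guarded(source: str) -> bool:
    """True if the PHP source calls has_permission() or pulls in an auth include
    in live code (not inside a comment)."""
    code = COMMENT.sub("", source)
    return bool(GUARD_CALL.search(code) or GUARD_INCLUDE.search(code))


def unguarded_scripts(folder: str) -> list:
    """Return the .php files in folder (sorted) that lack an authorization guard."""
    missing = []
    for name in sorted(os.listdir(folder)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(folder, name), encoding="utf-8") as fh:
            if not is_guarded(fh.read()):
                missing.append(name)
    return missing


# Constructed sample folder modelled on the thread: one script with the guard,
# one whose guard is only inside a comment, two with no guard at all.
SAMPLES = {
    "change-bug.php": "<?php\nrequire_once('internals.php');\n"
                      "if (!has_permission()) { die('no permission'); }\n",
    "data-revision.php": "<?php\n// if (!has_permission()) die();\n$rev = $_POST['rev'];\n",
    "data-search.php": "<?php\n$q = $_POST['q'];\n",
    "data-score.php": "<?php\n$id = $_POST['id'];\n",
}


def demo() -> list:
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as folder:
        for name, body in SAMPLES.items():
            with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return unguarded_scripts(folder)


if __name__ == "__main__":
    print("scripts missing an auth guard:", demo())
```

Run it against a real checkout by calling unguarded_scripts() on the regressions directory; the regex approach is a triage aid, not a substitute for reading each flagged file.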
Thanks for the report vladimirmetnew.
+garndt: are missing permission checks data-submit.php, data-search.php, data-revision.php or are unauthed users allowed to access them?
Flags: needinfo?(garndt)
Keywords: wsec-authorization
Comment 8 • 9 years ago
Hrm, I do not recall working on areweslimyet. Do you mean someone else?
Flags: needinfo?(garndt)
Comment 9 • 9 years ago
sorry, I mean arewefastyet...same applies though :)
Comment 10 • 9 years ago
-garndt
+h4writer,dvander: are we missing permission checks on data-submit.php, data-search.php, data-revision.php or are unauthed users allowed to access them?
Flags: needinfo?(hv1989)
Flags: needinfo?(dvander)
Hannes is no longer at Mozilla. I think bbouvier handles AWFY now.
Flags: needinfo?(hv1989)
Flags: needinfo?(dvander)
Flags: needinfo?(bbouvier)
Comment 12 • 9 years ago
(In reply to Vladimir Metnew from comment #6)
> Sorry, for all these comments, I need to say that there is no RCE and SQLi
> on these resource. Sorry for the panic.
> But unauthorized user is allowed to run php files in this folder that don't
> call has_permission() function. As I understand it's a bug, because
> unauthorized user shouldn't have access to run these files.
Agreed with this: inputs are sanitized anyway, so there's no risk of RCE (the /e modifier of preg_replace isn't used) nor SQLi (inputs are sanitized).
I'll add signin guards to these pages.
Comment 13 • 9 years ago
Fixed by https://github.com/mozilla/arewefastyet/commit/443bba25a8523fbde868d6239789690307cd52f0, now most pages are behind a sign-in page.
Thanks for the report, once again!
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bbouvier)
Resolution: --- → FIXED
Comment 15 • 9 years ago
This site is not eligible for a bug bounty payout, but it is eligible for our Hall of Fame. How would you like to be credited on our hall of fame, including URL?
Thanks!
Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-
Comment 16 (Reporter) • 9 years ago
Yes, thanks for HoF, name: Vladimir Metnew, url: https://github.com/Metnew .
Updated • 2 years ago
Keywords: reporter-external