Closed
Bug 1450914
Opened 7 years ago
Closed 7 years ago
https://relman-ci.mozilla.org is hosting a public Jenkins instance
Categories
(Release Engineering :: Release Automation, defect)
Release Engineering
Release Automation
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: leetwhitehat, Unassigned)
References
()
Details
(Keywords: reporter-external, sec-low, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(2 files)
Anyone is able to access the admin dashboard of your jenkins product. There is no username and password set.
This can lead to
- Unauthorized access
- Breach Of CIA
- Information loss
- Access escalation and much high risks
Fix/Solution:
Add an authorization/authentication
Steps to reproduce:
just visit.
Flags: sec-bounty?
Comment 1 (Reporter) • 7 years ago
Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery.
Since there is admin access, it is possible to install plugins, execute jenkins code... etc :)
Which is very risky of course...
you need to set a proper authentication/authorization as soon as you can...
http://prntscr.com/j06ogu <-- Proof that I got access.
Steps to reproduce:
1) Open your browser.
2) https://relman-ci.mozilla.org <--- Visit this link
3) You will automatically get admin access, as by default there is no username/password set on your jenkins product....
4) Congratulations, you've gained admin access!
Attack Scenario:
Jim is a hacker with malicious intentions. He finds this link, gets admin access and plays with the plugins and stuff in your jenkins server, which messes everything up.
Comment 2 • 7 years ago
chaos_le_red: Thanks for your report. Based on your screenshot and my own visiting of the site, it appears as though what you're viewing is "read-only" access to Jenkins. Yes, this provides the ability to users to attempt login, but your screenshot does not demonstrate a logged in session. I can see ways for us to improve the security on this site (maybe perhaps make this non-public or add strong authentication controls), and will ask the service owner to review their options, but I believe your claim of an auth bypass is incorrect. I do welcome you to provide evidence that suggests otherwise, as what you claim would be a serious issue if you could demonstrate it.
Updated • 7 years ago
Keywords: sec-low
Summary: Auth Bypass To Jenkins Product Dashboard → https://relman-ci.mozilla.org is hosting a public Jenkins instance
Comment 3 (Reporter) • 7 years ago
Hey there,
Thank you for your reply.
By default, Jenkins has no authentication set and it seems the site owner is using the default setting, due to which there is no authentication out there, which makes confidential information leak to the public.
If you take a look at the application, you can see some sensitive data being leaked. It is not an authorization bypass but is of course a lack of authorization/authentication (security misconfiguration).
I am not logged in because, the login is disabled by default since no credentials are set by the site owner.
I request you to file a bug based on this and ask the site owner to make proper authentication/authorization settings.
Comment 4 (Reporter) • 7 years ago
Comment 5 • 7 years ago
Could you please let us know what kind of confidential information you saw? Thanks
Comment 6 • 7 years ago
chaos_le_red: I believe your assessment that this site does not have authentication is incorrect. I do invite you to provide evidence of being able to, say, create a job and take a screenshot to demonstrate your claim. I'm also interested in whether you can demonstrate any sensitive data leak on these jobs, again with evidence.
Comment 7 (Reporter) • 7 years ago
1) I can see all the users along with their name and email
https://relman-ci.mozilla.org/asynchPeople/
2) I can see console output of various projects
https://relman-ci.mozilla.org/job/firefox-scan-build/1120/console
3) I can see build information of various projects and access your projects data
https://relman-ci.mozilla.org/job/firefox-scan-build/1120/configure
4) I have access to the credentials tab, which shows credentials of SSH with private key
Comment 8 (Reporter) • 7 years ago
I am not able to do any actions there, I agree, but I can still view information.
Is all that information above meant to be public?
Comment 9 • 7 years ago
(In reply to chaos_le_red from comment #7)
> 1) I can see all the users along with their name and email
> https://relman-ci.mozilla.org/asynchPeople/
This is extracted from the git log. This information is available on GitHub too.
> 2) I can see console output of various projects
> https://relman-ci.mozilla.org/job/firefox-scan-build/1120/console
This is by design. I don't have any reason to hide it.
There is no confidential information here.
> 3) I can see build information of various projects and access your projects
> data
> https://relman-ci.mozilla.org/job/firefox-scan-build/1120/configure
Same as 2)
> 4) I have access to credentials tab which shows credenyials of SSH with
> private key
Could you please share the URL or the data?
Comment 10 (Reporter) • 7 years ago
Comment 11 • 7 years ago
(In reply to chaos_le_red from comment #10)
> https://relman-ci.mozilla.org/credentials/store/system/domain/_/
This does not expose the key itself; you're simply seeing a reference to it. If you could demonstrate actually viewing the key (like the actual secret) then I would agree it's an issue, but I don't believe that is the case here.
Comment 12 (Reporter) • 7 years ago
I see :/
So this is not valid?
Comment 13 • 7 years ago
chaos_le_red: Although we appreciate your report and recognize there might be ways to improve the security posture of this site, the issues you raised (auth bypass and confidential information disclosure) were not substantiated with evidence and in our investigation and poking around the site on our own, we were not able to verify the claim. Because of this, I'm marking the bug invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Comment 14 (Reporter) • 7 years ago
Can you take a possible suggestion to add a login page if possible?
Comment 15 • 7 years ago
Comment 16 • 7 years ago
chaos_le_red: I have added a screenshot of the page, which demonstrates where one would log in. The intent of having the jobs be publicly readable is fully intentional by the service owner, so requiring a full-screen login before seeing the job status runs counter to what they are trying to achieve. I hope that helps explain the context a bit better.
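To make the distinction drawn in the last few comments concrete (anonymous read-only access versus anonymous administrator access), here is an added illustration, not Mozilla's configuration and not part of this bug, written as Jenkins Configuration as Code (JCasC plugin) fragments. The `ci-admin` user id and the `${ADMIN_PASSWORD}` variable are placeholders; the key names follow the JCasC plugin's `jenkins.securityRealm` / `jenkins.authorizationStrategy` schema, which can change between plugin versions, so check them against the schema of the version you run.

```yaml
# Added example, not from the bug or from the relman-ci configuration.
# Two JCasC documents: first the state the reporter assumed, then the state
# the triager describes (public job status, login required for everything else).

# Document 1: the misconfiguration the report assumed.
# "unsecured" grants every visitor, anonymous included, Overall/Administer:
# installing plugins, editing jobs and using the script console. Never ship this.
jenkins:
  authorizationStrategy: "unsecured"
---
# Document 2: public read-only dashboard with authenticated administration.
# Anonymous visitors can view jobs, build history and console output (the
# service owner's stated intent); any write action requires logging in.
jenkins:
  securityRealm:
    local:
      allowsSignup: false                 # no self-registration on a public instance
      users:
        - id: "ci-admin"                  # placeholder account id
          password: "${ADMIN_PASSWORD}"   # injected from the environment, never committed
  authorizationStrategy:
    loggedInUsersCanDoAnything:
      allowAnonymousRead: true            # set to false to hide job status from the public
```

Under the second configuration an anonymous visitor sees the dashboard plus a "log in" link in the header (the situation shown in the screenshot discussed above), and `/whoAmI/api/json` reports `"anonymous": true` for that session; the pages under `/credentials/` list credential IDs and descriptions only, never the secret material, which matches what comment 11 explains. If per-job or per-permission control is needed rather than "anyone logged in may do anything", the Matrix Authorization Strategy plugin is the usual next step.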
Comment 17 (Reporter) • 7 years ago
Okay, can you click on that login and show me you getting navigated to the login page?
Comment 18 • 7 years ago
Comment 19 (Reporter) • 7 years ago
Weird, it didn't redirect me..
Anyway, sorry for reporting the false positive stuff and thank you for your valuable time..
Comment 20 • 7 years ago
(In reply to chaos_le_red from comment #19)
> Weird, it didn't redirect me..
>
> Anyway, sorry for reporting the false positive stuff and thank you for your
> valuable time..
No worries, thanks for reaching out. Better safe than sorry.
Updated • 7 years ago
Group: websites-security → mozilla-confidential
Component: Other → Release Automation
Product: Websites → Release Engineering
QA Contact: catlee
Updated • 7 years ago
Flags: sec-bounty? → sec-bounty-
Updated • 7 years ago
Group: mozilla-confidential
Updated • 1 year ago
Keywords: reporter-external