open redirect in [pollbot.services.mozilla.com]
Categories
(Release Engineering :: General, defect)
Tracking
(Not tracked)
People
(Reporter: sydaslam297, Assigned: bhearsum)
References
()
Details
(Keywords: wsec-redirect, Whiteboard: [reporter-external] [web-bounty-form])
Summary:
There is an open redirection vulnerability in the path of:
https://pollbot.services.mozilla.com/
Description:
An attacker can redirect anyone to malicious sites.
Steps To Reproduce:
Type in this URL:
https://pollbot.services.mozilla.com//evil.com/
As you can see, it redirects to that website when you inject this payload:
//evil.com/
evil.com was used as an example, but this could be any website. Note: the // is the bypass.
Supporting Material/References:
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
Impact
Attackers can serve malicious websites that steal passwords or download ransomware to their victim's machine due to a redirect, and there are a heap of other attack vectors.
Comment 1•2 years ago
Confirmed the PoC. Thank you for the report.
:bhearsum - Are you the correct person to contact for pollbot issues?
Comment 2•2 years ago
(In reply to AJ Bahnken [:ajvb] from comment #1)
> Confirmed the PoC. Thank you for the report.
> :bhearsum - Are you the correct person to contact for pollbot issues?

Yes
Comment 3•2 years ago
Fix is on master, verified on stage. Should be deployed to prod today (see https://bugzilla.mozilla.org/show_bug.cgi?id=1695673)
Comment 4•2 years ago
This is fixed in prod now, thank you very much for reporting it! I ended up opening a GitHub Security Advisory for it (mostly so I could play around with them). Here's a link to that, for posterity: https://github.com/mozilla/PollBot/security/advisories/GHSA-jhgx-wmq8-jc24
Comment 5•2 years ago
Thank you for your fast response!
Is it eligible for HOF?
(In reply to Eslam Sayed from comment #5)
> Thank you for your fast response!
> Is it eligible for HOF?

Hi Eslam, yes the bounty committee will meet in the next couple weeks to decide on HoF.
Can verify I get a 404 now:
curl -w '\n' -k 'https://pollbot.services.mozilla.com//evil.com'
{"status": 404, "message": "Page '//evil.com' not found"}
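The bypass described in the report (a path beginning with `//`) and the 404 behaviour verified with curl above, as an added Python example that is not part of this bug or of PollBot's own code. It places a constructed vulnerable redirect pattern beside a hardened one that only redirects to a validated same-origin path; the origin `https://pollbot.example`, the route table and the `/firefox/` paths are assumptions for the demo, and the 404 body deliberately mirrors the one in the curl output.

```python
import json
import re
from urllib.parse import urljoin, urlsplit

# Hypothetical origin and route table for the demo (not PollBot's real routes).
SITE_ORIGIN = "https://pollbot.example"
KNOWN_PAGES = {"/", "/firefox/", "/devedition/"}


def vulnerable_redirect(raw_path: str) -> tuple[int, dict]:
    """Constructed VULNERABLE pattern (not PollBot's code): a canonical-URL
    redirect that strips trailing slashes and reflects the result into
    Location. '//evil.com/' becomes '//evil.com', which a browser resolves as
    a scheme-relative URL to https://evil.com/ -- the open redirect."""
    location = raw_path.rstrip("/") or "/"
    if location != raw_path:
        return 302, {"status": 302, "location": location}
    return 404, {"status": 404, "message": f"Page '{raw_path}' not found"}


def is_same_origin_path(target: str, origin: str = SITE_ORIGIN) -> bool:
    """True only if `target` is a plain path that resolves onto `origin`.

    Rejects absolute URLs, scheme-relative '//host', the extra-slash variant
    '///host' (browsers collapse the slashes), and backslash variants such as
    '/\\host' that the WHATWG URL parser treats as '//host'.
    """
    if target.startswith("//") or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    # Resolve against the origin and confirm we are still on it.
    resolved = urlsplit(urljoin(origin + "/", target))
    origin_parts = urlsplit(origin)
    return (resolved.scheme, resolved.netloc) == (origin_parts.scheme, origin_parts.netloc)


def normalize_path(raw_path: str):
    """Collapse duplicate slashes, but only for a value already proven local."""
    if not is_same_origin_path(raw_path):
        return None
    return re.sub(r"/{2,}", "/", raw_path)


def hardened_redirect(raw_path: str) -> tuple[int, dict]:
    """Hardened handler: serve known pages, redirect only to a validated and
    normalised local path, and otherwise return a 404 body in the shape seen
    in the curl check above."""
    if raw_path in KNOWN_PAGES:
        return 200, {"status": 200, "page": raw_path}
    candidate = normalize_path(raw_path)
    if candidate is not None and candidate in KNOWN_PAGES:
        return 301, {"status": 301, "location": candidate}
    return 404, {"status": 404, "message": f"Page '{raw_path}' not found"}


if __name__ == "__main__":
    for path in ("//evil.com/", "///evil.com", "/\\evil.com", "/firefox//", "/firefox/"):
        print(f"{path!r:18} vulnerable={vulnerable_redirect(path)[0]} "
              f"hardened={json.dumps(hardened_redirect(path)[1])}")
```

The key design choice is that the `//` check runs on the raw string before any parsing or slash-collapsing: `urlsplit` alone misses `///evil.com` and `/\evil.com`, both of which browsers treat as scheme-relative, and collapsing slashes first would turn `//evil.com` into a harmless-looking `/evil.com` while the reflected `Location` still carried the original.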
Comment 9•1 year ago
(In reply to Daniel Veditz [:dveditz] from comment #8)
> This was assigned CVE-2021-21354

Hello Daniel,
Can you add credits to me on the GitHub advisory page?
Here's my GitHub account link:
https://github.com/eslamXxX156
Thank you
Regards.
Comment 10•1 year ago
> Can you add credits to me on the GitHub advisory page?

I cannot, but Ben should be able to (see comment 4)
Comment 11•1 year ago
(In reply to Daniel Veditz [:dveditz] from comment #10)
> > Can you add credits to me on the GitHub advisory page?
>
> I cannot, but Ben should be able to (see comment 4)

I no longer have access to this repo. Geoff should be able to do it.
Comment 12•1 year ago
I recently added Credits for a Pollbot security advisory, but I find I cannot update this one: The "Update security advisory" button remains disabled for me even after adding the requested user.
https://docs.github.com/en/code-security/repository-security-advisories/editing-a-repository-security-advisory says "Only the creator of the advisory can credit you, ..."
Comment 13•1 year ago
(In reply to Geoff Brown [:gbrown] from comment #12)
> I recently added Credits for a Pollbot security advisory, but I find I cannot update this one: The "Update security advisory" button remains disabled for me even after adding the requested user.
> https://docs.github.com/en/code-security/repository-security-advisories/editing-a-repository-security-advisory says "Only the creator of the advisory can credit you, ..."

I hit this too -- it turns out it wanted one of the other fields to be filled out as well.
The credit should be updated now.