Closed Bug 1711191 Opened 4 years ago Closed 4 years ago

createaccount.cgi request includes session token in URI

Categories

(bugzilla.mozilla.org :: General, defect)

RESOLVED FIXED

People

(Reporter: komalaim6, Assigned: dkl)

Details

(Keywords: reporter-external, sec-low, wsec-disclosure)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0

Steps to reproduce:

Host: https://bugzilla.mozilla.org
Path: /createaccount.cgi

The response contains the following links that appear to contain session tokens:
https://bugzilla.mozilla.org/createaccount.cgi?login=komalaim6%40gmail.com&token=1620977206-YHVYuCJmkA5UHQkOMkZoMM2K2y7mXUFbEDebwNM1prg?GoAheadAndLogIn=1

Request
POST /createaccount.cgi HTTP/1.1
Host: bugzilla.mozilla.org
Cookie: _ga=GA1.2.1055108644.1618625750; Bugzilla_login_request_cookie=TJ6YtU9cn8; github_secret=V0VKkaffEMJxay5CdJ6cNEtrWofdi9HYPDTgoF5XkN6brz7HrTBNZutm5X8kA4Wgkm8W8rf49WHFfIWa56iFl91wwZ5jyHQPrA50Inx5b7AcQfeXhdAFHOOHUVJi84uw54ZeXWmuokeoPGAXuzPwPUKdMzAJAnjh2gYD692hj8teEJwvP0kt0wz2eveDM3clBrbFYwgdaifV8jrrbzOlj89Yx5x0Z5UuIB1KoJMe4mXbHaa8jSQg0HiZlmvGrID3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://bugzilla.mozilla.org/createaccount.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
Origin: https://bugzilla.mozilla.org
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

login=komalaim6%40gmail.com&token=1620977206-YHVYuCJmkA5UHQkOMkZoMM2K2y7mXUFbEDebwNM1prg

Response
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: default-src 'self'; worker-src 'none'; connect-src 'self' https://product-details.mozilla.org https://www.google-analytics.com https://treeherder.mozilla.org/api/failurecount/ https://crash-stats.mozilla.org/api/SuperSearch/; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https://secure.gravatar.com; object-src 'none'; script-src 'self' 'nonce-Qbg3XCnvLNO3VsIeBCKiEFNsxqukXQr5oyT7u5o3mldieXYH' 'unsafe-inline' https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; frame-src https://crash-stop-addon.herokuapp.com; frame-ancestors 'self'; form-action 'self' https://www.google.com/search https://github.com/login/oauth/authorize https://github.com/login https://phabricator.services.mozilla.com/
Content-Type: text/html; charset=UTF-8
Date: Fri, 14 May 2021 07:27:13 GMT
Referrer-policy: same-origin
Server: openresty/1.17.8.2
Set-Cookie: github_secret=V0VKkaffEMJxay5CdJ6cNEtrWofdi9HYPDTgoF5XkN6brz7HrTBNZutm5X8kA4Wgkm8W8rf49WHFfIWa56iFl91wwZ5jyHQPrA50Inx5b7AcQfeXhdAFHOOHUVJi84uw54ZeXWmuokeoPGAXuzPwPUKdMzAJAnjh2gYD692hj8teEJwvP0kt0wz2eveDM3clBrbFYwgdaifV8jrrbzOlj89Yx5x0Z5UuIB1KoJMe4mXbHaa8jSQg0HiZlmvGrID3; path=/; secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-content-type-options: nosniff
X-frame-options: SAMEORIGIN
X-xss-protection: 1; mode=block
Connection: Close
Content-Length: 12394

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta property="og:type" content="website">
<meta property="og:title" content="
Request for new user account 'komalaim6@gma
...[SNIP]...
<li id="mini_login_container_top">
<a id="login_link_top" href="/createaccount.cgi?login=komalaim6%40gmail.com&token=1620977206-YHVYuCJmkA5UHQkOMkZoMM2K2y7mXUFbEDebwNM1prg?GoAheadAndLogIn=1"
class='show_mini_login_form' data-qs-suffix="_top">Log In</a>
...[SNIP]...
<li id="forgot_container_top">
<a id="forgot_link_top" href="/createaccount.cgi?login=komalaim6%40gmail.com&token=1620977206-YHVYuCJmkA5UHQkOMkZoMM2K2y7mXUFbEDebwNM1prg?GoAheadAndLogIn=1#forgot"
class='show_forgot_form'
data-qs-suffix="_top">Forgot Password</a>
...[SNIP]...

Actual results:

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Expected results:

Issue remediation
Applications should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
Vulnerability classifications
• CWE-200: Information Exposure
• CWE-384: Session Fixation
• CWE-598: Information Exposure Through Query Strings in GET Request
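The risk and remediation described in the report, turned into a small defender-side check. This is an added example, not part of the report and not Bugzilla's own code: it scans an HTML response for links whose query string carries a secret-bearing parameter (what the scanner flagged above), then shows the two rewrites a defender wants, dropping the parameter when links are generated and redacting its value before a URL reaches a log. It uses only the Python standard library. The sample HTML is constructed from the two links quoted in the response body with the real token replaced by a placeholder, and the SENSITIVE_PARAMS name list is an assumption.

```python
"""Find links that leak secrets through their query string, and show the two
defensive rewrites: strip the parameter (link generation) or redact its value
(logging). Added example; not Bugzilla code. SAMPLE_HTML is constructed from
the links in this report with the token replaced by a placeholder, and
SENSITIVE_PARAMS is an assumed list of parameter names."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names treated as secret-bearing (assumption; extend as needed).
SENSITIVE_PARAMS = {"token", "session", "sessionid", "sid", "apikey", "api_key", "password"}

# Constructed sample: the two links from the response in this report, token value
# replaced by a placeholder. Note the second '?' before GoAheadAndLogIn=1: a
# query string was appended to a URL that already carried one, so the parser
# below sees "?GoAheadAndLogIn=1" as part of the token value.
SAMPLE_HTML = """
<a id="login_link_top" href="/createaccount.cgi?login=komalaim6%40gmail.com&amp;token=1620977206-TOKENPLACEHOLDER?GoAheadAndLogIn=1">Log In</a>
<a id="forgot_link_top" href="/createaccount.cgi?login=komalaim6%40gmail.com&amp;token=1620977206-TOKENPLACEHOLDER?GoAheadAndLogIn=1#forgot">Forgot Password</a>
<a href="/page.cgi?id=about">About</a>
"""


class LinkCollector(HTMLParser):
    """Collect href/action/src attribute values from a document."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action", "src") and value:
                self.urls.append(value)


def _query_pairs(url):
    """Split a URL and return (parts, [(name, value), ...]) for its query."""
    parts = urlsplit(url)
    return parts, parse_qsl(parts.query, keep_blank_values=True)


def find_token_links(html):
    """Return [(url, [(param, value), ...])] for every link in `html` whose
    query string contains a sensitive parameter name."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        _, pairs = _query_pairs(url)
        hits = [(k, v) for k, v in pairs if k.lower() in SENSITIVE_PARAMS]
        if hits:
            findings.append((url, hits))
    return findings


def strip_sensitive_params(url):
    """Remediation for link generation: remove sensitive parameters from the
    URL. Returns (clean_url, removed) so the caller can carry the removed values
    in a cookie or a hidden POST field instead of the query string."""
    parts, pairs = _query_pairs(url)
    kept, removed = [], {}
    for name, value in pairs:
        if name.lower() in SENSITIVE_PARAMS:
            removed[name] = value
        else:
            kept.append((name, value))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))
    return clean, removed


def redact_for_log(url, mask="REDACTED"):
    """Defensive logging: keep the parameter name (useful for debugging) but
    replace its value before the URL is written to any log."""
    parts, pairs = _query_pairs(url)
    redacted = [(n, mask if n.lower() in SENSITIVE_PARAMS else v) for n, v in pairs]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(redacted), parts.fragment))


if __name__ == "__main__":
    for url, hits in find_token_links(SAMPLE_HTML):
        print("leaky link:", url)
        for name, value in hits:
            print("  %s=%s" % (name, value))
        clean, _ = strip_sensitive_params(url)
        print("  stripped:", clean)
        print("  for logs:", redact_for_log(url))
```

Running it on the sample reports both links and shows that the recovered `token` value ends in `?GoAheadAndLogIn=1`, which is a direct indication of how the link was built: the login and forgot-password links were derived from the current request URL, query string included, rather than from the bare path. The stripped form of the forgot-password link is `/createaccount.cgi?login=komalaim6%40gmail.com#forgot`, and a Referer or access log entry would carry `token=REDACTED` instead of the value.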

Group: firefox-core-security → bugzilla-security
Component: Untriaged → General
Product: Firefox → bugzilla.mozilla.org
Summary: Session token in URL → createaccount.cgi request includes session token in URI
Version: Firefox 88 → unspecified

Thanks for the report. The URL should indeed not have the extra token information included and we will create a patch for this issue.

Assignee: nobody → dkl
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: sec-bounty?
Attached patch 1711191_1.patch
Attachment #9232701 - Flags: review?(glob)
Comment on attachment 9232701 [details] [diff] [review]
1711191_1.patch

Review of attachment 9232701 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob
Attachment #9232701 - Flags: review?(glob) → review+

Merged to master. Will be live today.

Group: bugzilla-security

This change is now live.

Thanks :dkl and :glob.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty+