Open redirect vulnerability on pollbot.services.mozilla.com & pollbot.stage.mozaws.net can be used to trick users.
Categories
(Release Engineering :: General, defect)
Tracking
(Not tracked)
People
(Reporter: sampritdas0, Assigned: gbrown)
References
Details
(Keywords: reporter-external, sec-moderate, wsec-redirect)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Steps to reproduce:
Severity:- Medium (Score:- 5)
Vulnerable URL:- https://pollbot.services.mozilla.com
Description:-
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack, because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
Steps to reproduce:-
- Open https://pollbot.services.mozilla.com/v1/ in any browser.
- Then replace /v1/ with /%0a/evil.com/projectX.htm/
- So now the final URL will be https://pollbot.services.mozilla.com/%0a/evil.com/projectX.htm/. Send it to any victim; when they click on it, it will redirect to www.evil.com/projectX.htm
Impact:-
URL redirection or unvalidated open redirects are usually used in phishing attacks or malware delivery; they may confuse the end user about which site they are visiting.
- Attackers could redirect victims to vulgar sites such as porn sites, which can degrade the reputation of your site, as the redirection happened from your domain.
- Attackers could deliver malware or phishing pages in the name of your website and hence can steal user credentials.
As the front part of the URL is legitimate, an attacker can easily convince users to click on a maliciously crafted link, and hence could easily target users of pollbot.services.mozilla.com.
Actual results:
The application is not validating domains after /%0a/, and this leads to an open redirect.
Video PoC is attached below.
Reference:-
https://hackerone.com/reports/753399
https://hackerone.com/reports/692154
https://hackerone.com/reports/504751
Mitigation:-
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
Expected results:
The application should not redirect the user to the malicious domain
Comment hidden (obsolete)
Comment hidden (offtopic)
Comment hidden (duplicate)
Comment 4•3 years ago (John Whitlock [:jwhitlock])
This bug should be enough to route to the people who can triage and fix the issue. If you are asking about the bug bounty program, please review https://www.mozilla.org/en-US/security/, and perhaps email this bug reference to security@mozilla.org.
Comment 5•3 years ago (Reporter)
> (In reply to John Whitlock [:jwhitlock] from comment #4)
> This bug should be enough to route to the people who can triage and fix the issue. If you are asking about the bug bounty program, please review https://www.mozilla.org/en-US/security/, and perhaps email this bug reference to security@mozilla.org.
Yes, I was asking about the bug bounty program. Will I make a new report, or will I share the report ID with them?
Regards,
Samprit Das
Comment 6•3 years ago (Frida Kiriakos [:frida])
Hello Samprit,
Thank you for your report.
I have added the necessary flag to consider this bug in our web bug bounty program, for future reference, please use the bug bounty form when opening bugs: https://bugzilla.mozilla.org/form.web.bounty
I was able to reproduce the issue using https://pollbot.services.mozilla.com/%0A/duckduckgo.com/; note the URL needs to end in / for the redirection to work.
Thanks,
Frida
Comment 7•3 years ago (Frida Kiriakos [:frida])
Hello :aki:,
Can you please confirm whether this service is still in use and where so we can assess the impact?
Thanks,
Frida
Comment 8•3 years ago (Reporter)
> (In reply to Frida Kiriakos [:frida] from comment #6)
> Hello Samprit,
> Thank you for your report.
> I have added the necessary flag to consider this bug in our web bug bounty program, for future reference, please use the bug bounty form when opening bugs: https://bugzilla.mozilla.org/form.web.bounty
> I was able to reproduce the issue using https://pollbot.services.mozilla.com/%0A/duckduckgo.com/; note the URL needs to end in / for the redirection to work.
> Thanks,
> Frida
Hello Frida,
Thanks for the information, I will do that next time. Frida, I have got the same vulnerability in another domain: simply open https://pollbot.stage.mozaws.net/%0A/duckduckgo.com/ and you will see you get redirected to duckduckgo.com.
Regards,
Samprit Das
Comment 9•3 years ago (Assignee, Geoff Brown [:gbrown])
pollbot is used by https://github.com/mozilla/delivery-dashboard/, which in turn is used by Release Management. I don't know if there are other clients.
Comment 10•3 years ago (Assignee, Geoff Brown [:gbrown])
Fixed in pollbot 1.4.6, now deployed to both https://pollbot.stage.mozaws.net and https://pollbot.services.mozilla.com.
Comment 11•3 years ago (Reporter)
Hello Team,
As the vulnerability is fixed, and at https://nvd.nist.gov/vuln/detail/CVE-2021-21354 I can see that pollbot registers CVEs for fixed vulnerabilities based on its version, can you register a CVE with my name for this fixed vulnerability?
And also, team, can you please tell me whether this report will be eligible for a reward?
Regards,
Samprit Das
Comment 12•3 years ago (Frida Kiriakos [:frida])
Hello Samprit,
We will get back to you regarding registering a CVE.
Regarding the bounty, we meet on a weekly basis to discuss bounty awards so hopefully we will get back to you by next week.
Thanks,
Frida
Comment hidden (duplicate)
Comment 14•3 years ago (Daniel Veditz [:dveditz])
Hi Sampras: we will be adding you to our Hall of Fame and assigning a CVE for this bug (like bug 1694684). It is not eligible for a cash bounty, however.
Comment 15•3 years ago (Reporter)
> (In reply to Daniel Veditz [:dveditz] from comment #14)
> Hi Sampras: we will be adding you to our Hall of Fame and assigning a CVE for this bug (like bug 1694684). It is not eligible for a cash bounty, however.
Hello Daniel Veditz,
Thanks for the information. Please add my name as Samprit Das with my LinkedIn profile (https://www.linkedin.com/in/samprit-das-9805831a2) for the Hall of Fame as well as for the CVE.
Regards,
Samprit Das
Comment 16•3 years ago
CVE assigned; dropping you a ni to capture this for MITRE
Comment hidden (off-topic)
Comment hidden (off-topic)
Comment 19•3 years ago
Geoff: we need someone to create a GitHub advisory for this issue like https://github.com/mozilla/PollBot/security/advisories/GHSA-jhgx-wmq8-jc24, except reference this bug and CVE-2022-0637. Can you do that and post the link back here, or find someone who can? Looks like the previous one was created by bhearsum.
Comment hidden (off-topic)
Comment 21•3 years ago (Assignee, Geoff Brown [:gbrown])
https://github.com/mozilla/PollBot/security/advisories/GHSA-vg27-hr3v-3cqv
Comment 22•3 years ago (Reporter)
> (In reply to Geoff Brown [:gbrown] from comment #21)
> https://github.com/mozilla/PollBot/security/advisories/GHSA-vg27-hr3v-3cqv
Hello Geoff Brown,
If possible, can you please mention me on the advisory like this one: https://github.com/keystonejs/keystone/security/advisories/GHSA-hrgx-7j6v-xj82
Here are my GitHub and LinkedIn usernames:-
https://github.com/sampritdas8
https://www.linkedin.com/in/samprit-das-9805831a2/
Thank you,
Samprit Das
Comment 23•3 years ago (Assignee, Geoff Brown [:gbrown])
Advisory updated with thanks. Thanks again.
Comment 24•3 years ago (Reporter)
> (In reply to Geoff Brown [:gbrown] from comment #23)
> Advisory updated with thanks. Thanks again.
Hello Geoff Brown,
Still, my name is not showing on the advisory. Can you please confirm it from your side?
Regards,
Samprit Das
Comment 25•3 years ago (Assignee, Geoff Brown [:gbrown])
It's in the comment, near the bottom of the page: "Thanks to Samprit Das (@sampritdas8) for discovering and reporting this vulnerability."
Comment 26•3 years ago (Reporter)
> (In reply to Geoff Brown [:gbrown] from comment #25)
> It's in the comment, near the bottom of the page: "Thanks to Samprit Das (@sampritdas8) for discovering and reporting this vulnerability."
Hello Geoff Brown,
Actually, the advisory comment https://github.com/mozilla/PollBot/security/advisories/GHSA-vg27-hr3v-3cqv#advisory-comment-70908 is not showing publicly, so I am not able to see it, but I got a mail from GitHub that you have mentioned me. If it is possible, can you make the comment public?
Thanks,
Samprit Das
Comment 27•3 years ago (Assignee, Geoff Brown [:gbrown])
I couldn't find a way to make the comment public, but I noticed "Credits" and added you there. Sorry, this is my first github security advisory; hopefully this does it!
Comment 28•3 years ago (Reporter)
> (In reply to Geoff Brown [:gbrown] from comment #27)
> I couldn't find a way to make the comment public, but I noticed "Credits" and added you there. Sorry, this is my first github security advisory; hopefully this does it!
No problem, and thanks. I have accepted the "Credits"; now my name is visible.
Comment 29•3 years ago (Reporter)
Hello Daniel Veditz,
Can you please tell me when the Description and References are going to be added on: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0637
Regards,
Samprit Das
Comment hidden (duplicate)
Comment 31•3 years ago (Reporter)
Hello Tom,
It's been more than 2 months since the CVE was assigned to my report, and the fix has also been deployed, but the Description and References have not been updated in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0637. Can you please tell me the estimated date for the update of the Description and References?
Regards,
Samprit Das
Comment 32•3 years ago (Reporter)
Hello Daniel,
It's going to be 3 months since the CVE was assigned to my report, and the fix has also been deployed, but the Description and References have not been updated in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0637. Can you please tell me the estimated date for the update of the Description and References?
Regards,
Samprit Das
Comment 33•3 years ago (Reporter)
And what about the hall of fame?
Comment 34•1 year ago
> (In reply to Samprit Das from comment #33)
> And what about the hall of fame?
You are listed in the first quarter of 2022: https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/#year-2022
The CVE information has been submitted, but the cve group is changing their format and I don't know yet if it's accepted
Comment 35•1 year ago
CVE-2022-0637 is published