support.mozilla.org allows extracting request information from readers/visitors by posting comments/threads containing `<img src` tags pointing to arbitrary hosts
Categories: support.mozilla.org :: Forum, defect
Tracking: Not tracked
People: Reporter: khageshwarjoshi03, Assigned: tasos
Keywords: reporter-external, sec-low, wsec-injection
Attachments: 2 files
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Steps to reproduce:
- Visit the 'iplogger.org' website and log in there, then in the invisible image section click on Get_ip_logger_code.
- Copy those links and go to the website https://support.mozilla.org/en-US/forums/contributors/ and click on 'post a new thread'.
- Add a title and in the body section enter
<img src='your_ip_logger_image_src' />
and POST that topic.
- Refresh the page and check the logs in your IP logger; you will get your IP and current location. Whenever anyone visits this thread you will get their IP, exact location and more information in your IP logger.
If you require any further information, please feel free to get back to me.
Actual results:
Summary:
This vulnerability allows an attacker to fetch the user's IP address, the country they live in, their region, and what ISP they use.
This vulnerability can be found in the places where you have an option to upload photos using the img tag while creating a new thread in the discussion section.
Impact
As you can see, an attacker is able to get sensitive information from the user. An attacker can also trace the record of who is visiting your site and where your users belong. I researched a lot of big companies' community sections; they load the image via their company IP, not via the user's IP.
Expected results:
Mitigation
The image load request should be made by the company IP only, not using the user IP. Or users need admin approval before a comment is posted publicly.
Comment 1•3 years ago
Frida, can you put this in front of the right people? Thank you.
Comment 3•3 years ago
Hello,
Thank you for your report. I will check with the team responsible for this service to get their input.
Thanks,
Frida
Comment 4•3 years ago
Hello Leo,
Can you please take a look at this issue? Do we intentionally allow HTML to be included in the post description?
Thanks,
Frida
Comment 5•3 years ago
Sorry for the interruption. As far as I know, in the post description we can insert the img tag in your platform. But it is not a concern for this bug, because every other big company also includes the feature of including an absolute URL of an image. But either they have generated a new link for that image or they are requesting that image through their own IP address instead of the user's IP address.
Thanks.
Comment 6•3 years ago
Any update?
Comment 7•3 years ago
I have requested information from the engineering team and am waiting for them to look into the issue.
Thanks,
Frida
Comment 8•3 years ago
Hello Tasos,
Can you please take a look at this bug?
Thanks,
Frida
Comment 9•3 years ago
While looking into other bugs, I learned that comments with HTML are marked for moderation to prevent this type of issue, so I tried to reproduce the issue, and my comment with the img tags was not flagged for moderation. I am curious why this URL is not being caught by the filter.
Comment 10•3 years ago
I opened a PR to introduce CSP headers into the project. I suspect this PR will help with a few other related bugs.
https://github.com/mozilla/kitsune/pull/5098
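A defender-side check for the forum path described in the report's mitigation section and in comments 9 and 10, as an added example that is not Kitsune's code: it holds posts that embed images from hosts outside an allowlist for moderation, and builds the CSP img-src directive that makes the browser refuse such loads as a second layer. The allowlist and the logger.invalid hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the forum is allowed to load images from (constructed allowlist,
# not Kitsune's real configuration).
ALLOWED_IMAGE_HOSTS = {"support.mozilla.org"}


class _ImgSrcCollector(HTMLParser):
    """Collect the src of every <img>, whether the tag is written as
    <img src="..."> or <IMG SRC='...' /> or left unquoted; a regex on
    '<img src="' would miss the single-quoted form used in the report."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lowercases tag and attribute names
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def external_image_sources(body, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Return img src values that a reader's browser would fetch from a
    third-party host. Relative paths resolve to our own origin and
    data: URLs never leave the browser, so neither leaks the reader's IP;
    absolute and protocol-relative (//host/...) URLs are checked."""
    parser = _ImgSrcCollector()
    parser.feed(body)
    external = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for relative and data: URLs
        if host and host not in allowed_hosts:
            external.append(src)
    return external


def needs_moderation(body):
    """True when a post embeds an image from outside the allowlist and
    should be held for review instead of going live immediately."""
    return bool(external_image_sources(body))


def csp_img_directive(allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """The CSP img-src directive for the response header: even if a post
    slips past moderation, the browser refuses to load the third-party image."""
    return "img-src 'self' " + " ".join(sorted(allowed_hosts))
```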
Comment 11•3 years ago
Hello team,
I just want to know: is this report eligible for a bounty?
Thanks
Comment 12•3 years ago
I flagged the report for bounty consideration. Once the issue is fixed, the bug bounty panel will discuss and decide on the bounty.
Thanks,
Frida
Comment 13•3 years ago
Seems like these changes have caused some regressions in stage concerning broken images, in particular the FxA avatar image.
Almost every page gets the console message "Content Security Policy: The page's settings blocked the loading of a resource at [example location]" or some variety of it when the user is signed in, or in the case of external links.
Some of the areas where this is also visible on the UI side:
https://support.allizom.org/en-US/messages
https://support.allizom.org/en-US/community/search?q=straw%2B73
Comment 14•3 years ago
CSP has been added to the project and released in prod.
Comment 15•3 years ago
Any update about the bounty?
Thanks
Comment 16•3 years ago
Thank you for reporting this issue to us. Now that the issue is fixed, the bug bounty team will be reviewing your report over the upcoming weeks to decide on the award (if any) that Mozilla will be granting for this report. It may take up to 3 weeks, but know that we've not forgotten this ticket; we have a tracking system and a review cadence that will ensure that all potentially bounty-eligible reports get reviewed and acted on.
Comment 17•3 years ago
(In reply to orionjoshi123 from comment #11)
> I just want to know: is this report eligible for a bounty?
This bug does not match any of the categories covered by our bug bounty program, but we are awarding a Hall of Fame mention for your help in keeping our users' personal information safer.
Comment 18•3 years ago
Extracting personal information of users, and still no bounty, lol.
Comment 19•3 years ago
Hello,
Please refer to comment 17, which explains our decision. If you still need to discuss the bounty, please send us an email at security@mozilla.org explaining why this report should be awarded.
In the meantime, please let us know how you would like to be mentioned on hall of fame.
Thanks,
Frida
Comment 20•3 years ago
I would like to be mentioned as Orion Joshi
(https://www.linkedin.com/in/orionjoshi/)
Comment 21•3 years ago
Hello Team,
Does Mozilla update the hall of fame at the end of every year, or ...?
Thanks
Comment 22•3 years ago
Hello,
We update the hall of fame at the end of each quarter.
Thanks,
Frida
Comment 23•2 years ago
Hello Team,
Any update on the HOF?
Comment 24•2 years ago
Unfortunately, we still did not get a chance to update HoF for last quarter. We will try our best to update the site as soon as we can.
Thank you for your patience.
Comment 25•2 years ago
Hi Team,
Thank you for the HOF, but I requested to put Orion Joshi (https://www.linkedin.com/in/orionjoshi/), and there it says orionjoshi123. Can you please put exactly what I have requested, with the social media link?
Thanks and regards
Comment 26•2 years ago
Thanks for letting us know, we will fix this.
Thanks,
Frida