Closed Bug 1756990 Opened 3 years ago Closed 3 years ago

support.mozilla.org allows extracting request information from readers/visitors by posting comments/threads containing `<img src` tags pointing to arbitrary hosts

Categories

(support.mozilla.org :: Forum, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: khageshwarjoshi03, Assigned: tasos)

References

Details

(Keywords: reporter-external, sec-low, wsec-injection)

Attachments

(2 files)

Attached video 2022-02-24 19-10-14.mp4

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0

Steps to reproduce:

  1. Visit the 'iplogger.org' website and log in there, then in the invisible image section click on Get_ip_logger_code.

  2. Copy those links, go to the website https://support.mozilla.org/en-US/forums/contributors/ and click on 'post a new thread'.

  3. Add a title and in the body section enter

<img src='your_ip_logger_image_src' />

and post that topic.

  4. Refresh the page and check the logs in your IP logger; you will see your IP and current location. Whenever anyone visits this thread, you will get their IP, exact location and more information in your IP logger.

If you require any further information, please feel free to get back to me.

Actual results:

Summary:

This vulnerability allows an attacker to fetch the user's IP address, the country and region they live in, and the ISP they use.

This vulnerability can be found in places where you have an option to include photos using an img tag while creating a new thread in the discussion section.

Impact

As you can see, an attacker is able to get sensitive information from the user. An attacker can also keep a record of who is visiting your site and where your users are from. I researched the community sections of a lot of big companies; they load images via their company IP, not via the user's IP.

Expected results:

Mitigation

Load the image via the company's IP only, not via the user's IP, or require admin approval before a comment is posted publicly.

Frida, can you put this in front of the right people? Thank you.

Group: firefox-core-security → websites-security
Component: Untriaged → Forum
Flags: needinfo?(fkiriakos)
Product: Firefox → support.mozilla.org
Summary: vulnerability that steals users data → support.mozilla.org allows extracting request information from readers/visitors by posting comments/threads containing `<img src` tags pointing to arbitrary hosts
Version: Firefox 97 → unspecified

will do, thanks.

Flags: needinfo?(fkiriakos)

Hello,

Thank you for your report. I will check with the team responsible for this service to get their input.

Thanks,
Frida

Hello Leo,

Can you please take a look at this issue? Do we intentionally allow HTML to be included in the post description?

Thanks,
Frida

Flags: needinfo?(lmcardle)

Sorry for the interruption. As far as I know, we can insert an img tag in the post description on your platform. But that is not a concern for this bug, because every other big company also includes the feature of including an absolute URL of an image. But either they generate a new link for that image, or they request that image through their own IP address instead of the user's IP address.

Thanks.

Any update?

I have requested information from the engineering team and waiting for them to look into the issue.

Thanks,
Frida

Flags: needinfo?(lmcardle)

Hello Tasos,

Can you please take a look at this bug?

Thanks,
Frida

Flags: needinfo?(tasos)
Status: UNCONFIRMED → NEW
Ever confirmed: true

While looking into other bugs, I learned that comments with HTML are marked for moderation to prevent this type of issue, so I tried to reproduce the issue and my comment with the img tags was not flagged for moderation. I am curious why this URL is not being caught by the filter.

Assignee: nobody → tasos
Flags: needinfo?(tasos)

I opened a PR to introduce CSP headers into the project. I suspect this PR will help with a few other related bugs.
https://github.com/mozilla/kitsune/pull/5098
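The two defences discussed above, a moderation filter for user HTML and a CSP img-src directive, come down to the same question: would a given <img src> be fetched from a host the site trusts? The following is an added illustration, not Kitsune's code and not from the linked PR; the policy string, the site origin tuple and every host name in it are constructed placeholders, and the "*.avatars.example" entry stands in for whatever avatar host the real policy would need to allow.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy and site origin: placeholders, not the real support.mozilla.org CSP.
SITE_ORIGIN = ("https", "support.mozilla.org")
IMG_SRC_POLICY = "'self' https://*.avatars.example"

# Constructed post body: one image from an outside host, one served by the site itself.
SAMPLE_POST = ("<p>Need help with sync.</p>"
               "<img src='https://iplogger.example/2abc.png' />"
               '<img src="/media/uploads/screenshot.png">')

class _ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> start tag in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources += [v for k, v in attrs if k == "src" and v]

def img_sources(html):
    parser = _ImgSrcCollector()
    parser.feed(html)
    return parser.sources

def src_allowed(src, policy, site_origin):
    """True if an <img src> value is permitted by the img-src directive `policy`."""
    url = urlparse(src)
    if not url.scheme and not url.netloc:        # relative URL resolves to the site's own origin
        return "'self'" in policy.split()
    for source in policy.split():
        if source == "'self'":
            matched = (url.scheme, url.netloc.lower()) == site_origin
        elif source.endswith(":"):               # scheme-source, e.g. "https:"
            matched = url.scheme == source[:-1]
        else:                                    # host-source: optional scheme, optional "*." label
            scheme, _, rest = source.rpartition("://")
            host = rest.split("/", 1)[0].rsplit(":", 1)[0].lower()
            matched = (not scheme or scheme == url.scheme) and (url.hostname == host or (
                host.startswith("*.") and (url.hostname or "").endswith(host[1:])))
        if matched:
            return True
    return False

def blocked_images(post_html, policy=IMG_SRC_POLICY, site_origin=SITE_ORIGIN):
    """Image URLs the policy would block; a non-empty list means hold the post for moderation."""
    return [s for s in img_sources(post_html) if not src_allowed(s, policy, site_origin)]
```

Running the same check server-side at post time lets the moderation queue catch the external image before the browser ever has to enforce the header, while the header still protects readers if the filter misses a variant.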

Hello team,

I just want to know, is this report eligible for a bounty?

Thanks

Flags: sec-bounty?

I flagged the report for bounty consideration. Once the issue is fixed, the bug bounty panel will discuss and decide on the bounty.

Thanks,
Frida

Status: NEW → ASSIGNED
Attached image csp community.png

Seems like these changes have caused some regressions in stage, concerning broken images, in particular the FxA avatar image.
About every page gets the console message "Content Security Policy: The page’s settings blocked the loading of a resource at [example location]" or some variety of it when the user is signed in or in the case of external links.
Some of the areas where this is also visible on the UI side:
https://support.allizom.org/en-US/messages
https://support.allizom.org/en-US/community/search?q=straw%2B73

CSP has been added to the project and released in prod.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

Any update about the bounty?

Thanks

Thank you for reporting this issue to us. Now that the issue is fixed, the bug bounty team will be reviewing your report over the upcoming weeks to decide on the award (if any) Mozilla will be granting for this report. It may take up to 3 weeks, but know that we've not forgotten this ticket; we have a tracking system and a review cadence that will ensure that all potentially bounty-eligible reports get reviewed and acted on.

(In reply to orionjoshi123 from comment #11)

I just want to know, is this report eligible for a bounty?

This bug does not match any of the categories covered by our bug bounty program, but we are awarding a Hall of Fame mention for your help in keeping our users' personal information safer.

Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-

extracting personal information of users still no bounty lol.

Hello,

Please refer to comment 17, which explains our decision. If you still need to discuss the bounty, please send us an email at security@mozilla.org explaining why this report should be awarded.

In the meantime, please let us know how you would like to be mentioned on the hall of fame.

Thanks,
Frida

I would like to be mentioned as Orion Joshi (https://www.linkedin.com/in/orionjoshi/)

Group: websites-security

Hello Team,

Does Mozilla update the hall of fame at the end of every year, or ...?

Thanks

Hello,

We update the hall of fame at the end of each quarter.

Thanks,
Frida

Hello Team,
Any update on HOF?

Unfortunately, we still did not get a chance to update HoF for last quarter. We will try our best to update the site as soon as we can.

Thank you for your patience.

Hi Team,
Thank you for the HOF, but I requested to be listed as Orion Joshi (https://www.linkedin.com/in/orionjoshi/) and it shows orionjoshi123. Can you please put exactly what I requested, with the social media link?

Thanks and regards

Thanks for letting us know; we will fix this.

Thanks,
Frida
