Closed Bug 1764723 Opened 3 years ago Closed 3 years ago

Bypass moderation check when posting images or links to external domain in support.mozilla.org

Categories

(support.mozilla.org :: General, defect)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: haxatron1, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Typically, users' messages have to undergo moderation when they post images to an external domain.

But it is possible to bypass this check by using a double backslash, which signifies a protocol-relative URI. (see https://en.wikipedia.org/wiki/Wikipedia:Protocol-relative_URL#:~:text=A%20protocol%2Drelative%20URL%20(PRURL,t%20support%20HTTPS%20at%20all.)

Payload:

<img src="\example.com">

Will cause requests to example.com (external domain)

As such, it is possible to bypass the moderation entirely and post a broken image to an external domain. This can be abused by attackers to collect IP address information from users.

Flags: sec-bounty?

<img src="\\example.com">

Yea sorry it should be

<img src="\\example.com">

The Bugzilla form escaped some of my backtick characters.

Hello,

Thank you for your report.

I can confirm that the HTML with <img src="\\example.com"> in the comment bypassed moderation.

Thanks,
Frida

Status: UNCONFIRMED → NEW
Type: task → defect
Component: Other → General
Ever confirmed: true
Product: Websites → support.mozilla.org

On further analysis, I found out that <img src="http://example.com"> also works. The reason the link filter is not picking up the external URL is that it is bugging out when there is a " at the end.

For example, posting the link http://example.com in plaintext will flag your comment for moderation,

but posting http://example.com" will defeat the allow-list link filter and cause it to render as a link.

Summary: Bypass moderation check when posting images to external domain in support.mozilla.org → Bypass moderation check when posting images or links to external domain in support.mozilla.org

Hello Tasos,

Can you please check this report? It is possible to bypass moderation by using \\example.com as the URL.

Thanks,
Frida

Flags: needinfo?(tasos)

The regex to moderate links was never designed as a solution to block all links but rather as a measure to discourage people from posting external links. Even if a link passes through, CSP will block any XSS attempt here. Because of these reasons, I am leaning towards marking this bug as WONTFIX. Please reopen if I misunderstood something here.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(tasos)
Resolution: --- → WONTFIX
Flags: sec-bounty? → sec-bounty-
Group: websites-security
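
An added example, not part of the bug thread and not the site's own code: a moderation check in Python that resolves every `src`/`href` value and bare URL the way a browser does (backslashes treated as slashes, protocol-relative references resolved against the page) before comparing hosts with an allow-list. The base URL, the allow-list, all function names and the `NAIVE` regex are assumptions; `NAIVE` is a hypothetical scheme-anchored filter that only reproduces the `\\example.com` miss, since the site's actual regex is not shown in the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BASE = "https://support.mozilla.org/"   # assumed: page the post is rendered on
ALLOWED = {"support.mozilla.org"}       # assumed allow-list of hosts
# Hypothetical stand-in for a scheme-anchored link filter (not the site's regex).
NAIVE = re.compile(r"https?://([\w.-]+)")
# Bare URLs in text: optional scheme, then two slashes or backslashes.
# Quotes end the match, so a trailing " cannot hide the host.
TEXT_URL = re.compile(r"(?:https?:)?[/\\]{2}[^\s<>\"']+", re.I)


def host_of(ref, base=BASE):
    """Resolve ref as a browser would and return the host it points at."""
    ref = re.sub(r"[\t\r\n]", "", ref.strip()).replace("\\", "/")
    return (urlsplit(urljoin(base, ref)).hostname or "").lower()


class _Refs(HTMLParser):
    """Collect src/href attribute values and bare URLs from text nodes."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        self.refs += [v for k, v in attrs if k in ("src", "href") and v]

    def handle_data(self, data):
        self.refs += TEXT_URL.findall(data)


def naive_external_hosts(post):
    """Hosts the stand-in regex would flag for moderation."""
    return {h.lower() for h in NAIVE.findall(post)} - ALLOWED


def external_hosts(post):
    """Hosts outside the allow-list that the rendered post would contact."""
    parser = _Refs()
    parser.feed(post)
    parser.close()  # flush buffered text so trailing bare URLs are seen
    return {host_of(r) for r in parser.refs} - ALLOWED - {""}
```

A post is held for moderation when `external_hosts(post)` is non-empty; relative links and same-site URLs resolve to the allowed host and pass.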