This URL contains a double slash // and the login form on Bugzilla redirects me outside bugzilla.org, in my case paul.fr (but I suspect it depends on your locale, in my case: french). Discussing with CTho on #developers, it looks like the login and password have been sent to paul.fr instead of landfill.bugzilla.org, meaning that they have now my admin login and password for our QA installations. I'm using Fx 188.8.131.52 20060111.
Reproduced on XP trunk SeaMonkey, updating OS/Version. "paul" doesn't resolve to anything for me though, so data I enter goes nowhere and I just get an error page.
Created attachment 209980 [details] http log gavin asked me to attach my http log while reproducing the problem.
As far as I can tell, this isn't a bug. You are ending up at paul.fr because that's what "paul" ends up being, after being passed through the keyword protocol handler (you should get the same result typing just "paul" in the address bar). None of the submitted data is actually being forwarded to the keyword result, as far as I can tell. You can test this by setting keyword.url to something like "http://gavinsharp.com/tmp/echo.php?keyword=", which just echoes passed in data, and following the same steps to reproduce. Without the data being passed, this bug is essentially just "you get redirected unexpectedly", and there are existing bugs on not redirecting to keyword.url for things not explicitly typed in the URL bar (bug 310826?).
OK, so feel free to INVALIDate this bug.
Created attachment 209985 [details] a testcase This testcase doesn't involve keywords, and does send gavin your password.
Is this a landfill bug in the way it handles multiple installations? The form action is derived from the URL. If you don't specify the double-slash and visit the intended http://landfill.bugzilla.org/paul/ then the form action is "/paul/index.cgi" which logs into landfill. If you use the double-slash it's copied into the form action making 'paul' a hostname. Landfill should do some sanity-checking when generating the form action, or specify the complete url. Why is this filed as a networking bug? It looks like Gecko is doing exactly what the page is telling it to do (submit the form to "paul").
(In reply to comment #6) > Why is this filed as a networking bug? It looks like Gecko is doing exactly > what the page is telling it to do (submit the form to "paul"). I think the question is, is treating // as http:// instead of / a good decision from a security perspective? Presumably bugzilla isn't the only software in the world that fails to strip double-slashes.
The problem is not specific to landfill, it affects *all* Bugzilla installations. The problem is that template/en/default/account/auth/login-small.html.tmpl uses: <form name="login" action="[% cgi.script_name FILTER html %]" method="POST"> so when you enter //foo, you get action="//foo/index.cgi" which redirects you outside your Bugzilla installation with your login and password. It could as well be a bug in CGI.pm itself. Anyway, Bugzilla should probably use Param('urlbase').
Either comment 7 is a WONTFIX and I move this bug in the Bugzilla product or I open a new bug for Bugzilla. dveditz?
bug 325079 has been opened to fix the bug in Bugzilla (affects versions >= 2.20).
(In reply to comment #7) > I think the question is, is treating // as http:// instead of / a good decision > from a security perspective? It's in the spec (rfc 2396 section 5): "A relative reference beginning with two slash characters is termed a network-path reference, as defined by <net_path> in Section 3. Such references are rarely used." We can decide they're bad news but we'll be breaking some unknown number of sites. IE does the same so "fixing" Gecko doesn't solve the bugzilla problem.
So given the that this is correct per the spec, and that exploiting it requires that the server uses the "script name" as a form action attribute in addition to having a URL-like path to the script, I think this is INVALID.
*** This bug has been marked as a duplicate of 325079 ***
This bug this is a duplicate of has now had a security advisory issued. http://www.bugzilla.org/security/2.18.4/ (issue #3) Removing the security flag.