576428 - Disable Detailed Error Messages to Prevent Content Spoofing

Status: RESOLVED FIXED

(support.mozilla.org :: Mobile, task)

Description

[Michael Coates [:mcoates] (acct no longer active)]

Note: This bug addresses WH-3730375, WH-3735150 (same root cause
for both issues)

Issue

Content spoofing is possible by providing user controlled data to specific URL
variables at mobile.support.mozilla.com.  The user controlled data specified within the URL is displayed within the error message on the returned page. An attacker could craft a message which is displayed by the support page and instructs the user to visit a malicious external website.

Vulnerable Variables:
'offset'
https://mobile.support.mozilla.com/tiki-browse_freetags.php?locale=en-US&tag=url&find=&broaden=y&type=&offset=AttackerMessageHere

'maxRecords'
http://mobile.support.mozilla.com/tiki-orphan_pages.php?offset=0&sort_mode=lastModif_desc&initial=a&maxRecords=AttackerMessageHere

`offset'
http://mobile.support.mozilla.com/tiki-orphan_pages.php?offset=AttackerMessageHere&sort_mode=lastModif_desc&initial=a&maxRecords=10


Recommended Remediation

Modify the error handling page to simply display "An unexpected error has
occurred!" Remove the code which displays the specific URL variable and data
that caused the error.

Note: Hopefully this issue can be easily resolved by modifying the error
handling page for tiki-wiki. However, per bug 553099 comment 6, we do not want
to significantly delay the tiki-wiki migration with this issue if the
remediation requires extensive work.

Comment 1

[Michael Coates [:mcoates] (acct no longer active)]

'offset'
https://mobile.support.mozilla.com/tiki-forums.php?locale=en-US&offset=AttackerMessageHere&sort_mode=name_desc

Comment 2

[James Socol [:jsocol, :james]]

This code is gone.

Comment 3

[Will Kahn-Greene [:willkg] ET needinfo? me]

These bugs are all resolved, so I'm removing the security flag from them.