Closed Bug 619467 Opened 14 years ago Closed 14 years ago

Arbitrary PHP Execution / XSS on support.mozilla.com

Categories

(support.mozilla.org :: Knowledge Base Software, task)

Product:
support.mozilla.org
Component:
Knowledge Base Software
Type:
task
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: neal, Assigned: paulc)

References

(
URL
)

Details

(Keywords: wsec-xss, Whiteboard: [infrasec:xss][infrasec:osinject][ws:critical])

Attachments

(1 file)

Favicon with PHP/XSS
322 bytes, image/gif
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier: 

I discovered that it is possible to upload arbitrary PHP scripts to support.mozilla.com using image upload facilities. A malicious PHP script can be embedded in the "comments" of a GIF: the file itself will be a valid GIF but the PHP parser will treat the code inside it as valid.

My first attempt was to upload a file via the profile image upload system: I was able to upload a file with a .php extension (I shouldn't be allowed to do that). However, the system converts files from GIF to JPEG, which wiped out my comments. I didn't take the time to see if there was a way to get around that system.

My next (and successful) attempt was via the "Add an image to a question" functionality. I submitted a POST to https://support.mozilla.com/en-US/upload/image/questions.Question/770771 containing a malicious but valid GIF file (favicon12345.php) with embedded PHP (<?php passthru('whoami') ?>). The file also included a simple XSS test (<script>alert('a')</script>). To my surprise, the file uploaded without any issues and I could browse to it and see the results (an alert box and "apache" in the text of the GIF). It would be trivial for me to turn this exploit into a remote shell into the system (replace 'whoami' with $_GET['c'] in the example above)

Reproducible: Always

Steps to Reproduce:
1. Find GIF file
2. Use Imagemagick or similar utility to add PHP code
3. Rename file to end in .php
4. Upload to support.mozilla.com
5. Browse to the file directly, see code execution
Investigating issue
Whiteboard: [infrasec:xss][ws:critical]
Status: UNCONFIRMED → NEW
Component: Forum → Knowledge Base Software
Ever confirmed: true
QA Contact: forum → kb-software
Whiteboard: [infrasec:xss][ws:critical] → [infrasec:xss][infrasec:osinject][ws:critical]
The media gallery feature is also vulnerable. I uploaded the same proof of concept: https://support.mozilla.com/media/uploads/gallery/images/favicon.php
Severity: critical → blocker
Priority: -- → P1
We don't need to execute PHP anymore, can we just remove mod_php?
This should be fixed now.

(In reply to comment #3)
> We don't need to execute PHP anymore, can we just remove mod_php?

That depends on if those machines are completely dedicated to SUMO or not, I would think...
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Neal, can you upload the gif you used?
Attached image Favicon with PHP/XSS 
You can use the Imagemagick CLI to generate your own malicious image using the following command:

convert -comment "HTML/PHP GOES HERE" /path/to/src /path/to/dest

e.g.
convert -comment "<script>alert('a')</script> <?php passthru('whoami') ?>" favicon.ico favicon.jpeg
Reopening, as clyon wants to see if there's anything that can be done at the SUMO app level to better resolve this, even though apache config options are handling it at the server level for now. For one, why are files with .php allowed to be uploaded?
Severity: blocker → major
Status: RESOLVED → REOPENED
Priority: P1 → --
Resolution: FIXED → ---
Yeah, it should be fixed on the client side as well, so it isn't vulnerable if someone else uses the code. I didn't notice this bug was filed against SUMO and not ServerOps.
/me comments on wrong bug. Ignore comment 8!
(In reply to comment #4)
> This should be fixed now.

That "fix" refers to bug 619477 comment 3, which addresses the server-side execution and should address client-side execution, or most of it.

> (In reply to comment #3)
> > We don't need to execute PHP anymore, can we just remove mod_php?
> 
> That depends on if those machines are completely dedicated to SUMO or not, I
> would think...

The sumo cluster (pm-app-sumo0*) is dedicated, yes.

We are currently writing fixes for all image upload paths that will:
* restrict accepted files to images with allowed extensions, and
* pull the binary image data out of the image and resave the file.
(In reply to comment #10)
> We are currently writing fixes for all image upload paths that will:
> * restrict accepted files to images with allowed extensions, and
> * pull the binary image data out of the image and resave the file.

Sounds great! Will these be middleware/commonware type things that can be reused by multiple apps?
Assignee: nobody → james
Status: REOPENED → ASSIGNED
(In reply to comment #11)
> Sounds great! Will these be middleware/commonware type things that can be
> reused by multiple apps?

For today we're just solving this issue. We'll look at pulling it out later.
I downloaded the attachment. I uploaded it into the gallery on master using Live HTTP headers. I saw 'http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchABGL6ABCC-gAQyBT4AAQAB

GET /safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchABGL6ABCC-gAQyBT4AAQAB HTTP/1.1
Host: safebrowsing-cache.google.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9,fr-FR;q=0.7,fr;q=0.6,it-IT;q=0.4,it;q=0.3,en;q=0.1
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: PREF=ID=d3768c14a6311ba9:U=a3649977ab0c4198:FF=0:TM=1292284892:LM=1292355620:S=wJZDomcXFjfbdW0P; NID=41=JlJbZ_skBNqpfSzbwvmsGrRAwHKz7ZIaMU9he62kwd5Pmbih5gvdHlktV4cZJ4tr2fPPVtlj5_w7fsAlNIi_nIcAJ4mxdWYaTvkau_HXh916LTiOtwOYnv36fCru0mMb; SID=DQAAAKsAAAC6jIpW7VAva5qoVoB7CaRejuqprJxjKPKnrk3d16no4fNZcDnyLbD8ggBR417nsxaPAb9mhQxdcWaw5gqbhVr_5qOrtMOyUSefTcnCqRIgdq4QxItIpFwCMjRFi1u7QRBfoeSS4RNRfoNQhZ2pCfTAZnQ3wYgMRv6h62wXAWuCf3WNuPt3t7plC2jlTjknqPiFtxYju-ElLw7yfa0E-QmZ7-obSRoqOYXetPB1N-0qRg; HSID=AMgJudsZFIS8zZn-j
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/vnd.google.safebrowsing-chunk
X-Content-Type-Options: nosniff
Date: Thu, 16 Dec 2010 03:49:38 GMT
Server: Chunked Update Server
Content-Length: 40
X-XSS-Protection: 1; mode=block'

I'm guessing this is sufficient to check- but please let me know if other steps should be taken. If not, please resolve and I'll mark it as verified.
I don't think the Safebrowsing stuff is related, but I can confirm that I'm not able to upload a file with a .php extension anymore (I tested it using LiveHTTPHeaders as well).
yep, this issue is resolved, I think we do want to see a few more things done but for the most part, we are good. 

@james, can we close this and open separate bugs for the items we have discussed? Just want to make sure that we don't forget.
Chris: I filed bug 619629, and we already had bug 596116 for renaming uploaded files.

IIRC from what James said, this bug and those other 2 cover the main things you mentioned.

Closing this bug.
Assignee: james → paulc
Status: ASSIGNED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2.4.1
Status: RESOLVED → VERIFIED
The reporter has asked about whether he can disclose this bug now. The fix has been deployed so it appears OK, but paulc filed a couple of dependent bugs (comment 18) so maybe there's more work we'd like to do before potentially putting people at risk from related bugs.
That's me: thanks for the clarification :)
I'd wait another day, we're pushing a minor security fix today (bug 619603). However, the important part was making sure the server sets proper mime type headers, and mcoates says we don't have any other pressing related issue at this time.

I'd like to wait until tomorrow to disclose this.
Please, take as long as you need. I'm not in any hurry: I asked the question because I didn't want to step on anyone's toes by mentioning the vulnerability before people were ready for it to be disclosed. :)
I think we're probably OK to disclose this now, the fix is live and has been. Though I'd be even happier to do it if bug 619603 was verified.
Group: websites-security
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Flags: sec-bounty+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: