Allowing redirect to external site using network-path reference (signin?return=//example.com)

Status: VERIFIED FIXED

Product: Websites Graveyard
Component: getpersonas.com
Reported: 7 years ago
Modified: 4 years ago

People

(Reporter: Jan Moesen, Assigned: Barry Chen)

Tracking

Version: unspecified
Bug Flags: sec-bounty+

Details

(Whiteboard: [infrasec:input][ws:high], URL)

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b9pre) Gecko/20101218 Firefox/4.0b9pre
Build Identifier: 

A GetPersonas.com user can be tricked into going to an external site by using a scheme-less value for the "return" parameter.

For instance, example.com/signin hosts a copy of the GetPersonas.com sign-in page, but claims the password was incorrect and steals the user's credentials on his/her subsequent sign-in attempt.

Background: http://tools.ietf.org/html/rfc3986#section-4.2

Reproducible: Always

Updated

7 years ago
Whiteboard: [ws:need triage]
Whiteboard: [ws:need triage] → [infrasec:input][ws:moderate]
The POC does not appear to work in FF3.6 or FF4b8.

https://www.getpersonas.com/en-US/signin?return=%252F%252Fgoo.gl

Can you revisit and provide steps to reproduce this issue?
Whiteboard: [infrasec:input][ws:moderate] → [infrasec:input][ws:moderate] need info
Whiteboard: [infrasec:input][ws:moderate] need info → [infrasec:input][ws:need triage]
Duplicate of this bug: 624823
Confirmed. This issue is pervasive throughout getpersonas.

The fundamental problem here is accepting and trusting user data from the "return" parameter.
Whiteboard: [infrasec:input][ws:need triage] → [infrasec:input][ws:high]
You can see what we did for remora at http://viewvc.svn.mozilla.org/vc/addons/trunk/site/app/controllers/users_controller.php?view=markup#l320 although it sounds like the problem here is that it isn't prepending the hostname.
Assignee: nobody → chenba
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Comment 6

7 years ago
Created attachment 506347 [details] [diff] [review]
prevent redirect to external site with 'return' param on log in/out

Remove whitespace and disallow // in the 'return' param.
Attachment #506347 - Flags: review?
(Assignee)

Comment 7

7 years ago
Created attachment 506348 [details] [diff] [review]
prevent redirect to external site with 'return' param on log in/out

This patch removes whitespace for real.
Attachment #506347 - Attachment is obsolete: true
Attachment #506348 - Flags: review?
Attachment #506347 - Flags: review?
Attachment #506348 - Flags: review? → review?(telliott)
Attachment #506348 - Flags: review?(telliott) → review+
(Assignee)

Comment 8

7 years ago
Committed @ r81656
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Comment 9

7 years ago
Hi Jan,

Please check e-mail from chofmann@mozilla.com for bounty information on this bug.
Duplicate of this bug: 630450
First case from bug 630450:

[15:45:49.770] GET https://personas.stage.mozilla.com/en-US/signin?action=signout&return=//www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards [HTTP/1.1 302 Found 70ms]
[15:45:49.841] GET https://personas.stage.mozilla.com/?signout_success=1 [HTTP/1.1 302 Found 20ms]
[15:45:49.872] GET https://personas.stage.mozilla.com/en-US/?signout_success=1 [HTTP/1.1 200 OK 16ms]

Second case from bug 630450:

[15:49:14.989] GET https://personas.stage.mozilla.com/en-US/signin?return=//attacker.in [HTTP/1.1 200 OK 20ms]
[15:49:19.480] POST https://personas.stage.mozilla.com/en-US/signin [HTTP/1.1 302 Found 18ms]
[15:49:19.556] GET https://personas.stage.mozilla.com/ [HTTP/1.1 302 Found 27ms]
[15:49:19.621] GET https://personas.stage.mozilla.com/en-US/ [HTTP/1.1 200 OK 85ms]

Verified FIXED.
Status: RESOLVED → VERIFIED
Created attachment 508928 [details]
Post-fix screenshot

Updated

7 years ago
Duplicate of this bug: 631389

Comment 14

7 years ago
The patch is incomplete. I recommend prepending a "/" to the return_url.

Testcase

https://personas.stage.mozilla.com/en-US/signin?action=signout&return=a:data:text/html,%3Chtml%3E%3Cscript%3Ewindow.location=%22http:!!www.mozilla.org%22.replace(/!/g,%22/%22)%3C/script%3E%3C/html%3E
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 15

7 years ago
Created attachment 509685 [details] [diff] [review]
prepend a / if the 'return' path does start with it

@dchan thanks
Attachment #509685 - Flags: review?(telliott)
Attachment #509685 - Flags: review?(telliott) → review+
(Assignee)

Comment 16

7 years ago
committed @ r82098
Status: REOPENED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Comment 18

7 years ago
Yes, the expected behavior is that the link does not redirect outside of getpersonas. The redirect happens to result in a 404 in this case.

Changing to VERIFIED
Status: RESOLVED → VERIFIED
Group: websites-security
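The three measures that the two patches on this bug combine (Comments 6 and 7 strip whitespace and refuse a `//` network-path reference; Comment 15 prepends a `/` so that a scheme-carrying value like the one in Comment 14 becomes a local path, which then 404s as Comment 18 describes) are gathered below into one `return`-parameter validator. This is an added illustration written in Python, not the getpersonas.com PHP patch or any of its code; `SITE_HOST`, `DEFAULT_RETURN` and the sample inputs are assumptions modelled on values quoted in the bug, and the backslash check in step 3 goes slightly beyond the page's patches.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical defaults for this illustration (not from the bug's patches).
SITE_HOST = "www.getpersonas.com"
DEFAULT_RETURN = "/en-US/"


def safe_return_path(value: Optional[str], default: str = DEFAULT_RETURN) -> str:
    """Turn a user-supplied 'return' parameter into a same-origin path.

    Mirrors the fixes on the bug: strip whitespace and refuse a
    network-path reference ("//host"), then force a leading "/" so that
    values carrying a scheme (such as "a:data:...") become a local path.
    Anything that could still name another origin falls back to the default.
    """
    if value is None:
        return default

    # Step 1 (attachment 506348): remove all whitespace, including
    # embedded newlines and tabs, before inspecting the value.
    cleaned = "".join(value.split())
    if not cleaned:
        return default

    # Remaining control characters have no place in a Location header.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cleaned):
        return default

    # Step 2 (attachment 509685): make sure the value starts with "/".
    if not cleaned.startswith("/"):
        cleaned = "/" + cleaned

    # Step 3: a second slash right after the first turns the value into a
    # network-path reference, so refuse it. Backslash is refused too because
    # browsers treat it like a slash; that part is an addition to the page.
    if len(cleaned) > 1 and cleaned[1] in "/\\":
        return default

    # Belt and braces: the result must parse as a bare path with no
    # scheme and no authority component.
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        return default
    return cleaned


def location_header(value: Optional[str]) -> str:
    """Build the absolute Location value a sign-in/sign-out handler would emit."""
    return f"https://{SITE_HOST}{safe_return_path(value)}"


if __name__ == "__main__":
    # Constructed inputs modelled on the cases quoted in the bug.
    samples = [
        "//www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards",
        "//attacker.in",
        " /\n/attacker.in",                 # whitespace hiding a network-path reference
        "a:data:text/html,<html></html>",   # scheme-carrying value as in Comment 14
        "/gallery/All",
        "",
    ]
    for s in samples:
        print(repr(s), "->", location_header(s))
```

The order of the steps matters: whitespace is removed before the `//` test so that a value split across a newline collapses into the form the test is looking for, and the leading `/` is added before the second-character check so that the check sees the final string rather than the raw input.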

Updated

5 years ago
Blocks: 835427
Component: getpersonas.com → getpersonas.com
Product: Websites → Websites Graveyard
Flags: sec-bounty+