Closed
Bug 628697
Opened 13 years ago
Closed 13 years ago
Directory Traversal / Local File Inclusion on addons.mozilla.org
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect, P1)
addons.mozilla.org Graveyard
Public Pages
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: neal, Assigned: clouserw)
References
()
Details
(Whiteboard: [infrasec:input][ws:critical])
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Build Identifier: app/controllers/pages_controller.php in the CakePHP code for AMO is vulnerable to a local file inclusion vulnerability. It takes user input via the query string to determine which template should be loaded. By injecting URL-encoded slashes and a URL-encoded null byte, it is possible to use arbitrary files on the filesystem as templates, echoing their content to the page. My proof of concept loads the /etc/passwd file for the AMO server. Reproducible: Always Steps to Reproduce: 1. Go to https://addons.mozilla.org/en-US/firefox/pages/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd%2500 2. See the contents of /etc/passwd
|
||
Updated•13 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Updated•13 years ago
|
Whiteboard: [ws:need triage]
|
|
||
Updated•13 years ago
|
Severity: critical → blocker
Priority: -- → P1
Whiteboard: [ws:need triage] → [infrasec:input][ws:critical]
|
||
Comment 1•13 years ago
|
||
Confirmed ability to view any system files. Password hashes are not exposed. The password file is shadowed and the shadow file is not viewable. Unclear if local php files would render. Need to find a local php file to test that.
|
Reporter | |
Comment 2•13 years ago
|
||
https://addons.mozilla.org/en-US/firefox/pages/..%252f..%252fconfig/config.php%2500 Displays nothing, indicating it is being parsed as PHP https://addons.mozilla.org/en-US/firefox/pages/..%252f..%252fviews/admin/serverstatus.thtml%2500 This is echoing out REVISION, indicating it is being parsed as PHP (which makes sense, since thtml files are PHP). I tried uploading a search XML file containing PHP inside of an HTML comment (<!-- <?php passthru('whoami') ?> -->) but I'm not sure where on the filesystem the file is actually being stored, so I couldn't execute it.
|
Assignee | |
Comment 3•13 years ago
|
||
Thanks for the bug report, this is fixed in r81567
Assignee: nobody → clouserw
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
|
||
Comment 4•13 years ago
|
||
Neal, Thanks again. You should see that the issue is fixed on the live servers. Front end caching may show you the stale data for a few minutes. You can append &a=b to the url to force new data. This bug will be submitted for bug bounty review.
|
|
Reporter | |
Comment 7•13 years ago
|
||
Looks good from here too! Thanks for such a speedy response. :)
|
|
||
Updated•13 years ago
|
Group: client-services-security
|
|
||
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
|
||
Updated•11 years ago
|
Flags: sec-bounty+
|
||
Updated•8 years ago
|
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•