Closed
Bug 748105
Opened 13 years ago
Closed 11 years ago
HTTP Parameter Pollution Vulnerability on www.mozilla.org
Categories
(www.mozilla.org :: Pages & Content, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: netfuzzerr, Unassigned)
Details
Attachments
(1 obsolete file)
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.8 (KHTML, like Gecko) Chrome/20.0.1105.2 Safari/536.8
Steps to reproduce:
Hello,
The Brazilian download page of Firefox is vulnerable to HPP attacks (https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf). That kind of flaw can allow the victim to be redirected to external websites while clicking on "Click aqui!" (Click Here!) to download Firefox.
Reproduce:
1. Open http://www.mozilla.org/pt-BR/download/?product=firefox-11.0%26product%3dtesting...&os=win&lang=pt-BR.
2. Click on "Click Aqui!" link.
3. See that you are redirected to an error page.
To fix this, just correctly escape "&" and "=".
Cheers,
Mario.
Reporter
Updated•13 years ago
URL: javascript:;
Reporter
Updated•13 years ago
URL: javascript:"</script/>"; → feed:
Reporter
Updated•13 years ago
URL: feed: → javascript
Reporter
Updated•13 years ago
URL: javascript'xss → javascript:'xss
Reporter
Comment 1•13 years ago
Reporter
Updated•13 years ago
Attachment #627506 - Attachment mime type: application/octet-stream → application/xhtml+xml
Reporter
Updated•13 years ago
URL: javascript:alert(1);
Comment 2•13 years ago
This is certainly a bug, but we will need to talk to developers to see if there are other parameters on that page that would make this a security issue if they were altered via GET. The sample you sent sends the user to an error page, but do you know of other parameters that can be altered that would introduce a vulnerability?
I'm hesitant to mark it as "new" until a security issue exists. If not, we could move this to website bugs, non-security.
Comment 3•13 years ago
Also, for example, you could trick the user into downloading another product, but only one provided by Mozilla. This link below appears to be the download page for Firefox, but clicking "Click Here" causes the download to begin for Thunderbird.
http://www.mozilla.org/pt-BR/download/?product=firefox-12.0%26product%3dthunderbird-13.0.1&os=win&lang=pt-BR
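An added example, not part of this bug thread and not Mozilla's code, of the flaw reported in the description and confirmed in comment 3: the decoded `product` value is copied into the download link without re-encoding "&" and "=". The endpoint `download.example` and all function names are assumptions.

```python
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit

# Hypothetical download endpoint; the real link target is not shown in the bug.
DOWNLOAD_BASE = "https://download.example/"
ALLOWED_KEYS = ("product", "os", "lang")

def page_params(page_url):
    """Decode the landing page's query string once, as a web framework would."""
    return dict(parse_qsl(urlsplit(page_url).query))

def build_link_vulnerable(params):
    # Decoded values are concatenated back into a query string unescaped,
    # so an embedded "&product=" becomes a second real parameter.
    return DOWNLOAD_BASE + "?" + "&".join(
        f"{k}={params[k]}" for k in ALLOWED_KEYS if k in params)

def build_link_fixed(params):
    # urlencode percent-encodes "&" and "=" inside each value.
    return DOWNLOAD_BASE + "?" + urlencode(
        [(k, params[k]) for k in ALLOWED_KEYS if k in params])

def effective_product(link, pick="last"):
    """Which 'product' a backend sees; first-wins or last-wins differs by platform."""
    values = parse_qs(urlsplit(link).query).get("product", [])
    return values[-1] if pick == "last" else values[0]

def is_polluted(link):
    """Detection check: any parameter name occurring more than once."""
    names = [k for k, _ in parse_qsl(urlsplit(link).query)]
    return len(names) != len(set(names))

# URL taken from comment 3 of this bug.
PAGE = ("http://www.mozilla.org/pt-BR/download/"
        "?product=firefox-12.0%26product%3dthunderbird-13.0.1&os=win&lang=pt-BR")

if __name__ == "__main__":
    p = page_params(PAGE)
    for build in (build_link_vulnerable, build_link_fixed):
        link = build(p)
        print(build.__name__, link, is_polluted(link), effective_product(link))
```

With the fixed builder the injected text stays inside a single `product` value, which a backend can then reject as an unknown product.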
Reporter
Updated•13 years ago
URL: javascript:alert(1);
Reporter
Updated•13 years ago
Attachment #627506 - Attachment is obsolete: true
Reporter
Comment 4•13 years ago
Nope, there is no param that allows a redirect to www.evil.com.
(In reply to Matt Fuller from comment #2)
> This is certainly a bug, but we will need to talk to developers to see if
> there are other parameters on that page that would make this a security
> issue if they were altered via GET. The sample you sent sends the user to an
> error page, but do you know of other parameters that can be altered that
> would introduce a vulnerability?
>
> I'm hesitant to mark it as "new" until a security issue exists. If not, we
> could move this to website bugs, non-security.
Comment 5•13 years ago
Thank you - I'm going to CC a webdev working on the Brazil site and hopefully he can take a look at it. Otherwise, I do not believe this to be a security issue (although it could have been if other parameters were used). Thank you for reporting.
Updated•13 years ago
Group: websites-security
Assignee
Updated•12 years ago
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
Reporter
Updated•12 years ago
URL: data:text/html,aaaaa
Comment 6•12 years ago
Mario: stop playing with bmo to try to find security issues! You are spamming a lot of people. We already warned you several times to test Bugzilla elsewhere. Thank you!
URL: data:text/html,aaaaa
Comment 7•12 years ago
It's not pt-BR specific, ftr... There are other locales (except for en-US) with this issue as well.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•12 years ago
Group: mozilla-corporation-confidential
Comment 8•12 years ago
raymond, please unmark this as mozilla-corporation-confidential. Matt already decided that this was just a bug and not directly a security issue.
In general, group settings like mozilla-corporation-confidential should not be used for security-related things.
Comment 9•12 years ago
Just unchecked it - sorry, forgot to remove it a while ago when we determined it was a bug and not a security risk.
Matt
Group: mozilla-corporation-confidential
Reporter
Comment 10•12 years ago
https://bugzilla.mozilla.org/jsonrpc.cgi/.html?method=User.get&params=<script>alert(1)</script>
Comment 11•12 years ago
Mario, if you are testing bugzilla, can you please use landfill? Unless comment 10 is somehow related to the bug which it doesn't appear to be.
Thanks,
Matt
Updated•12 years ago
Blocks: mozorg-redirects
Updated•11 years ago
No longer blocks: mozorg-redirects
Component: General → Pages & Content
Reporter
Comment 12•11 years ago
I'm not able to reproduce it anymore.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME