Closed Bug 748105 Opened 13 years ago Closed 11 years ago

HTTP Parameter Pollution Vulnerability on www.mozilla.org

Categories

(www.mozilla.org :: Pages & Content, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: netfuzzerr, Unassigned)

Details

Attachments

(1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.8 (KHTML, like Gecko) Chrome/20.0.1105.2 Safari/536.8

Steps to reproduce:

Hello,

The Brazilian download page of Firefox is vulnerable to HPP attacks (https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf). That kind of flaw can allow the victim to be redirected to external websites while clicking on "Click aqui!" (Click Here!) to download Firefox.

Reproduce:

1. Open http://www.mozilla.org/pt-BR/download/?product=firefox-11.0%26product%3dtesting...&os=win&lang=pt-BR.
2. Click on the "Click Aqui!" link.
3. See that you are redirected to an error page.

To fix this, just escape "&" and "=" correctly.

Cheers,
Mario.
URL: feed:javascript
Attached file Testing...(Just works here) (obsolete)
Attachment #627506 - Attachment mime type: application/octet-stream → application/xhtml+xml
This is certainly a bug, but we will need to talk to developers to see if there are other parameters on that page that would make this a security issue if they were altered via GET. The sample you sent sends the user to an error page, but do you know of other parameters that can be altered that would introduce a vulnerability? I'm hesitant to mark it as "new" until a security issue exists. If not, we could move this to website bugs, non-security.
Also, for example, you could trick the user into downloading another product, but only one provided by Mozilla. This link below appears to be the download page for Firefox, but clicking "Click Here" causes the download to begin for Thunderbird. http://www.mozilla.org/pt-BR/download/?product=firefox-12.0%26product%3dthunderbird-13.0.1&os=win&lang=pt-BR
Attachment #627506 - Attachment is obsolete: true
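The two URLs in this thread (the reporter's `product=firefox-11.0%26product%3dtesting...` and Matt's `product=firefox-12.0%26product%3dthunderbird-13.0.1`) both rely on the same mistake: the page decodes the query string, then rebuilds the "Click aqui!" link by pasting the decoded value back into a URL, so the encoded `%26` and `%3d` become a live `&` and `=` and a second `product` parameter appears. The following is an added illustration, not mozilla.org's own code: a hypothetical link builder in both the naive and the hardened form, plus a check that a defender can run on a generated link to see how many `product` values a downstream handler would actually receive. The sample query string is the one from comment 3, embedded as constructed input.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample input: the query string from Matt's example, exactly as
# the browser sends it (%26 is an encoded '&', %3d an encoded '=').
REPORTED_QUERY = "product=firefox-12.0%26product%3dthunderbird-13.0.1&os=win&lang=pt-BR"

# Hypothetical allow-list of products the download page is willing to serve.
KNOWN_PRODUCTS = {"firefox-11.0", "firefox-12.0", "thunderbird-13.0.1"}


def build_link_vulnerable(query: str) -> str:
    """Naive builder: decoded values are concatenated straight back into a URL.

    parse_qs() already turned %26 into '&' and %3d into '=', so the rebuilt
    link now carries an injected second product parameter.
    """
    params = parse_qs(query)
    product = params.get("product", [""])[0]
    os_name = params.get("os", [""])[0]
    lang = params.get("lang", [""])[0]
    return f"/download/start?product={product}&os={os_name}&lang={lang}"


def build_link_fixed(query: str) -> str:
    """Hardened builder: every value is re-encoded when the link is assembled.

    urlencode() percent-encodes '&' and '=' inside values, so whatever the
    user supplied stays a single literal product string.
    """
    params = parse_qs(query)
    fields = {key: params.get(key, [""])[0] for key in ("product", "os", "lang")}
    return "/download/start?" + urlencode(fields)


def products_in_link(link: str) -> list[str]:
    """What a downstream handler sees as the product parameter(s) of a link."""
    return parse_qs(urlsplit(link).query).get("product", [])


def link_is_clean(link: str) -> bool:
    """Defender's check: exactly one product, and it is on the allow-list.

    The allow-list catches the case even if encoding were ever skipped again,
    because the smuggled value is not a known product name.
    """
    products = products_in_link(link)
    return len(products) == 1 and products[0] in KNOWN_PRODUCTS


if __name__ == "__main__":
    bad = build_link_vulnerable(REPORTED_QUERY)
    good = build_link_fixed(REPORTED_QUERY)
    print("vulnerable link:", bad, "->", products_in_link(bad), link_is_clean(bad))
    print("fixed link:     ", good, "->", products_in_link(good), link_is_clean(good))
```

With the naive builder the generated link parses back to two `product` values, and a handler that takes the last one serves Thunderbird from what looks like a Firefox page; with `urlencode` the same input yields one (meaningless) product value, and the allow-list check rejects it instead of silently switching products.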
Nope, there is no param that allows redirect to www.evil.com.

(In reply to Matt Fuller from comment #2)
> This is certainly a bug, but we will need to talk to developers to see if
> there are other parameters on that page that would make this a security
> issue if they were altered via GET. The sample you sent sends the user to an
> error page, but do you know of other parameters that can be altered that
> would introduce a vulnerability?
>
> I'm hesitant to mark it as "new" until a security issue exists. If not, we
> could move this to website bugs, non-security.
Thank you - I'm going to CC a webdev working on the Brazil site and hopefully he can take a look at it. Otherwise, I do not believe this to be a security issue (although it could have been if other parameters were used). Thank you for reporting.
Group: websites-security
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
Mario: stop playing with bmo to try to find security issues! You are spamming a lot of people. We already warned you several times to test Bugzilla elsewhere. Thank you!
It's not pt-BR specific, ftr... There are other locales (except for en-US) with this issue as well.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Group: mozilla-corporation-confidential
raymond, please unmark this as mozilla-corporation-confidential. Matt already decided that this was just a bug and not directly a security issue. In general, group settings like mozilla-corporation-confidential should not be used for security-related things.
Just unchecked it - sorry, forgot to remove it a while ago when we determined it was a bug and not a security risk. Matt
Group: mozilla-corporation-confidential
Mario, if you are testing bugzilla, can you please use landfill? Unless comment 10 is somehow related to the bug which it doesn't appear to be. Thanks, Matt
No longer blocks: mozorg-redirects
Component: General → Pages & Content
I'm not able to reproduce it anymore.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME