Bug 774085 - Password used to log in to bugzilla.mozilla.org is sent unencrypted

Status: RESOLVED INVALID (closed)
Opened: 13 years ago
Closed: 13 years ago
Product/Component: Bugzilla :: Bugzilla-General
Type: defect
Version: 4.0.6
Severity: normal
Reporter: eusebiu.blindu
Assignee: Unassigned

User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11

Steps to reproduce:
Enter username and password to log in to bugzilla.mozilla.org

Actual results:
I can steal the username and password if the user logs in to bugzilla.mozilla.org using my public proxy service or my public wifi network. The HTTP request looks like this:

    POST /index.cgi HTTP/1.1
    Host: bugzilla.mozilla.org
    Connection: keep-alive
    Content-Length: 97
    Cache-Control: max-age=0
    Origin: https://bugzilla.mozilla.org
    User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Referer: https://bugzilla.mozilla.org/
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Cookie: wtspl=101353; optimizelyEndUserId=oeu1342353431753r0.7629327399190515; optimizelyCustomEvents=%7B%22oeu1342353431753r0.7629327399190515%22%3A%5B%22Click%20Donate%20Now%22%5D%7D; optimizelyBuckets=%7B%2233162591%22%3A%2233168237%22%7D; VERSION-Websites=Firefox%206; WT_FPC=id=94.112.57.87-2463351648.30237312:lv=1342361616392:ss=1342361525950
    DNT: 1

    Bugzilla_login=eusebiu.blindu%40testalways.com&Bugzilla_password=Passwordx&GoAheadAndLogIn=Log+in

The last part shows the password used ("Passwordx").

Expected results:
The password should be encrypted (look at the Gmail login as an example).
bugzilla.mozilla.org is not available over HTTP, so all passwords should be sent over HTTPS. Are you suggesting that they are not, always? Your HTTP request mentions HTTPS... Gerv
It's not related to whether HTTP or HTTPS is used. (I can decrypt the HTTPS traffic if a user uses my public proxy.) But it's the body of the request that contains the password.
I actually own a public proxy server. I can set it up in 5 min, just let me know. Use that proxy server and log in, and I will tell you the username and password.

Note:
1) I can't do that for every web app, especially for the secure ones (gmail.com).
2) You could apply a minimal encoding to the request, at least hex or base64 (although those are easily recognizable formats).
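As an added example (not part of the bug thread and not Bugzilla's own code), the following Python parses a login request of the shape pasted in the report and pulls the credential fields out of the form body, which is exactly what anyone holding the plaintext sees: the client itself, or a proxy that the browser has been made to trust for TLS interception. It also round-trips the hex/base64 "encoding" suggested in the comment above, to show that such encoding is reversed without any key and so adds no confidentiality; only the TLS layer does. The sample request is constructed from the headers and the placeholder credential in the report, trimmed to the headers that matter; the function names are my own.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Constructed sample: same shape and same placeholder credential as the
# request pasted in the bug report, trimmed to the relevant headers.
# Content-Length 97 matches the body length exactly.
SAMPLE_REQUEST = (
    b"POST /index.cgi HTTP/1.1\r\n"
    b"Host: bugzilla.mozilla.org\r\n"
    b"Content-Length: 97\r\n"
    b"Origin: https://bugzilla.mozilla.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Referer: https://bugzilla.mozilla.org/\r\n"
    b"\r\n"
    b"Bugzilla_login=eusebiu.blindu%40testalways.com"
    b"&Bugzilla_password=Passwordx&GoAheadAndLogIn=Log+in"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and body.

    Header names are lower-cased because HTTP headers are case-insensitive;
    the body is truncated to Content-Length when that header is present.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {
        "method": method,
        "target": target,
        "version": version,
        "headers": headers,
        "body": body[:length],
    }


def login_fields(req: dict) -> dict:
    """Decode the application/x-www-form-urlencoded body into a flat dict.

    Percent-escapes (%40 -> @) and '+' (-> space) are undone here, which is
    all a plaintext observer has to do to read the submitted credential.
    """
    media_type = req["headers"].get("content-type", "").split(";")[0].strip()
    if media_type != "application/x-www-form-urlencoded":
        raise ValueError("not a form-encoded request: %r" % media_type)
    fields = parse_qs(req["body"].decode("iso-8859-1"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def obscure(value: str, scheme: str) -> str:
    """Apply the keyless 'encoding' suggested in the thread (hex or base64)."""
    data = value.encode("utf-8")
    if scheme == "hex":
        return binascii.hexlify(data).decode("ascii")
    if scheme == "base64":
        return base64.b64encode(data).decode("ascii")
    raise ValueError("unknown scheme: %r" % scheme)


def recover(value: str, scheme: str) -> str:
    """Undo obscure(); no secret is needed, so this is not encryption."""
    if scheme == "hex":
        return binascii.unhexlify(value).decode("utf-8")
    if scheme == "base64":
        return base64.b64decode(value).decode("utf-8")
    raise ValueError("unknown scheme: %r" % scheme)


if __name__ == "__main__":
    request = parse_http_request(SAMPLE_REQUEST)
    creds = login_fields(request)
    print("plaintext observer sees:", creds["Bugzilla_login"], creds["Bugzilla_password"])
    for scheme in ("hex", "base64"):
        hidden = obscure(creds["Bugzilla_password"], scheme)
        print(scheme, hidden, "->", recover(hidden, scheme))
```

The parser is deliberately minimal (no chunked bodies, no folded headers); it exists to show that the only protection between the form body and an observer on the path is the TLS session, and that an observer who can read the body at all reads it in full.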
I'd be interested in testing your proxy server to see how exactly you can decrypt SSL traffic without the browser throwing an error. Can you set up something for me to use?
Well, I think browsers act differently. Please try with Chrome too :)

Proxy server: 94.112.57.87:8888

Just let me know when you are ready.
I'm ready. Trying now.
OK, ready too. Listening...
Ok, I successfully logged into bugzilla using a test account. Can you tell me what username and password I used? Feel free to share the details here, as I made up the user/pass just for this test.
Are you sure you set up the proxy to 94.112.57.87:8888? Can you please try again (anytime)?
I'm definitely using it... What are you seeing?
Can you please tell me the browser and the exact proxy config with all the options? I used only Chrome, and Firefox is blocked when trying to access it.
Ah, I was using Firefox. Let me try from Chrome.
Ah, sorry, I had the wrong setting set. I am unable to connect to your proxy:

    $ curl -v -I -x 94.112.57.87:8888 https://bugzilla.mozilla.org
    * About to connect() to proxy 94.112.57.87 port 8888 (#0)
    *   Trying 94.112.57.87...

Do you have some type of firewall blocking incoming traffic?
Strange... http://www.t1shopper.com/tools/port-scan/ is showing that the port is open.
How about if you just use telnet 94.112.57.87 8888?
I've tested from multiple machines. Still nothing. Is this an HTTP proxy or a SOCKS proxy or what? No matter what, I can't even open a TCP connection to that IP:port.
    $ telnet 94.112.57.87 8888
    Trying 94.112.57.87...
    telnet: Unable to connect to remote host: Connection timed out
I think you might have some firewall problems. http://www.t1shopper.com/tools/port-scan/result/ is totally neutral and it shows the port is open. I will check it more thoroughly myself too..
This is also telling me the proxy is working: http://www.ip-adress.com/Proxy_Checker/
(In reply to Sebi from comment #18)
> I think you might have some firewall problems
>
> http://www.t1shopper.com/tools/port-scan/result/ is totally neutral and it
> shows the port is open.
>
> I will check it more thoroughly myself too..

I've tried from multiple hosts... Doesn't work.

(In reply to Sebi from comment #19)
> this is also telling me the proxy is working
> http://www.ip-adress.com/Proxy_Checker/

Result: This Proxy from Czech Republic is not working. Connection timed out
OK, let me check it for sure from my side. I will post a message here, but it could be tomorrow.
But before that, can you please telnet to

    90.183.248.54 8080

This is a proxy from Czech Republic that works for me (to telnet). (I am trying to see if there is something weird like a country firewall, or I have no idea.)
(In reply to Sebi from comment #22)
> but before that can you please telnet to
>
> 90.183.248.54 8080
>
> this is a proxy from Czech Republic that works for me (to telnet)
> (I am trying to see if there is something weird like a country firewall or I
> have no idea)

Yep, that works fine. I can proxy through it.
I changed the port to 80:

    94.112.57.87:80

Can you please give it a try with that?
(In reply to Sebi from comment #24)
> I changed the port to 80
>
> 94.112.57.87:80
>
> can you pls give it a try with that?

Nope, still getting connection timed out.

    $ curl -v -I -x 94.112.57.87:80 https://bugzilla.mozilla.org
    * About to connect() to proxy 94.112.57.87 port 80 (#0)
    *   Trying 94.112.57.87... Connection timed out
    * couldn't connect to host
    * Closing connection #0
    curl: (7) couldn't connect to host
/me sees "invalid" coming... :)
"/me sees "invalid" coming... :)" This is not the Skype command line, and you, monsieur, look like an arrogant french (with a lowercase "f") :) Well, people, I have tried my luck for the bonus anyway.
Marking as invalid. Bugzilla sends credentials over SSL. If a MITM SSL attack exists, it isn't an issue with Bugzilla.

(In reply to Sebi from comment #27)
> "/me sees "invalid" coming... :)" this is not Skype command line and you
> monsieur look like an arrogant french (with lowerletter "f") :)

Smiley face or not, insults are not welcome here.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Group: bugzilla-security