Closed Bug 791681 Opened 12 years ago Closed 11 years ago

Insecure transition from HTTP to HTTPS in form post

Categories

(www.mozilla.org :: Pages & Content, defect, P2)

Product:
www.mozilla.org
Component:
Pages & Content
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: tapan.krishna3, Assigned: kohei)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: qawanted, verifyme, Whiteboard: [kb=1027511] r=116864, b=trunk)

Attachments

(2 files)

Patch for the PHP side: /projects/mozilla.com/trunk/
20.60 KB, patch
Details | Diff | Splinter Review
Patch for the PHP side: /projects/mozilla.org/trunk/
2.25 KB, patch
Details | Diff | Splinter Review 
Vulnerability description

This form is served from an insecure page (http) page. This page could be hijacked using a Man-in-the-middle attack and an attacker can replace the form target.

Affected items

/en-US 
/en-US/about/partnerships 
/en-US/collusion 
/en-US/firefox/organizations 
/en-US/thunderbird/organizations 
/en-US/webmaker 
/projects/calendar/donate.html
 
The impact of this vulnerability
Possible information disclosure.

ATTACK: Man-in the middle attack

FIXING OF VULNERABILITY:
The form should be served from a secure (https) page.
URL: www.mozilla.org
Severity: normal → critical
Crash Signature: Vulnerability description This form is served from an insecure page (http) page. This page could be hijacked using a Man-in-the-middle attack and an attacker can replace the form target.
Component: HTML: Form Submission → Networking: HTTP
Keywords: access, dataloss, highrisk
Priority: -- → P1
Whiteboard: Very Important Bug Which has to be Fixed Or else Possible information disclosure.
Could you please give a more complete set of steps for reproducing this issue? What URL did you start at, what did you click on? I would like to reproduce this exactly to confirm the issue.
Crash Signature: Vulnerability description This form is served from an insecure page (http) page. This page could be hijacked using a Man-in-the-middle attack and an attacker can replace the form target.
Whiteboard: Very Important Bug Which has to be Fixed Or else Possible information disclosure.
Group: core-security → websites-security
Component: Networking: HTTP → Other
Keywords: access, dataloss, highrisk
Product: Core → Websites
Severity: critical → normal
Component: Other → Pages & Content
OS: Windows 7 → All
Priority: P1 → --
Product: Websites → www.mozilla.org
Hardware: x86 → All
(In reply to Curtis Koenig [:curtisk] from comment #1)
> Could you please give a more complete set of steps for reproducing this
> issue? What URL did you start at, what did you click on? I would like to
> reproduce this exactly to confirm the issue.

The Website Uses HTTP Protocol and There Is An Insecure Transition Of data 
The Attacker Uses Man-In-The-Middle Attack 
The Name Itself Conveys that between transition of data a man is in the middle and getting every data that is transit between a client and server

The man-in-the-middle attack in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances 

EXample: An attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle.


To Patch This Vulnerability:

HTTPS Protocol Must Be Used To Prevent Data And Information Disclosure.


Thank You,

---
Tapan
Severity: normal → critical
Priority: -- → P2
Severity: critical → major
I understand what the vulnerability is, I am trying to find out exactly what mozilla urls you are seeing this on and the steps you took to find the issue so I can confirm it and get it to someone to fix. So if you could please give me full urls and the steps you took where you see a transition between HTTP and HTTPS that would be helpful.
Severity: major → normal
Priority: P2 → --
(In reply to Curtis Koenig [:curtisk] from comment #3)
> I understand what the vulnerability is, I am trying to find out exactly what
> mozilla urls you are seeing this on and the steps you took to find the issue
> so I can confirm it and get it to someone to fix. So if you could please
> give me full urls and the steps you took where you see a transition between
> HTTP and HTTPS that would be helpful.


http://www.mozilla.org/en-US 
http://www.mozilla.org/en-US/about/partnerships 
http://www.mozilla.org/en-US/collusion 
http://www.mozilla.org/en-US/firefox/organizations 
http://www.mozilla.org/en-US/thunderbird/organizations 
http://www.mozilla.org/en-US/webmaker 
http://www.mozilla.org/projects/calendar/donate.html 

All websites use HTTP Protocol .. to fix it Use HTTPS Protocol for all the websites will help you in solving This vulnerability.
Severity: normal → major
Priority: -- → P2
Thank you we will check these out. Please do not set the importance flags, the developer will set those once these are confirmed.
Severity: major → normal
Priority: P2 → --
Of all the pages these 2 might have an issue we should look further at

http://www.mozilla.org/en-US/about/partnerships 
* possible privacy issue

https://www.mozilla.org/projects/calendar/donate.html
* has a direct link to paypal

I also don't think this is not security-sensative so I am un-hiding this bug, we might want to consider some changes but as this goes from http->https and not the other way round.
Group: websites-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
In reply to Curtis Koenig [:curtisk] from comment #6)

Okay Sir As Soon as the protocol is changed. the vulnerability will be eradicated and mozilla will become man in the middle attack bug free sir.

Thank you for considering my report.
---
Tapan
(In reply to Curtis Koenig [:curtisk] from comment #6)

Till now did not receive any kind of mail about this respective bug sir.
The Status is new but this bug is not yet removed or resolved.

I Like To Know The Status Of This Bug Sir. 

Thank you.

---
Tapan
This is extremely low priority and not likely to get any attention in the near term. Primary as the data being that could be compromised is not private nor sensitive. So while this behavior is not preferred it does not pose a security issue at this time. When someone is available and inclined to work on it the bug will be assigned and dealt with.
Blocks: mozorg-mixedcontent
Bug 843977 and it's dependents have been filed to remove Mixed Content from mozilla Affiliated sites before the Mixed Content Blocker lands on stable in August.  Please replace the form target with an https link.

Marking this as P2.
Priority: -- → P2
I'll send a pull request for www.mozilla.org.
Bug 866994 is for blog.mozilla.org.
I just set up a local develop environment of Bedrock!
Pull request: https://github.com/mozilla/bedrock/pull/928

While investigating this issue, I have noticed that the SMS form on this page is showing a rock icon even though the submission is insecure.
http://www.mozilla.org/en-US/firefox/sms/
I'll make a PHP patch because some key pages are still on the PHP side like this:
http://www.mozilla.org/en-US/firefox/beta/
Assignee: nobody → kohei.yoshino.bugs
Status: NEW → ASSIGNED
(In reply to Kohei Yoshino from comment #12)
> While investigating this issue, I have noticed that the SMS form on this
> page is showing a rock icon even though the submission is insecure.
> http://www.mozilla.org/en-US/firefox/sms/

Thanks for catching this Kohei!

This is an HTTP page that posts a phone number over HTTP, which is not secure and should not show a lock icon.  This is a misuse of the lock icon and Mozilla should remove this.  We would like to train our users to look at the lock icon in the address bar, since that is the true indicator of the security level of the page.  Adding this lock next to the form only confuses users.  The confusion could lead them to be more susceptible to attacks/phishing in the future.

On a Separate Note - If a page is fully HTTPS (there no mixed content loaded on the page), it will show the lock icon.  BUT, it may still have a form that posts to http.  If a user edits the form and hits submit, they will get a warning before the post goes through.  The warning looks like this:  https://people.mozilla.com/~tvyas/MixedContentPost.png
I'm tracking the bugs that are blocking 843977, the mixed content bug. Is there an expected date that the changes will be made?
Flags: needinfo?(kohei.yoshino.bugs)
Once I get a write access to the SVN repo (Bug 880130) I'll commit the changes to trunk and make them ready for review.
Flags: needinfo?(kohei.yoshino.bugs)
Looks good! Thank you.
Depends on: 880130
Thanks Kohei! Can you let me know when the ticket can be closed?
A(In reply to Kohei Yoshino [:kohei] from comment #14)
> Created attachment 755873 [details] [diff] [review]
> Patch for the PHP side: /projects/mozilla.com/trunk/

Tested locally and applied this patch to trunk at r116864.
The affected pages include

https://www-dev.allizom.org/en-US/firefox/beta/
https://www-dev.allizom.org/en-US/press/speakerrequest/
https://www-dev.allizom.org/en-US/newsletter/

I'll also update my pull request for Bedrock.
Can someone apply my patch in the comment 15 to trunk?

(In reply to Adam Muntner :adamm from comment #20)
> Can you let me know when the ticket can be closed?

Hopefully this week :)
Keywords: qawanted
URL: www.mozilla.orghttp://www.mozilla.org/
Whiteboard: r=116864
I just looked at the bug and I while I'm not a github expert I think it's saying that the merge didn't happen yet. Do you know what it's waiting on?
* PHP/SVN: r116864 needs to be QAed, then merged to the stage/production branch
* PHP/SVN: a patch in comment 15 needs to be committed to the trunk branch, QAed, then merged to the stage/production branch
* Python/Git: https://github.com/mozilla/bedrock/pull/928 needs to be QAed, then merged to the master branch
Whiteboard: r=116864 → r=116864, b=trunk
Any update here?  The Mixed Content Blocker is moving to beta today.  And the beta download page has mixed content on it: 

Release version - https://www.mozilla.org/en-US/firefox/beta/
Fixed dev version - https://www-dev.allizom.org/en-US/firefox/beta/

We are going to ask users/developers/contributors to install Firefox beta and test out the blocker, so the fact that our beta download page has mixed content on it doesn't look good.
(In reply to Tanvi Vyas [:tanvi] from comment #24)
> Any update here?  The Mixed Content Blocker is moving to beta today.  And
> the beta download page has mixed content on it: 
> 
> Release version - https://www.mozilla.org/en-US/firefox/beta/
> Fixed dev version - https://www-dev.allizom.org/en-US/firefox/beta/
> 
> We are going to ask users/developers/contributors to install Firefox beta
> and test out the blocker, so the fact that our beta download page has mixed
> content on it doesn't look good.

Everything is fixed from comment 23. We are waiting for a review, QA and merge. Firefox OS is our P1 right now for a few more days and our team is on the hook for the entire Firefox OS consumer website that is still being developed.
Whiteboard: r=116864, b=trunk → [kb=1027511] r=116864, b=trunk
(In reply to Kohei Yoshino [:kohei] from comment #23)
> * PHP/SVN: r116864 needs to be QAed, then merged to the stage/production
> branch
> * PHP/SVN: a patch in comment 15 needs to be committed to the trunk branch,
> QAed, then merged to the stage/production branch
> * Python/Git: https://github.com/mozilla/bedrock/pull/928 needs to be QAed,
> then merged to the master branch

Can someone review these changes? Firefox 23 is on the way.
Kohei, is there anything I can do to facilitate getting the review done?

Last I heard FF23 hits stable on Aug 6.
Comment 23 provides links to the areas that need code reviewed and merged.
Commits pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/fbb8d94cc6365493114ba73afe86d8fff48b689b
Bug 791681 - Insecure transition from HTTP to HTTPS in form post

https://github.com/mozilla/bedrock/commit/8223d36658c25ce02d9756f296dd3962a505cbc7
Merge pull request #928 from kyoshino/bug-791681-form-https

Bug 791681 - Insecure transition from HTTP to HTTPS in form post
(In reply to [github robot] from comment #29)
> Commits pushed to master at https://github.com/mozilla/bedrock
> 
> https://github.com/mozilla/bedrock/commit/
> fbb8d94cc6365493114ba73afe86d8fff48b689b
> Bug 791681 - Insecure transition from HTTP to HTTPS in form post
> 
> https://github.com/mozilla/bedrock/commit/
> 8223d36658c25ce02d9756f296dd3962a505cbc7
> Merge pull request #928 from kyoshino/bug-791681-form-https
> 
> Bug 791681 - Insecure transition from HTTP to HTTPS in form post

Was this a push to production?  Is this bug fixed?
Keywords: verifyme
(In reply to Tanvi Vyas [:tanvi] from comment #30)
> (In reply to [github robot] from comment #29)
> > Commits pushed to master at https://github.com/mozilla/bedrock
> > 
> > https://github.com/mozilla/bedrock/commit/
> > fbb8d94cc6365493114ba73afe86d8fff48b689b
> > Bug 791681 - Insecure transition from HTTP to HTTPS in form post
> > 
> > https://github.com/mozilla/bedrock/commit/
> > 8223d36658c25ce02d9756f296dd3962a505cbc7
> > Merge pull request #928 from kyoshino/bug-791681-form-https
> > 
> > Bug 791681 - Insecure transition from HTTP to HTTPS in form post
> 
> Was this a push to production?  Is this bug fixed?

Yes! marking this bug resolved. QA can verify on production
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
(In reply to Mike Alexis [:malexis] from comment #31)

> > Was this a push to production?  Is this bug fixed?
> 
> Yes! marking this bug resolved. QA can verify on production

Ack, never mind. the github PR was merged and pushed to prod but we still need to review the SVN commits:

* PHP/SVN: r116864 needs to be QAed, then merged to the stage/production branch
* PHP/SVN: a patch in comment 15 needs to be committed to the trunk branch, QAed, then merged to the stage/production branch
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Checked my PHP patches... Both attachment 755873 [details] [diff] [review] (r116864) and attachment 755876 [details] [diff] [review] still look fine. I haven't patched to the firstrun and whatsnew pages in the PHP side that are no longer in use, so I think I don't have to revise them. Any other issues?
Merged mozilla.com changes, r116864, to stage in r118705, production in r118708.

Committed mozilla.org changes in r118712.

Could still use QA verification. I don't think there are any other issues here.
Status: REOPENED → RESOLVED
Closed: 11 years ago11 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: