Closed
Bug 791681
Opened 12 years ago
Closed 11 years ago
Insecure transition from HTTP to HTTPS in form post
Categories
(www.mozilla.org :: Pages & Content, defect, P2)
www.mozilla.org
Pages & Content
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: tapan.krishna3, Assigned: kohei)
References
(Blocks 1 open bug, )
Details
(Keywords: qawanted, verifyme, Whiteboard: [kb=1027511] r=116864, b=trunk)
Attachments
(2 files)
20.60 KB,
patch
|
Details | Diff | Splinter Review | |
2.25 KB,
patch
|
Details | Diff | Splinter Review |
Vulnerability description This form is served from an insecure page (http) page. This page could be hijacked using a Man-in-the-middle attack and an attacker can replace the form target. Affected items /en-US /en-US/about/partnerships /en-US/collusion /en-US/firefox/organizations /en-US/thunderbird/organizations /en-US/webmaker /projects/calendar/donate.html The impact of this vulnerability Possible information disclosure. ATTACK: Man-in the middle attack FIXING OF VULNERABILITY: The form should be served from a secure (https) page.
Reporter | ||
Updated•12 years ago
|
URL: www.mozilla.org
Severity: normal → critical
Crash Signature: Vulnerability description
This form is served from an insecure page (http) page. This page could be hijacked using a Man-in-the-middle attack and an attacker can replace the form target.
Component: HTML: Form Submission → Networking: HTTP
Priority: -- → P1
Whiteboard: Very Important Bug Which has to be Fixed Or else Possible information disclosure.
Could you please give a more complete set of steps for reproducing this issue? What URL did you start at, what did you click on? I would like to reproduce this exactly to confirm the issue.
Crash Signature: Vulnerability description
This form is served from an insecure page (http) page. This page could be hijacked using a Man-in-the-middle attack and an attacker can replace the form target.
Whiteboard: Very Important Bug Which has to be Fixed Or else Possible information disclosure.
Updated•12 years ago
|
Updated•12 years ago
|
Severity: critical → normal
Component: Other → Pages & Content
OS: Windows 7 → All
Priority: P1 → --
Product: Websites → www.mozilla.org
Hardware: x86 → All
Reporter | ||
Comment 2•12 years ago
|
||
(In reply to Curtis Koenig [:curtisk] from comment #1) > Could you please give a more complete set of steps for reproducing this > issue? What URL did you start at, what did you click on? I would like to > reproduce this exactly to confirm the issue. The Website Uses HTTP Protocol and There Is An Insecure Transition Of data The Attacker Uses Man-In-The-Middle Attack The Name Itself Conveys that between transition of data a man is in the middle and getting every data that is transit between a client and server The man-in-the-middle attack in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances EXample: An attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle. To Patch This Vulnerability: HTTPS Protocol Must Be Used To Prevent Data And Information Disclosure. Thank You, --- Tapan
Reporter | ||
Updated•12 years ago
|
Severity: normal → critical
Priority: -- → P2
Reporter | ||
Updated•12 years ago
|
Severity: critical → major
I understand what the vulnerability is, I am trying to find out exactly what mozilla urls you are seeing this on and the steps you took to find the issue so I can confirm it and get it to someone to fix. So if you could please give me full urls and the steps you took where you see a transition between HTTP and HTTPS that would be helpful.
Severity: major → normal
Priority: P2 → --
Reporter | ||
Comment 4•12 years ago
|
||
(In reply to Curtis Koenig [:curtisk] from comment #3) > I understand what the vulnerability is, I am trying to find out exactly what > mozilla urls you are seeing this on and the steps you took to find the issue > so I can confirm it and get it to someone to fix. So if you could please > give me full urls and the steps you took where you see a transition between > HTTP and HTTPS that would be helpful. http://www.mozilla.org/en-US http://www.mozilla.org/en-US/about/partnerships http://www.mozilla.org/en-US/collusion http://www.mozilla.org/en-US/firefox/organizations http://www.mozilla.org/en-US/thunderbird/organizations http://www.mozilla.org/en-US/webmaker http://www.mozilla.org/projects/calendar/donate.html All websites use HTTP Protocol .. to fix it Use HTTPS Protocol for all the websites will help you in solving This vulnerability.
Reporter | ||
Updated•12 years ago
|
Severity: normal → major
Priority: -- → P2
Thank you we will check these out. Please do not set the importance flags, the developer will set those once these are confirmed.
Severity: major → normal
Priority: P2 → --
Of all the pages these 2 might have an issue we should look further at http://www.mozilla.org/en-US/about/partnerships * possible privacy issue https://www.mozilla.org/projects/calendar/donate.html * has a direct link to paypal I also don't think this is not security-sensative so I am un-hiding this bug, we might want to consider some changes but as this goes from http->https and not the other way round.
Group: websites-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Reporter | ||
Comment 7•12 years ago
|
||
In reply to Curtis Koenig [:curtisk] from comment #6) Okay Sir As Soon as the protocol is changed. the vulnerability will be eradicated and mozilla will become man in the middle attack bug free sir. Thank you for considering my report. --- Tapan
Reporter | ||
Comment 8•12 years ago
|
||
(In reply to Curtis Koenig [:curtisk] from comment #6) Till now did not receive any kind of mail about this respective bug sir. The Status is new but this bug is not yet removed or resolved. I Like To Know The Status Of This Bug Sir. Thank you. --- Tapan
This is extremely low priority and not likely to get any attention in the near term. Primary as the data being that could be compromised is not private nor sensitive. So while this behavior is not preferred it does not pose a security issue at this time. When someone is available and inclined to work on it the bug will be assigned and dealt with.
Assignee | ||
Updated•12 years ago
|
Blocks: mozorg-mixedcontent
Comment 10•12 years ago
|
||
Bug 843977 and it's dependents have been filed to remove Mixed Content from mozilla Affiliated sites before the Mixed Content Blocker lands on stable in August. Please replace the form target with an https link. Marking this as P2.
Priority: -- → P2
Assignee | ||
Comment 11•12 years ago
|
||
I'll send a pull request for www.mozilla.org. Bug 866994 is for blog.mozilla.org.
Assignee | ||
Comment 12•12 years ago
|
||
I just set up a local develop environment of Bedrock! Pull request: https://github.com/mozilla/bedrock/pull/928 While investigating this issue, I have noticed that the SMS form on this page is showing a rock icon even though the submission is insecure. http://www.mozilla.org/en-US/firefox/sms/
Assignee | ||
Comment 13•12 years ago
|
||
I'll make a PHP patch because some key pages are still on the PHP side like this: http://www.mozilla.org/en-US/firefox/beta/
Assignee: nobody → kohei.yoshino.bugs
Status: NEW → ASSIGNED
Assignee | ||
Comment 14•12 years ago
|
||
Assignee | ||
Comment 15•12 years ago
|
||
Comment 16•12 years ago
|
||
(In reply to Kohei Yoshino from comment #12) > While investigating this issue, I have noticed that the SMS form on this > page is showing a rock icon even though the submission is insecure. > http://www.mozilla.org/en-US/firefox/sms/ Thanks for catching this Kohei! This is an HTTP page that posts a phone number over HTTP, which is not secure and should not show a lock icon. This is a misuse of the lock icon and Mozilla should remove this. We would like to train our users to look at the lock icon in the address bar, since that is the true indicator of the security level of the page. Adding this lock next to the form only confuses users. The confusion could lead them to be more susceptible to attacks/phishing in the future. On a Separate Note - If a page is fully HTTPS (there no mixed content loaded on the page), it will show the lock icon. BUT, it may still have a form that posts to http. If a user edits the form and hits submit, they will get a warning before the post goes through. The warning looks like this: https://people.mozilla.com/~tvyas/MixedContentPost.png
Comment 17•11 years ago
|
||
I'm tracking the bugs that are blocking 843977, the mixed content bug. Is there an expected date that the changes will be made?
Flags: needinfo?(kohei.yoshino.bugs)
Assignee | ||
Comment 18•11 years ago
|
||
Once I get a write access to the SVN repo (Bug 880130) I'll commit the changes to trunk and make them ready for review.
Flags: needinfo?(kohei.yoshino.bugs)
Comment 20•11 years ago
|
||
Thanks Kohei! Can you let me know when the ticket can be closed?
Assignee | ||
Comment 21•11 years ago
|
||
A(In reply to Kohei Yoshino [:kohei] from comment #14) > Created attachment 755873 [details] [diff] [review] > Patch for the PHP side: /projects/mozilla.com/trunk/ Tested locally and applied this patch to trunk at r116864. The affected pages include https://www-dev.allizom.org/en-US/firefox/beta/ https://www-dev.allizom.org/en-US/press/speakerrequest/ https://www-dev.allizom.org/en-US/newsletter/ I'll also update my pull request for Bedrock. Can someone apply my patch in the comment 15 to trunk? (In reply to Adam Muntner :adamm from comment #20) > Can you let me know when the ticket can be closed? Hopefully this week :)
Keywords: qawanted
Assignee | ||
Updated•11 years ago
|
Whiteboard: r=116864
Comment 22•11 years ago
|
||
I just looked at the bug and I while I'm not a github expert I think it's saying that the merge didn't happen yet. Do you know what it's waiting on?
Assignee | ||
Comment 23•11 years ago
|
||
* PHP/SVN: r116864 needs to be QAed, then merged to the stage/production branch * PHP/SVN: a patch in comment 15 needs to be committed to the trunk branch, QAed, then merged to the stage/production branch * Python/Git: https://github.com/mozilla/bedrock/pull/928 needs to be QAed, then merged to the master branch
Whiteboard: r=116864 → r=116864, b=trunk
Comment 24•11 years ago
|
||
Any update here? The Mixed Content Blocker is moving to beta today. And the beta download page has mixed content on it: Release version - https://www.mozilla.org/en-US/firefox/beta/ Fixed dev version - https://www-dev.allizom.org/en-US/firefox/beta/ We are going to ask users/developers/contributors to install Firefox beta and test out the blocker, so the fact that our beta download page has mixed content on it doesn't look good.
Comment 25•11 years ago
|
||
(In reply to Tanvi Vyas [:tanvi] from comment #24) > Any update here? The Mixed Content Blocker is moving to beta today. And > the beta download page has mixed content on it: > > Release version - https://www.mozilla.org/en-US/firefox/beta/ > Fixed dev version - https://www-dev.allizom.org/en-US/firefox/beta/ > > We are going to ask users/developers/contributors to install Firefox beta > and test out the blocker, so the fact that our beta download page has mixed > content on it doesn't look good. Everything is fixed from comment 23. We are waiting for a review, QA and merge. Firefox OS is our P1 right now for a few more days and our team is on the hook for the entire Firefox OS consumer website that is still being developed.
Updated•11 years ago
|
Whiteboard: r=116864, b=trunk → [kb=1027511] r=116864, b=trunk
Assignee | ||
Comment 26•11 years ago
|
||
(In reply to Kohei Yoshino [:kohei] from comment #23) > * PHP/SVN: r116864 needs to be QAed, then merged to the stage/production > branch > * PHP/SVN: a patch in comment 15 needs to be committed to the trunk branch, > QAed, then merged to the stage/production branch > * Python/Git: https://github.com/mozilla/bedrock/pull/928 needs to be QAed, > then merged to the master branch Can someone review these changes? Firefox 23 is on the way.
Comment 27•11 years ago
|
||
Kohei, is there anything I can do to facilitate getting the review done? Last I heard FF23 hits stable on Aug 6.
Comment 28•11 years ago
|
||
Comment 23 provides links to the areas that need code reviewed and merged.
Comment 29•11 years ago
|
||
Commits pushed to master at https://github.com/mozilla/bedrock https://github.com/mozilla/bedrock/commit/fbb8d94cc6365493114ba73afe86d8fff48b689b Bug 791681 - Insecure transition from HTTP to HTTPS in form post https://github.com/mozilla/bedrock/commit/8223d36658c25ce02d9756f296dd3962a505cbc7 Merge pull request #928 from kyoshino/bug-791681-form-https Bug 791681 - Insecure transition from HTTP to HTTPS in form post
Comment 30•11 years ago
|
||
(In reply to [github robot] from comment #29) > Commits pushed to master at https://github.com/mozilla/bedrock > > https://github.com/mozilla/bedrock/commit/ > fbb8d94cc6365493114ba73afe86d8fff48b689b > Bug 791681 - Insecure transition from HTTP to HTTPS in form post > > https://github.com/mozilla/bedrock/commit/ > 8223d36658c25ce02d9756f296dd3962a505cbc7 > Merge pull request #928 from kyoshino/bug-791681-form-https > > Bug 791681 - Insecure transition from HTTP to HTTPS in form post Was this a push to production? Is this bug fixed?
Keywords: verifyme
Comment 31•11 years ago
|
||
(In reply to Tanvi Vyas [:tanvi] from comment #30) > (In reply to [github robot] from comment #29) > > Commits pushed to master at https://github.com/mozilla/bedrock > > > > https://github.com/mozilla/bedrock/commit/ > > fbb8d94cc6365493114ba73afe86d8fff48b689b > > Bug 791681 - Insecure transition from HTTP to HTTPS in form post > > > > https://github.com/mozilla/bedrock/commit/ > > 8223d36658c25ce02d9756f296dd3962a505cbc7 > > Merge pull request #928 from kyoshino/bug-791681-form-https > > > > Bug 791681 - Insecure transition from HTTP to HTTPS in form post > > Was this a push to production? Is this bug fixed? Yes! marking this bug resolved. QA can verify on production
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 32•11 years ago
|
||
(In reply to Mike Alexis [:malexis] from comment #31) > > Was this a push to production? Is this bug fixed? > > Yes! marking this bug resolved. QA can verify on production Ack, never mind. the github PR was merged and pushed to prod but we still need to review the SVN commits: * PHP/SVN: r116864 needs to be QAed, then merged to the stage/production branch * PHP/SVN: a patch in comment 15 needs to be committed to the trunk branch, QAed, then merged to the stage/production branch
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 33•11 years ago
|
||
Checked my PHP patches... Both attachment 755873 [details] [diff] [review] (r116864) and attachment 755876 [details] [diff] [review] still look fine. I haven't patched to the firstrun and whatsnew pages in the PHP side that are no longer in use, so I think I don't have to revise them. Any other issues?
Comment 34•11 years ago
|
||
Merged mozilla.com changes, r116864, to stage in r118705, production in r118708. Committed mozilla.org changes in r118712. Could still use QA verification. I don't think there are any other issues here.
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•