Multiple vulnerabilities on getfirefox.com name server

RESOLVED FIXED

Status

Infrastructure & Operations
WebOps: Other
P2
normal
RESOLVED FIXED
5 years ago
3 years ago

People

(Reporter: Andrew S. Edwards, Assigned: solarce)

Tracking

({sec-moderate})

other
sec-moderate
Bug Flags:
sec-bounty +

Details

(URL)

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

Steps to reproduce:

Scanned and found multiple vulnerabilities:
getfirefox.com server 64.13.141.6 vulnerabilities

Cross Site Scripting:
url:
http://64.13.141.6/vimrc.md5%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000438)%3C/script%3E
url:
http://64.13.141.6/SETUP%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000416)%3C/script%3E
url:
http://64.13.141.6/%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0003F6)%3C/script%3E
url:
http://64.13.141.6/packages/%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000433)%3C/script%3E
parimeter name: URI-Based
Parameter Type: FullUrl
(phishing attacks, man in the middle attacks, and session hijacking)

PHP Source Code Disclosure:
url:
http://64.13.141.6/packages/openssl-1.0.0_5.tbz
(possibly gives access to databases and admin tools and can increase further attacks)

OpenSSL Version Disclosure:
Version: 1.0.0d
(can be used to find version specific vulnerabilities)

Trace/Track Identified:
(further increases possibility of an XSS attack)

Apache Version Disclosure:
version: 2.2.18
(can be used to find version specific vulnerabilities)

Apache Module Version Disclosure:
version: mod_ssl/2.2.18 OpenSSL/1.0.0d
(can be used to find version specific vulnerabilities)


Actual results:

getfirefox.com server 64.13.141.6 vulnerabilities

Cross Site Scripting:
url:
http://64.13.141.6/vimrc.md5%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000438)%3C/script%3E
url:
http://64.13.141.6/SETUP%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000416)%3C/script%3E
url:
http://64.13.141.6/%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0003F6)%3C/script%3E
url:
http://64.13.141.6/packages/%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000433)%3C/script%3E
parimeter name: URI-Based
Parameter Type: FullUrl
(phishing attacks, man in the middle attacks, and session hijacking)

PHP Source Code Disclosure:
url:
http://64.13.141.6/packages/openssl-1.0.0_5.tbz
(possibly gives access to databases and admin tools and can increase further attacks)

OpenSSL Version Disclosure:
Version: 1.0.0d
(can be used to find version specific vulnerabilities)

Trace/Track Identified:
(further increases possibility of an XSS attack)

Apache Version Disclosure:
version: 2.2.18
(can be used to find version specific vulnerabilities)

Apache Module Version Disclosure:
version: mod_ssl/2.2.18 OpenSSL/1.0.0d
(can be used to find version specific vulnerabilities)


Expected results:

No cross site scripting, no php source code disclosure, no Trace/Track, no Apache or OpenSSL version disclosures.
(Reporter)

Updated

5 years ago
Nameservers for getfirefox.com:
    ns.meer.net
    ns.mozilla.org

Ugh.

Please update to ns[123].mozilla.org and confirm other domains aren't using ns.meer.net or ns.mozilla.org.
Assignee: nobody → server-ops-infra
Group: core-security → websites-security
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: General → Server Operations: Infrastructure
Ever confirmed: true
OS: Windows XP → All
Product: Core → mozilla.org
QA Contact: jdow
Hardware: x86 → All
Version: unspecified → other
$ host getfirefox.com ns.meer.net
Using domain server:
Name: ns.meer.net
Address: 64.13.141.6#53
Aliases: 

Host getfirefox.com not found: 5(REFUSED)
Assignee: server-ops-infra → mburns
Assignee: mburns → server-ops-infra
Flags: sec-bounty?
Assignee: server-ops-infra → mburns
:solarce and :ericz are looking into this.
Severity: critical → major
Assignee: mburns → server-ops-infra
(Assignee)

Comment 4

5 years ago
(In reply to Andrew S. Edwards from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like
> Gecko) Chrome/24.0.1312.57 Safari/537.17
> 
> Steps to reproduce:
> 
> Scanned and found multiple vulnerabilities:
> getfirefox.com server 64.13.141.6 vulnerabilities
> 
> Cross Site Scripting:
> url:
> http://64.13.141.6/vimrc.md5%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x000438)%3C/script%3E
> url:
> http://64.13.141.6/SETUP%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x000416)%3C/script%3E
> url:
> http://64.13.141.6/%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x0003F6)%3C/script%3E
> url:
> http://64.13.141.6/packages/%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x000433)%3C/script%3E
> parimeter name: URI-Based
> Parameter Type: FullUrl
> (phishing attacks, man in the middle attacks, and session hijacking)
> 
> PHP Source Code Disclosure:
> url:
> http://64.13.141.6/packages/openssl-1.0.0_5.tbz
> (possibly gives access to databases and admin tools and can increase further
> attacks)
> 
> OpenSSL Version Disclosure:
> Version: 1.0.0d
> (can be used to find version specific vulnerabilities)
> 
> Trace/Track Identified:
> (further increases possibility of an XSS attack)
> 
> Apache Version Disclosure:
> version: 2.2.18
> (can be used to find version specific vulnerabilities)
> 
> Apache Module Version Disclosure:
> version: mod_ssl/2.2.18 OpenSSL/1.0.0d
> (can be used to find version specific vulnerabilities)
> 
> 
> Actual results:
> 
> getfirefox.com server 64.13.141.6 vulnerabilities
> 
> Cross Site Scripting:
> url:
> http://64.13.141.6/vimrc.md5%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x000438)%3C/script%3E
> url:
> http://64.13.141.6/SETUP%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x000416)%3C/script%3E
> url:
> http://64.13.141.6/%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x0003F6)%3C/script%3E
> url:
> http://64.13.141.6/packages/%27%22--%3E%3C/style%3E%3C/
> script%3E%3Cscript%3Ealert(0x000433)%3C/script%3E
> parimeter name: URI-Based
> Parameter Type: FullUrl
> (phishing attacks, man in the middle attacks, and session hijacking)
> 
> PHP Source Code Disclosure:
> url:
> http://64.13.141.6/packages/openssl-1.0.0_5.tbz
> (possibly gives access to databases and admin tools and can increase further
> attacks)
> 
> OpenSSL Version Disclosure:
> Version: 1.0.0d
> (can be used to find version specific vulnerabilities)
> 
> Trace/Track Identified:
> (further increases possibility of an XSS attack)
> 
> Apache Version Disclosure:
> version: 2.2.18
> (can be used to find version specific vulnerabilities)
> 
> Apache Module Version Disclosure:
> version: mod_ssl/2.2.18 OpenSSL/1.0.0d
> (can be used to find version specific vulnerabilities)
> 
> 
> Expected results:
> 
> No cross site scripting, no php source code disclosure, no Trace/Track, no
> Apache or OpenSSL version disclosures.

1. 64.13.141.6 is not a Mozilla IP, so if that is the vulnerable server it's not ours

2. The DNS nameservers are wrong and I am looking into those
Assignee: server-ops-infra → server-ops-webops
Severity: major → normal
Component: Server Operations: Infrastructure → Server Operations: Web Operations
Priority: -- → P2
QA Contact: jdow → nmaul
(Assignee)

Updated

5 years ago
Assignee: server-ops-webops → bburton
(Assignee)

Comment 5

5 years ago
Nameserver update to NS[1-3].MOZILLA.ORG submitted to MarkMonitor, will confirm when live in whois info
Status: NEW → ASSIGNED
(In reply to Brandon Burton [:solarce] from comment #4)
> 1. 64.13.141.6 is not a Mozilla IP, so if that is the vulnerable server it's
> not ours

ns.meer.net is 64.13.141.6

> 2. The DNS nameservers are wrong and I am looking into those

... which is why that IP being vulnerable *does* matter, considering if somebody were to get access to that server (via the vulnerabilities mentioned in comment #0 or other problems), such an attacker could point getfirefox.com to something nefarious (such as a malicious Firefox download).
(Assignee)

Comment 7

5 years ago
Our hosting for getfirefox.org is only a virtual host with a redirect on our static cluster

# Bug 688019
<VirtualHost *:80>
    ServerName getfirefox.org
    ServerAlias www.getfirefox.org
    Redirect / http://www.mozilla.org/firefox/
</VirtualHost>

So I do not believe that this site on Mozilla infra is vulnerable, but that the server at 64.13.141.6 is, which is not owned or controlled by us.

DNS is now correct in whois

bburton@voltaire [06:42:41] [~] 
-> % whois getfirefox.org | grep -A3 'Name Server'
Name Server:NS1.MOZILLA.ORG
Name Server:NS2.MOZILLA.ORG
Name Server:NS3.MOZILLA.ORG
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Comment 8

5 years ago
➜  ~  dig getfirefox.org

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> getfirefox.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7698
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;getfirefox.org.			IN	A

;; ANSWER SECTION:
getfirefox.org.		300	IN	A	63.245.217.181

;; Query time: 135 msec
;; SERVER: 69.64.44.20#53(69.64.44.20)
;; WHEN: Sun Feb  3 03:44:18 2013
;; MSG SIZE  rcvd: 48
(In reply to Brandon Burton [:solarce] from comment #7)
> Our hosting for getfirefox.org is only a virtual host with a redirect on our
> static cluster

getfirefox.com is the problem, not .org... I checked .org already, and it had the correct nameservers.

> So I do not believe that this site on Mozilla infra is vulnerable, but that
> the server at 64.13.141.6 is, which is not owned or controlled by us.

Yes, see again comment #6 as to why this would still be considered a security vulnerability. :)

> DNS is now correct in whois

Again, .com, not .org, but I can confirm that .com now shows the correct nameservers.

$ whois getfirefox.com | grep 'Name Server'
   Name Server: NS1.MOZILLA.ORG
   Name Server: NS2.MOZILLA.ORG
   Name Server: NS3.MOZILLA.ORG

Thanks for the quick response. Opening this bug.
Group: websites-security
(Assignee)

Comment 10

5 years ago
(In reply to Reed Loden [:reed] from comment #9)
> (In reply to Brandon Burton [:solarce] from comment #7)
> > Our hosting for getfirefox.org is only a virtual host with a redirect on our
> > static cluster
> 
> getfirefox.com is the problem, not .org... I checked .org already, and it
> had the correct nameservers.
> 
> > So I do not believe that this site on Mozilla infra is vulnerable, but that
> > the server at 64.13.141.6 is, which is not owned or controlled by us.
> 
> Yes, see again comment #6 as to why this would still be considered a
> security vulnerability. :)
> 
> > DNS is now correct in whois
> 
> Again, .com, not .org, but I can confirm that .com now shows the correct
> nameservers.
> 
> $ whois getfirefox.com | grep 'Name Server'
>    Name Server: NS1.MOZILLA.ORG
>    Name Server: NS2.MOZILLA.ORG
>    Name Server: NS3.MOZILLA.ORG
> 
> Thanks for the quick response. Opening this bug.

I mid-aired on your comment, did not mean not to acknowledge it though, yes I completely understand and agree, have a good night, happy to help
(Assignee)

Comment 11

5 years ago
For completeness, getfirefox.com has a similar setup to getfirefox.org, just redirects in apache

<VirtualHost *:80>
    ServerName getfirefox.com
    ServerAlias www.getfirefox.com mozillafirefox.com www.mozillafirefox.com \
                firefoxbrowser.com www.firefoxbrowser.com firefoxbrowser.org www.firefoxbrowser.org
    Redirect permanent /Firefox_3 http://www.mozilla.org/firefox/
    Redirect permanent /beta http://www.mozilla.org/firefox/channel
    Redirect permanent /nightly http://nightly.mozilla.org
    RedirectMatch permanent .* http://www.mozilla.org/firefox/?from=getfirefox
    ErrorLog "|/usr/sbin/rotatelogs /etc/httpd/logs/getfirefox/error_log_%Y-%m-%d 86400 -480"
    CustomLog "|/usr/sbin/rotatelogs /etc/httpd/logs/getfirefox/access_%Y-%m-%d 86400 -480" combined
</VirtualHost>
Keywords: sec-moderate
Flags: sec-bounty? → sec-bounty+

Comment 13

5 years ago
The bounty committee has decided pay out on the bug. Although the nameserver and IP are not owned by Mozilla. This bug exposed a misconfiguration on our side which could potentially lead to spoofing of the getfirefox.com site. This would require a compromise of the ns.meer.net server as :reed mentioned.
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
You need to log in before you can comment on or make changes to this bug.