If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Python error output when search term includes %00 in dxr.mozilla.org

RESOLVED WONTFIX

Status

Webtools
DXR
RESOLVED WONTFIX
5 years ago
5 years ago

People

(Reporter: curtisk, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [site:dxr.mozilla.org])

Date: Wed, 13 Feb 2013 19:50:35 +0530
Subject: Possible LFI
From: Siddhesh Gawde <coolsiddheshgawade@gmail.com>
To: security@mozilla.org, siddhesh gawde <coolsidx@gmail.com>
-----//-----
Hey I have found an error/bug in the site regarding LFI.
I am not sure about it so wanted you people to check it.
I think it can be exploited,please check it sir.

http://dxr.mozilla.org/search.cgi?tree=mozilla-central&string=../../../../../../../../../../../../../../etc/passwd%00


Please let me know about it sir.
Thank you .

>>>>>>>>>>>>>>
Date: Thu, 14 Feb 2013 02:23:22 +0530
Subject: Re: Possible LFI
From: Siddhesh Gawde <coolsiddheshgawade@gmail.com>
To: security@mozilla.org, siddhesh gawde <coolsidx@gmail.com>
-----//-----
Sir there is an vulnerability there as i said
I have found the log file also

http://dxr.mozilla.org/search.cgi?tree=mozilla-central&string=../../../../../../../../../../../../var/log/error.log

There is an Local File Disclosure acc to me.
It showed this page also

http://dxr.mozilla.org/mozilla-central/uriloader/exthandler/unix/nsOSHelperAppService.cpp.html#l526

I am sorry but i dont have much experience in LFD vulns so i am not able to explain it in a better way.
I have tried my best, if you need any other info sir pls let me know .

Waiting for your reply.
Thank you.
Group: websites-security → webtools-security
Component: other.mozilla.org → DXR
Product: Websites → Webtools
Version: unspecified → Trunk
In reverse order, nsOSHelperAppService.cpp is one of the source files for the Mozilla browser engine. DXR lets developers view and search our source code to help in our collaborative development process.

The link containing error.log is not LFI and is not showing the system error log, it has performed a search for those terms throughout our source code.

The first issue, the search for ../../../etc/passwd%00, triggered a python error on the site. It's not harmful or exploitable. It's a bug that the error isn't handled more gracefully, but basically it's telling you "invalid input" because of the %00 null character. Without that it simply performs a search like the error.log case.

Error message below:

--> -->

A problem occurred in a Python script. Here is the sequence of function calls leading up to the error, in the order they occurred.
 /var/www/production/html/search.cgi in ()
  445       print '<div id="content">'
  446     kwargs = dict((k,form[k]) for k in optargs if k in form)
  447     dispatch(form[param], **kwargs)
  448     break
  449 else:
dispatch = <function processString at 0x14a77230>, form = {'string': '../../../../../../../../../../../../../../etc/passwd\x00', 'tree': 'mozilla-central'}, param = 'string', kwargs = {}
 /var/www/production/html/search.cgi in processString(string='../../../../../../../../../../../../../../etc/passwd\x00', path=None, ext=None, regexp=None)
  175   printHeader = True
  176 
  177   for row in queries.getFileMatches(conn, string):
  178     if printHeader:
  179       print '<div class=bubble><span class="title">Files</span><ul>'
row undefined, global queries = <module 'dxr_server.queries' from '/var/www/production/html/dxr_server/queries.py'>, queries.getFileMatches = <function getFileMatches at 0x14a75aa0>, global conn = <pysqlite2.dbapi2.Connection object at 0x14a1d2e8>, string = '../../../../../../../../../../../../../../etc/passwd\x00'
 /var/www/production/html/dxr_server/queries.py in getFileMatches(conn=<pysqlite2.dbapi2.Connection object at 0x14a1d2e8>, match_string='../../../../../../../../../../../../../../etc/passwd\x00')
    7   match_string = re.sub('["\']', '', match_string)
    8   for row in conn.execute('SELECT (SELECT path from files where ID = fts.rowid), fts.basename ' +
    9                           'FROM fts where fts.basename MATCH ?', ('"%s"' % match_string,)).fetchall():
   10     yield row
   11 
match_string = '../../../../../../../../../../../../../../etc/passwd\x00', ).fetchall undefined

<class 'pysqlite2.dbapi2.OperationalError'>: malformed MATCH expression: ["../../../../../../../../../../../../../../etc/passwd]
      args = ('malformed MATCH expression: ["../../../../../../../../../../../../../../etc/passwd]',)
      message = 'malformed MATCH expression: ["../../../../../../../../../../../../../../etc/passwd]'
Group: webtools-security
Summary: Local File Inclusion (LFI) in dxr.mozilla.org → Python error output when search term includes %00 in dxr.mozilla.org
Trying the %00 testcase on dxr.allizom.org fails to reproduce the error; the current content on dxr.allizom.org will be replaced with dxr.mozilla.org "shortly", so there's no point fixing it.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.