Bug 841153 - Python error output when search term includes %00 in dxr.mozilla.org
Status: RESOLVED WONTFIX (opened 11 years ago, closed 11 years ago)
Product / Component: Webtools Graveyard :: DXR (defect)
Reporter: curtisk; Assignee: Unassigned
Whiteboard: [site:dxr.mozilla.org]
Date: Wed, 13 Feb 2013 19:50:35 +0530
Subject: Possible LFI
From: Siddhesh Gawde <coolsiddheshgawade@gmail.com>
To: security@mozilla.org, siddhesh gawde <coolsidx@gmail.com>

Hey, I have found an error/bug in the site regarding LFI. I am not sure about it, so I wanted you people to check it. I think it can be exploited; please check it, sir.

http://dxr.mozilla.org/search.cgi?tree=mozilla-central&string=../../../../../../../../../../../../../../etc/passwd%00

Please let me know about it, sir. Thank you.

Date: Thu, 14 Feb 2013 02:23:22 +0530
Subject: Re: Possible LFI
From: Siddhesh Gawde <coolsiddheshgawade@gmail.com>
To: security@mozilla.org, siddhesh gawde <coolsidx@gmail.com>

Sir, there is a vulnerability there, as I said. I have found the log file also:

http://dxr.mozilla.org/search.cgi?tree=mozilla-central&string=../../../../../../../../../../../../var/log/error.log

There is a Local File Disclosure, according to me. It showed this page also:

http://dxr.mozilla.org/mozilla-central/uriloader/exthandler/unix/nsOSHelperAppService.cpp.html#l526

I am sorry, but I don't have much experience in LFD vulns, so I am not able to explain it in a better way. I have tried my best; if you need any other info, sir, please let me know. Waiting for your reply. Thank you.
Updated•11 years ago
Group: websites-security → webtools-security
Component: other.mozilla.org → DXR
Product: Websites → Webtools
Version: unspecified → Trunk
Comment 1•11 years ago

In reverse order: nsOSHelperAppService.cpp is one of the source files for the Mozilla browser engine. DXR lets developers view and search our source code to help in our collaborative development process. The link containing error.log is not LFI and is not showing the system error log; it has performed a search for those terms throughout our source code.

The first issue, the search for ../../../etc/passwd%00, triggered a Python error on the site. It's not harmful or exploitable. It's a bug that the error isn't handled more gracefully, but basically it's telling you "invalid input" because of the %00 null character. Without that it simply performs a search like the error.log case. Error message below:

A problem occurred in a Python script. Here is the sequence of function calls leading up to the error, in the order they occurred.

/var/www/production/html/search.cgi in ()
  445         print '<div id="content">'
  446         kwargs = dict((k,form[k]) for k in optargs if k in form)
  447         dispatch(form[param], **kwargs)
  448         break
  449     else:
dispatch = <function processString at 0x14a77230>, form = {'string': '../../../../../../../../../../../../../../etc/passwd\x00', 'tree': 'mozilla-central'}, param = 'string', kwargs = {}

/var/www/production/html/search.cgi in processString(string='../../../../../../../../../../../../../../etc/passwd\x00', path=None, ext=None, regexp=None)
  175     printHeader = True
  176
  177     for row in queries.getFileMatches(conn, string):
  178         if printHeader:
  179             print '<div class=bubble><span class="title">Files</span><ul>'
row undefined, global queries = <module 'dxr_server.queries' from '/var/www/production/html/dxr_server/queries.py'>, queries.getFileMatches = <function getFileMatches at 0x14a75aa0>, global conn = <pysqlite2.dbapi2.Connection object at 0x14a1d2e8>, string = '../../../../../../../../../../../../../../etc/passwd\x00'

/var/www/production/html/dxr_server/queries.py in getFileMatches(conn=<pysqlite2.dbapi2.Connection object at 0x14a1d2e8>, match_string='../../../../../../../../../../../../../../etc/passwd\x00')
    7     match_string = re.sub('["\']', '', match_string)
    8     for row in conn.execute('SELECT (SELECT path from files where ID = fts.rowid), fts.basename ' +
    9                             'FROM fts where fts.basename MATCH ?', ('"%s"' % match_string,)).fetchall():
   10         yield row
   11
match_string = '../../../../../../../../../../../../../../etc/passwd\x00', ).fetchall undefined

<class 'pysqlite2.dbapi2.OperationalError'>: malformed MATCH expression: ["../../../../../../../../../../../../../../etc/passwd]
args = ('malformed MATCH expression: ["../../../../../../../../../../../../../../etc/passwd]',)
message = 'malformed MATCH expression: ["../../../../../../../../../../../../../../etc/passwd]'
Group: webtools-security
Summary: Local File Inclusion (LFI) in dxr.mozilla.org → Python error output when search term includes %00 in dxr.mozilla.org
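Editor's note on the traceback above, with an added example that is not DXR's code and not part of the bug thread. getFileMatches strips quote characters from the user's term, wraps it in double quotes to form a single FTS phrase, and passes it to SQLite as the MATCH argument. The error text shows the phrase with its closing quote missing, which is consistent with the term having been cut at the %00 (NUL) before SQLite parsed the quoted phrase; without the NUL the same input is just a phrase search for the tokens "etc" and "passwd" over file basenames, which is why the error.log link returns search results rather than a log file. The practical defect is the handling, not the query: cgitb renders the exception as a page that echoes server filesystem paths and every local variable, so a production CGI should reject control characters before the database is touched and map any database error to a fixed message. The script below reproduces the query shape against a constructed in-memory files/fts index (the schema and sample paths are assumptions for the example; only the SQL and the quote-stripping mirror the traceback) and sets a hardened entry point beside it. Whether a modern sqlite3 binding reproduces the exact "malformed MATCH expression" error for an embedded NUL depends on the binding and SQLite version, so the example does not rely on that; it rejects the term up front.

```python
"""Added example (not DXR's code): the unhandled-exception path from comment 1
beside a hardened version of the same file-name search.

Assumptions: the files/fts schema and the sample paths below are constructed for
this example; only the SQL query and the quote-stripping mirror the traceback.
"""
import re
import sqlite3

# NUL and other ASCII control characters have no business in a search term.
CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')

# Constructed index contents (not a real mozilla-central listing, apart from the
# nsOSHelperAppService.cpp path quoted in the bug).
SAMPLE_FILES = [
    (1, 'uriloader/exthandler/unix/nsOSHelperAppService.cpp'),
    (2, 'sample/logs/error.log'),
    (3, 'sample/etc/passwd'),
    (4, 'sample/docs/README'),
]


def fts_available():
    """True if this SQLite build has the FTS4 module the example relies on."""
    try:
        sqlite3.connect(':memory:').execute('CREATE VIRTUAL TABLE t USING fts4(x)')
        return True
    except sqlite3.OperationalError:
        return False


def make_index(entries):
    """Stand-in for DXR's files and fts tables: fts.rowid == files.id, basename indexed."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE files (id INTEGER PRIMARY KEY, path TEXT NOT NULL)')
    conn.execute('CREATE VIRTUAL TABLE fts USING fts4(basename)')
    for file_id, path in entries:
        conn.execute('INSERT INTO files (id, path) VALUES (?, ?)', (file_id, path))
        conn.execute('INSERT INTO fts (rowid, basename) VALUES (?, ?)',
                     (file_id, path.rsplit('/', 1)[-1]))
    conn.commit()
    return conn


def build_match_phrase(match_string):
    """The quoting from getFileMatches: drop quotes, wrap the term as one FTS phrase."""
    return '"%s"' % re.sub('["\']', '', match_string)


def get_file_matches(conn, match_string):
    """The original query shape. Nothing is validated, and any OperationalError
    propagates to the CGI layer, where cgitb renders it as the page in the bug."""
    sql = ('SELECT (SELECT path FROM files WHERE id = fts.rowid), fts.basename '
           'FROM fts WHERE fts.basename MATCH ?')
    return [tuple(row) for row in conn.execute(sql, (build_match_phrase(match_string),))]


def validate_search_term(match_string, max_len=256):
    """Reject terms SQLite should never see; raises ValueError with a short reason."""
    if not match_string or len(match_string) > max_len:
        raise ValueError('search term is empty or too long')
    if CONTROL_CHARS.search(match_string):
        raise ValueError('search term contains control characters')
    return match_string


def safe_file_search(conn, match_string):
    """Hardened entry point: returns (error_message or None, rows).

    Validation happens before the database is touched, and a database error is
    mapped to a fixed message so no traceback, path or variable dump leaks."""
    try:
        term = validate_search_term(match_string)
    except ValueError as exc:
        return (str(exc), [])
    try:
        return (None, get_file_matches(conn, term))
    except sqlite3.OperationalError:
        return ('invalid search expression', [])


if __name__ == '__main__':
    index = make_index(SAMPLE_FILES)
    for term in ('error.log', '../../../../etc/passwd', '../../../../etc/passwd\x00'):
        print(repr(term), '->', safe_file_search(index, term))
```

Running the script shows the three cases from the thread: "error.log" finds the constructed error.log basename, "../../../../etc/passwd" is a phrase search for "etc passwd" that matches nothing, and the %00 variant is refused before any SQL runs. The length cap and the control-character check are the two cheapest pieces of validation for a search box; the generic message in the OperationalError branch is what should have replaced the cgitb page.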
Comment 2•11 years ago
Trying the %00 testcase on dxr.allizom.org fails to reproduce the error; the current content on dxr.allizom.org will be replaced with dxr.mozilla.org "shortly", so there's no point fixing it.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Updated•3 years ago
Product: Webtools → Webtools Graveyard