Open redirect vulnerability in support.mozilla.org login page

RESOLVED FIXED

Status

support.mozilla.org
General
RESOLVED FIXED
5 years ago
2 years ago

People

(Reporter: satishb3, Assigned: jsocol)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [site:support.mozilla.org])

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.155 Safari/537.22

Steps to reproduce:

The 'next' parameter in the support.mozilla.org login page has an open redirect vulnerability. This would allow an attacker to redirect the user to a malicious site without the user realizing it.

Steps to reproduce:
1. Go to URL - https://support.mozilla.org/en-US/users/auth?next=//www.google.com
2. Enter the credentials to login. 
3. After login, notice that it redirects the user to a third party website. 
In this case I have redirected to google.com. 
Actual results:

The 'next' parameter's user input is not validated properly.


Expected results:

'next' parameter shouldn't accept direct URLs.
assigning to rforbes for verification
Assignee: nobody → rforbes
Whiteboard: [verif?]
confirmed, this works.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [verif?]
Assignee: rforbes → nobody
(Assignee)

Comment 3

5 years ago
Sorry, I didn't CC the right people on this.

I believe this line is the issue:

https://github.com/mozilla/kitsune/blob/master/apps/sumo/utils.py#L124

Protocol-relative URLs fail the "if parsed_url.scheme" test. Replacing this block with "if not is_safe_url(url): url = None" should work, unless there are reasons to ever accept URLs with hostnames.

The login/logout URL check may or may not be worth keeping (does it even work right now with localized URLs?).

See also bug 847190 in MDN.
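How a scheme-only check lets the protocol-relative `next` value from the report through, next to a host-aware check of the kind Comment 3 proposes switching to. This is an added illustration in plain Python, not kitsune's code and not Django's is_safe_url itself; `SITE_HOST`, the function names and the sample values are assumptions for the example.

```python
from urllib.parse import urlparse

SITE_HOST = "support.mozilla.org"  # assumed: the only host we will redirect to


def is_safe_next_flawed(url):
    """The check described in Comment 3: a value is rejected only when it
    carries an explicit scheme. '//www.google.com' has scheme '' and
    netloc 'www.google.com', so it passes and the browser leaves the site."""
    return not urlparse(url).scheme


def is_safe_next(url, allowed_host=SITE_HOST):
    """Host-aware check in the spirit of Django's is_safe_url: an empty value,
    a non-http(s) scheme, or a netloc other than our own host is rejected."""
    if not url:
        return False
    # Chrome treats a backslash in a path like a slash, so '/\\evil' can act
    # like '//evil'; normalise before parsing.
    url = url.replace("\\", "/")
    # Browsers treat more than two leading slashes as an absolute URL, but
    # urlparse reads '///host' as a path with an empty netloc.
    if url.startswith("///"):
        return False
    parsed = urlparse(url)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False
    # netloc still contains any userinfo and port, so 'host:443@evil' and
    # 'support.mozilla.org.evil.example' both fail the comparison.
    return not parsed.netloc or parsed.netloc == allowed_host


def redirect_target(next_value, checker, default="/"):
    """Where the login view sends the user after a successful login."""
    return next_value if checker(next_value) else default


if __name__ == "__main__":
    # constructed sample values; the first is the one from the bug report
    for sample in ("//www.google.com", "https://www.google.com",
                   "/en-US/home", "https://support.mozilla.org/en-US/home",
                   "/\\www.google.com", "///www.google.com", ""):
        print(repr(sample), "flawed:", redirect_target(sample, is_safe_next_flawed),
              "safe:", redirect_target(sample, is_safe_next))
```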
(Assignee)

Updated

5 years ago
Assignee: nobody → james
(Assignee)

Comment 4

5 years ago
In a pull request: https://github.com/mozilla/kitsune/pull/1237

Nice to be able to hand most of the real work off to a Django utility.
Landed in master in https://github.com/mozilla/kitsune/commit/6fd4384f4551c292c973a144b01231d6119fd7ea
Deployed to production just now.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Whiteboard: [site:support.mozilla.org]
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security