Closed Bug 849480 Opened 11 years ago Closed 11 years ago

Open redirect vulnerability in support.mozilla.org login page

Categories

(support.mozilla.org :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: satishb3, Assigned: jsocol)

Details

(Whiteboard: [site:support.mozilla.org])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.155 Safari/537.22

Steps to reproduce:

The 'next' parameter in the support.mozilla.org login page is vulnerable to an open redirect. This would allow an attacker to redirect the user to a malicious site without the user realizing it.

Steps to reproduce:
1. Go to URL - https://support.mozilla.org/en-US/users/auth?next=//www.google.com
2. Enter the credentials to login.
3. After login, notice that it redirects the user to a third party website.
In this case I have redirected to google.com.

Actual results:

The 'next' parameter is not validating the user input properly.

Expected results:

The 'next' parameter shouldn't accept direct URLs.
assigning to rforbes for verification
Assignee: nobody → rforbes
Whiteboard: [verif?]
Confirmed, this works.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [verif?]
Assignee: rforbes → nobody
Sorry, I didn't CC the right people on this.

I believe this line is the issue:

https://github.com/mozilla/kitsune/blob/master/apps/sumo/utils.py#L124

Protocol-relative URLs fail the "if parsed_url.scheme" test. Replacing this block with "if not is_safe_url(url): url = None" should work, unless there are reasons to ever accept URLs with hostnames.

The login/logout URL check may or may not be worth keeping (does it even work right now with localized URLs?).

See also bug 847190 in MDN.
Assignee: nobody → james
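As an added illustration (not code from the bug or from the kitsune repository), the scheme-only check the comment above describes, beside a host-aware check written in the spirit of the Django utility it recommends. `SITE_HOST`, the function names and the sample URLs are assumptions for the example:

```python
from urllib.parse import urlparse

# Assumption: the host the login page is served from.
SITE_HOST = "support.mozilla.org"


def next_url_vulnerable(url):
    """Mirrors the check described in the bug: drop 'next' only when it carries
    a scheme. '//www.google.com' has no scheme, so the protocol-relative URL
    passes and the browser resolves it against the current scheme."""
    if not url:
        return None
    if urlparse(url).scheme:
        return None
    return url


def next_url_safe(url, allowed_host=SITE_HOST):
    """Hardened check in the spirit of Django's is_safe_url (own implementation,
    not Django's code): accept a path on this site, or an absolute http(s) URL
    whose host is allowed_host; everything else is dropped."""
    if not url:
        return None
    url = url.strip()
    if not url:
        return None
    # Browsers treat backslashes as slashes, so '/\evil.example' is protocol-relative.
    url = url.replace("\\", "/")
    # '///evil.example' parses with an empty netloc but browsers still read a host from it.
    if url.startswith("///"):
        return None
    parsed = urlparse(url)
    # A scheme with no host ('javascript:...', 'data:...') is never a redirect target.
    if parsed.scheme and not parsed.netloc:
        return None
    # Any host other than our own is rejected; this also catches 'user@host' tricks.
    if parsed.netloc and parsed.netloc.lower() != allowed_host:
        return None
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return None
    return url
```

The host comparison is exact, so a port suffix or a localized subdomain would need to be added to the allowed host explicitly.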
In a pull request: https://github.com/mozilla/kitsune/pull/1237

Nice to be able to hand most of the real work off to a Django utility.
Deployed to production just now.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [site:support.mozilla.org]
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security