Closed
Bug 849480
Opened 13 years ago
Closed 13 years ago
Open redirect vulnerability in support.mozilla.org login page
Categories
(support.mozilla.org :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: satishb3, Assigned: jsocol)
Details
(Whiteboard: [site:support.mozilla.org])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.155 Safari/537.22
Steps to reproduce:
The 'next' parameter in the support.mozilla.org login page is vulnerable to open redirect. This would allow an attacker to redirect the user to a malicious site without the user realizing it.
Steps to reproduce:
1. Go to URL - https://support.mozilla.org/en-US/users/auth?next=//www.google.com
2. Enter the credentials to login.
3. After login, notice that it redirects the user to a third party website.
In this case I have redirected to google.com.
Actual results:
'next' parameter is not validating the user input properly.
Expected results:
'next' parameter shouldn't accept direct URLs.
assigning to rforbes for verification
Assignee: nobody → rforbes
Whiteboard: [verif?]
Updated•13 years ago
Whiteboard: [verif?]
Updated•13 years ago
Assignee: rforbes → nobody
Comment 3•13 years ago
Sorry, I didn't CC the right people on this.
I believe this line is the issue:
https://github.com/mozilla/kitsune/blob/master/apps/sumo/utils.py#L124
Protocol-relative URLs fail the "if parsed_url.scheme" test. Replacing this block with "if not is_safe_url(url): url = None" should work, unless there are reasons to ever accept URLs with hostnames.
The login/logout URL check may or may not be worth keeping (does it even work right now with localized URLs?).
See also bug 847190 in MDN.
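The gap described in comment 3, as an added example that is not part of the bug thread and is not kitsune's or Django's code: a scheme-only test lets `//www.google.com` through because the parser reports an empty scheme and puts the host in `netloc`. The function names, the `allowed_host` parameter and the sample values are assumptions made for this illustration.

```python
from urllib.parse import urlparse


def scheme_only_check(url):
    """Weak check as comment 3 describes it: drop the URL only if it has a scheme."""
    return None if urlparse(url).scheme else url


def host_aware_check(url, allowed_host=None):
    """Return url only if it stays on this site; otherwise None.

    allowed_host is a hypothetical parameter for sites that must accept
    absolute URLs pointing at their own hostname.
    """
    if not url:
        return None
    # Normalise the way browsers do before parsing: they ignore surrounding
    # whitespace and treat a backslash as a forward slash.
    candidate = url.strip().replace("\\", "/")
    parsed = urlparse(candidate)
    if parsed.scheme or candidate.startswith("//"):
        # The URL names a host (or tries to): require http(s) or no scheme,
        # and an exact match with the one host we trust.
        same_host = allowed_host is not None and parsed.netloc == allowed_host
        if parsed.scheme not in ("", "http", "https") or not same_host:
            return None
    return url


# Constructed sample values for the login page's 'next' parameter.
SAMPLES = [
    "/en-US/questions",                       # local path
    "//www.google.com",                       # protocol-relative, from the report
    "https://www.google.com/",                # absolute, other host
    "https://support.mozilla.org/en-US/kb",   # absolute, own host
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:42} weak={scheme_only_check(value)!r:22} "
              f"strict={host_aware_check(value, 'support.mozilla.org')!r}")
```

With `allowed_host` left as `None`, every URL that names a host is rejected, which matches the comment's suggestion of never accepting URLs with hostnames.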
Updated•13 years ago
Assignee: nobody → james
Comment 4•13 years ago
In a pull request: https://github.com/mozilla/kitsune/pull/1237
Nice to be able to hand most of the real work off to a Django utility.
Comment 5•13 years ago
Comment 6•13 years ago
Deployed to production just now.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
Whiteboard: [site:support.mozilla.org]
Comment 7•10 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security