Created attachment 724290 [details] Injection - Parameter Tampering.jpg User Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 Build ID: 20110928134238 Steps to reproduce: Hi Team, I \/ w4rri0r \/ have found Injection Attack - HTTP Parameter Tampering Vulnerability in one of the mozilla.org sub-domain i.e bugzilla.mozilla.org Vulnerability Description - The Web / HTTP Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control. The attack success depends on integrity and logic validation mechanism errors, and its exploitation can result in other consequences including XSS, SQL Injection, file inclusion, and path disclosure attacks. For more information - https://www.owasp.org/index.php/Web_Parameter_Tampering PoC URL - https://bugzilla.mozilla.org/bugzilla.mozilla.org%20having%20some%20technical%20issues%20with%20server.%20please%20go%20to%20www.anymaliciousiste.com%20i.e%20bugzilla%20backup%20website.%20Thank%20you%20for%20your%20patience!%20%20It?lang=fr&userid=3&password=ih&rows=20&cols=70 Actual results: From the above PoC URL, Malicious user modifying elements in the URL sent to a Web site in order to obtain unauthorized information. By modifying the arguments (parameters) in the query, the malicious user can navigate the trusted users and retrieve and/or modify its contents. [Enclosed Screen Shot]. Expected results: Prevent to parameters / arguments with on the URL. Proper error and customized 404 error page page should be come.
the fix for this would be for bugzilla to include a custom 404 (and 500?) which doesn't echo the url.
(In reply to Byron Jones ‹:glob› from comment #1) > the fix for this would be for bugzilla to include a custom 404 (and 500?) > which doesn't echo the url. Yup :-) Byron. To prevent this type of attack, should be to display custom 404 page or 500 server error page as well.
confirming that you can turn the 404 page into a spoofing message, but it's not all that convincing without an active link to anymalicioussite.com I don't really see how this is "HTTP Parameter Tampering Vulnerability", it's just a bad 404 message. Somewhat risky to embed web-supplied text in a sentence, it's also hard for localizers. Better to have clear separation between the URL you can't find and the text saying you can't find it. Would also help in this particular case if bugzilla %-encoded whitespace in urls. The url would not be at all spoofy if presented as it is in comment 0. HTTP Parameter Tampering Vulnerability would be if a form presents a few selectable values, but the server accepts the POSTed data without validating that it's one of the choices. For example a purchase page that submits the price based on the quantity times the list price, with the server doing no validation that it's the correct price for that item letting users buy things for one cent if they can tamper with their forms. That's not what's happening here.
Yes Daniel, I agree this is low severity bug and confirm presence of the deficiency. "Parameter Tampering" - ...tampering URL string...as well. If any Mozilla trusted user see this type of message than sure [not all users as tech-savvy] user read message and navigate the anymalicioussite.com. As we know, To prevent this type of attack, should be to display custom 404 page or 500 server error page as well.
This is a "bug" in Apache rather than in Bugzilla itself. That's how Apache displays error messages when there is no custom error page.
I don't want a customized 404 error page upstream, because it may override existing customized ones. glob told me that he will write a custom one for bmo, so moving this bug there.
Committing to: bzr+ssh://firstname.lastname@example.org/bmo/4.2/ modified .htaccess added errors added errors/401.html added errors/403.html added errors/404.html added errors/500.html added images/buggie.png Committed revision 8658.
Is this worth reporting upstream at Apache? Gerv
Gerv, I think YES! It's advisable to Apache.
URL manipulation/spoofing attacks bug is fixed and verified.
bugzilla.redhat.com has also been patched with the same code.
Bounty triage committee has determined that this does not meet bug bounty criteria because it is rated sec-low.