Bug 850546 - [SECURITY] URL manipulation/spoofing attacks or spoofing issue in 404 page.
Status: VERIFIED FIXED
spoof message, URL manipulation
Keywords: sec-low, wsec-other
Product: bugzilla.mozilla.org
Classification: Other
Component: Administration
Version: Production
Platform: All All
Importance: -- minor
Target Milestone: ---
Assigned To: Byron Jones ‹:glob› [PTO until 2016-10-10]
Mentors:
Depends on:
Blocks: 835424
Reported: 2013-03-12 22:56 PDT by w4rri0rgr0up
Modified: 2014-07-01 16:57 PDT (History)
abillings: sec-bounty-
See Also:
Due Date:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
Injection - Parameter Tampering.jpg (79.16 KB, image/jpeg)
2013-03-12 22:56 PDT, w4rri0rgr0up

Description w4rri0rgr0up 2013-03-12 22:56:43 PDT
Created attachment 724290 [details]
Injection - Parameter Tampering.jpg

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Build ID: 20110928134238

Steps to reproduce:

Hi Team, 

I \/ w4rri0r \/ have found an Injection Attack - HTTP Parameter Tampering vulnerability in one of the mozilla.org sub-domains, i.e. bugzilla.mozilla.org.


Vulnerability Description - 
The Web / HTTP Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.


The attack success depends on integrity and logic validation mechanism errors, and its exploitation can result in other consequences including XSS, SQL Injection, file inclusion, and path disclosure attacks.

For more information - https://www.owasp.org/index.php/Web_Parameter_Tampering

PoC URL - 

https://bugzilla.mozilla.org/bugzilla.mozilla.org%20having%20some%20technical%20issues%20with%20server.%20please%20go%20to%20www.anymaliciousiste.com%20i.e%20bugzilla%20backup%20website.%20Thank%20you%20for%20your%20patience!%20%20It?lang=fr&userid=3&password=ih&rows=20&cols=70


Actual results:

From the above PoC URL, a malicious user modifies elements in the URL sent to a Web site in order to obtain unauthorized information. By modifying the arguments (parameters) in the query, the malicious user can navigate trusted users and retrieve and/or modify its contents. [Enclosed screenshot].


Expected results:

Prevent parameters / arguments on the URL.
A proper error and customized 404 error page should come up.
Comment 1 Byron Jones ‹:glob› [PTO until 2016-10-10] 2013-03-12 23:09:56 PDT
the fix for this would be for bugzilla to include a custom 404 (and 500?) which doesn't echo the url.
Comment 2 w4rri0rgr0up 2013-03-12 23:17:23 PDT
(In reply to Byron Jones ‹:glob› from comment #1)
> the fix for this would be for bugzilla to include a custom 404 (and 500?)
> which doesn't echo the url.

Yup :-) Byron. To prevent this type of attack, the fix should be to display a custom 404 page or 500 server error page as well.
Comment 3 Daniel Veditz [:dveditz] 2013-03-12 23:20:38 PDT
confirming that you can turn the 404 page into a spoofing message, but it's not all that convincing without an active link to anymalicioussite.com

I don't really see how this is "HTTP Parameter Tampering Vulnerability", it's just a bad 404 message. Somewhat risky to embed web-supplied text in a sentence, it's also hard for localizers. Better to have clear separation between the URL you can't find and the text saying you can't find it. Would also help in this particular case if bugzilla %-encoded whitespace in urls. The url would not be at all spoofy if presented as it is in comment 0.

HTTP Parameter Tampering Vulnerability would be if a form presents a few selectable values, but the server accepts the POSTed data without validating that it's one of the choices. For example a purchase page that submits the price based on the quantity times the list price, with the server doing no validation that it's the correct price for that item letting users buy things for one cent if they can tamper with their forms. That's not what's happening here.
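The rendering problem comment 3 describes, shown as an added Python example (not code from this thread, from Bugzilla or from Apache): a 404 body that decodes the request path and embeds it in a sentence, beside one that keeps the fixed text and the URL apart and leaves whitespace percent-encoded. The request path is constructed, modelled on the PoC in comment 0 with a reserved example host.

```python
from html import escape
from urllib.parse import quote, unquote

# Constructed request path modelled on the PoC URL in comment 0 (not the
# original; the "backup site" host is a reserved example name).
SPOOF_PATH = ("/bugzilla.mozilla.org%20having%20some%20technical%20issues"
              "%20with%20server.%20please%20go%20to%20www.example.invalid"
              "%20i.e%20bugzilla%20backup%20website.%20Thank%20you!")

# Characters left untouched when re-encoding the path; anything else
# (notably raw spaces and quotes) becomes %XX so the URL cannot read as prose.
_SAFE = "/%?=&:._-~"


def default_style_404(path: str) -> str:
    """404 body in the style the bug complains about: the decoded path sits
    in the middle of a sentence, so attacker-chosen text reads as the
    server's own message."""
    return (f"<p>The requested URL {unquote(path)} was not found on this "
            f"server.</p>")


def safe_404(path: str) -> str:
    """404 body following comment 3: fixed text and the URL live in separate
    elements, the URL stays percent-encoded (spaces remain %20) and is
    HTML-escaped before it is placed in the page."""
    encoded = quote(path, safe=_SAFE)
    return ("<h1>Page not found</h1>"
            "<p>No page exists at the following address:</p>"
            f"<pre>{escape(encoded, quote=True)}</pre>")


def echoes_decoded_path(body: str, path: str) -> bool:
    """Defender-side check for an error page: True when the decoded request
    path (with its %20s turned back into spaces) appears verbatim as readable
    text in the response body, i.e. the page can be used as a spoof message."""
    decoded = unquote(path).strip("/")
    return decoded in body
```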
Comment 4 w4rri0rgr0up 2013-03-12 23:42:18 PDT
Yes Daniel, I agree this is a low-severity bug and confirm the presence of the deficiency.

"Parameter Tampering" - ...tampering URL string...as well.

If any Mozilla trusted user sees this type of message then surely [not all users are as tech-savvy] the user reads the message and navigates to anymalicioussite.com.

As we know, to prevent this type of attack, the fix should be to display a custom 404 page or 500 server error page as well.
Comment 5 Frédéric Buclin 2013-03-13 05:34:47 PDT
This is a "bug" in Apache rather than in Bugzilla itself. That's how Apache displays error messages when there is no custom error page.
Comment 6 Frédéric Buclin 2013-03-13 06:51:23 PDT
I don't want a customized 404 error page upstream, because it may override existing customized ones. glob told me that he will write a custom one for bmo, so moving this bug there.
Comment 7 Byron Jones ‹:glob› [PTO until 2016-10-10] 2013-03-13 07:51:08 PDT
Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.2/
modified .htaccess
added errors
added errors/401.html
added errors/403.html
added errors/404.html
added errors/500.html
added images/buggie.png
Committed revision 8658.
Comment 8 Gervase Markham [:gerv] 2013-03-13 12:53:57 PDT
Is this worth reporting upstream at Apache?

Gerv
Comment 9 w4rri0rgr0up 2013-03-13 22:39:50 PDT
Gerv, I think YES! It's advisable to report it to Apache.
Comment 10 w4rri0rgr0up 2013-03-14 10:23:11 PDT
URL manipulation/spoofing attacks bug is fixed and verified.
Comment 11 mail 2013-03-14 15:42:48 PDT
bugzilla.redhat.com has also been patched with the same code.
Comment 12 Al Billings [:abillings] 2013-03-18 15:07:46 PDT
Bounty triage committee has determined that this does not meet bug bounty criteria because it is rated sec-low.