Closed Bug 850546 Opened 7 years ago Closed 7 years ago
[SECURITY] URL manipulation/spoofing attacks or spoofing issue in 404 page
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 Build ID: 20110928134238 Steps to reproduce: Hi Team, I \/ w4rri0r \/ have found Injection Attack - HTTP Parameter Tampering Vulnerability in one of the mozilla.org sub-domain i.e bugzilla.mozilla.org Vulnerability Description - The Web / HTTP Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control. The attack success depends on integrity and logic validation mechanism errors, and its exploitation can result in other consequences including XSS, SQL Injection, file inclusion, and path disclosure attacks. For more information - https://www.owasp.org/index.php/Web_Parameter_Tampering PoC URL - https://bugzilla.mozilla.org/bugzilla.mozilla.org%20having%20some%20technical%20issues%20with%20server.%20please%20go%20to%20www.anymaliciousiste.com%20i.e%20bugzilla%20backup%20website.%20Thank%20you%20for%20your%20patience!%20%20It?lang=fr&userid=3&password=ih&rows=20&cols=70 Actual results: From the above PoC URL, Malicious user modifying elements in the URL sent to a Web site in order to obtain unauthorized information. By modifying the arguments (parameters) in the query, the malicious user can navigate the trusted users and retrieve and/or modify its contents. [Enclosed Screen Shot]. Expected results: Prevent to parameters / arguments with on the URL. Proper error and customized 404 error page page should be come.
the fix for this would be for bugzilla to include a custom 404 (and 500?) which doesn't echo the url.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to Byron Jones ‹:glob› from comment #1) > the fix for this would be for bugzilla to include a custom 404 (and 500?) > which doesn't echo the url. Yup :-) Byron. To prevent this type of attack, should be to display custom 404 page or 500 server error page as well.
confirming that you can turn the 404 page into a spoofing message, but it's not all that convincing without an active link to anymalicioussite.com I don't really see how this is "HTTP Parameter Tampering Vulnerability", it's just a bad 404 message. Somewhat risky to embed web-supplied text in a sentence, it's also hard for localizers. Better to have clear separation between the URL you can't find and the text saying you can't find it. Would also help in this particular case if bugzilla %-encoded whitespace in urls. The url would not be at all spoofy if presented as it is in comment 0. HTTP Parameter Tampering Vulnerability would be if a form presents a few selectable values, but the server accepts the POSTed data without validating that it's one of the choices. For example a purchase page that submits the price based on the quantity times the list price, with the server doing no validation that it's the correct price for that item letting users buy things for one cent if they can tamper with their forms. That's not what's happening here.
Yes Daniel, I agree this is low severity bug and confirm presence of the deficiency. "Parameter Tampering" - ...tampering URL string...as well. If any Mozilla trusted user see this type of message than sure [not all users as tech-savvy] user read message and navigate the anymalicioussite.com. As we know, To prevent this type of attack, should be to display custom 404 page or 500 server error page as well.
Summary: [SECURITY] Minor spoofing issue in 404 page. → [SECURITY] URL manipulation/spoofing attacks or spoofing issue in 404 page.
Whiteboard: spoof message → spoof message, URL manipulation
This is a "bug" in Apache rather than in Bugzilla itself. That's how Apache displays error messages when there is no custom error page.
Severity: normal → minor
I don't want a customized 404 error page upstream, because it may override existing customized ones. glob told me that he will write a custom one for bmo, so moving this bug there.
Assignee: general → nobody
Component: Bugzilla-General → Administration
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: unspecified → Production
Committing to: bzr+ssh://email@example.com/bmo/4.2/ modified .htaccess added errors added errors/401.html added errors/403.html added errors/404.html added errors/500.html added images/buggie.png Committed revision 8658.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Is this worth reporting upstream at Apache? Gerv
Gerv, I think YES! It's advisable to Apache.
URL manipulation/spoofing attacks bug is fixed and verified.
Status: RESOLVED → VERIFIED
bugzilla.redhat.com has also been patched with the same code.
Bounty triage committee has determined that this does not meet bug bounty criteria because it is rated sec-low.
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.