[SECURITY] URL manipulation/spoofing attacks or spoofing issue in 404 page.

Status: VERIFIED FIXED
Product: bugzilla.mozilla.org
Component: Administration
Priority: --
Severity: minor
Reported: 5 years ago
Modified: 3 years ago

People

(Reporter: w4rri0rgr0up, Assigned: glob)

Tracking

(Blocks: 1 bug, {sec-low, wsec-other})

Version: Production
Keywords: sec-low, wsec-other
Bug Flags: sec-bounty -

Details

(Whiteboard: spoof message, URL manipulation)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 724290: Injection - Parameter Tampering.jpg

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Build ID: 20110928134238

Steps to reproduce:

Hi Team, 

I / w4rri0r / have found an Injection Attack - HTTP Parameter Tampering Vulnerability in one of the mozilla.org sub-domains, i.e. bugzilla.mozilla.org


Vulnerability Description - 
The Web / HTTP Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.


The attack success depends on integrity and logic validation mechanism errors, and its exploitation can result in other consequences including XSS, SQL Injection, file inclusion, and path disclosure attacks.

For more information - https://www.owasp.org/index.php/Web_Parameter_Tampering

PoC URL - 

https://bugzilla.mozilla.org/bugzilla.mozilla.org%20having%20some%20technical%20issues%20with%20server.%20please%20go%20to%20www.anymaliciousiste.com%20i.e%20bugzilla%20backup%20website.%20Thank%20you%20for%20your%20patience!%20%20It?lang=fr&userid=3&password=ih&rows=20&cols=70


Actual results:

From the above PoC URL, a malicious user modifies elements in the URL sent to a web site in order to obtain unauthorized information. By modifying the arguments (parameters) in the query, the malicious user can navigate the trusted users and retrieve and/or modify its contents. [Enclosed screenshot].


Expected results:

Prevent parameters / arguments on the URL.
A proper error and a customized 404 error page should come up.
(Assignee)

Comment 1

5 years ago
the fix for this would be for bugzilla to include a custom 404 (and 500?) which doesn't echo the url.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 2

5 years ago
(In reply to Byron Jones ‹:glob› from comment #1)
> the fix for this would be for bugzilla to include a custom 404 (and 500?)
> which doesn't echo the url.

Yup :-) Byron. To prevent this type of attack, the fix should be to display a custom 404 page or 500 server error page as well.

Comment 3

confirming that you can turn the 404 page into a spoofing message, but it's not all that convincing without an active link to anymalicioussite.com

I don't really see how this is "HTTP Parameter Tampering Vulnerability", it's just a bad 404 message. Somewhat risky to embed web-supplied text in a sentence, and it's also hard for localizers. Better to have clear separation between the URL you can't find and the text saying you can't find it. Would also help in this particular case if bugzilla %-encoded whitespace in urls. The url would not be at all spoofy if presented as it is in comment 0.

HTTP Parameter Tampering Vulnerability would be if a form presents a few selectable values, but the server accepts the POSTed data without validating that it's one of the choices. For example a purchase page that submits the price based on the quantity times the list price, with the server doing no validation that it's the correct price for that item letting users buy things for one cent if they can tamper with their forms. That's not what's happening here.
Flags: sec-bounty?
Keywords: sec-low, wsec-other
Summary: [SECURITY] Injection - HTTP Parameter Tampering Vulnerability -bugzilla.mozilla.org → [SECURITY] Minor spoofing issue in 404 page.
Whiteboard: spoof message
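Added example (not Bugzilla's, bmo's or Apache's code): the contrast drawn in comment 3 in Python, a default-style 404 that drops the decoded request path into a sentence, beside one that percent-encodes the path and keeps it in its own element, plus the fully static page proposed in comment 1. The sample path is constructed from the PoC URL in comment 0; the function names and the fixed sentence are assumptions.

```python
import html
from urllib.parse import quote

# Constructed sample input: the request path from the bug's PoC URL as the
# server sees it after percent-decoding (the %20s are spaces again).
SAMPLE_PATH = ("/bugzilla.mozilla.org having some technical issues with server. "
               "please go to www.anymaliciousiste.com i.e bugzilla backup website. "
               "Thank you for your patience!  It")

FIXED_SENTENCE = "The page you asked for does not exist on this server."


def render_404_echoing(path: str) -> str:
    """Default-style 404 page: the decoded path sits in the middle of a
    sentence, so a path made of words reads as a message from the site
    (the behaviour the bug reports, reproduced only for comparison)."""
    return ("<h1>Not Found</h1>\n<p>The requested URL " + path +
            " was not found on this server.</p>")


def render_404_separated(path: str) -> str:
    """Hardened 404 page that still shows the path: whitespace and other
    non-URL characters are percent-encoded so the path cannot form a
    sentence, the result is HTML-escaped, and it is placed in its own
    <code> element after a fixed sentence rather than inside one."""
    encoded = quote(path, safe="/")
    return ("<h1>Not Found</h1>\n<p>" + FIXED_SENTENCE + "</p>\n"
            "<p>Requested path:</p>\n<code>" + html.escape(encoded) + "</code>")


def render_404_static() -> str:
    """The page comment 1 asks for: a custom 404 that never echoes the URL,
    so the response carries no attacker-controlled text at all."""
    return "<h1>Not Found</h1>\n<p>" + FIXED_SENTENCE + "</p>"


def echoes_decoded_path(body: str, path: str) -> bool:
    """Check a 404 body the way a tester would: does the decoded
    (space-containing) path appear verbatim anywhere in the response?"""
    return path in body


if __name__ == "__main__":
    for name, body in (("echoing", render_404_echoing(SAMPLE_PATH)),
                       ("separated", render_404_separated(SAMPLE_PATH)),
                       ("static", render_404_static())):
        print(f"{name}: echoes decoded path = {echoes_decoded_path(body, SAMPLE_PATH)}")
        print(body, end="\n\n")
```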
(Reporter)

Comment 4

5 years ago
Yes Daniel, I agree this is a low severity bug and confirm the presence of the deficiency.

"Parameter Tampering" - ...tampering URL string...as well.

If any Mozilla trusted user sees this type of message then surely [not all users are tech-savvy] the user reads the message and navigates to anymalicioussite.com.

As we know, to prevent this type of attack, the fix should be to display a custom 404 page or 500 server error page as well.
(Reporter)

Updated

5 years ago
Summary: [SECURITY] Minor spoofing issue in 404 page. → [SECURITY] URL manipulation/spoofing attacks or spoofing issue in 404 page.
Whiteboard: spoof message → spoof message, URL manipulation

Comment 5

5 years ago
This is a "bug" in Apache rather than in Bugzilla itself. That's how Apache displays error messages when there is no custom error page.
Severity: normal → minor

Comment 6

5 years ago
I don't want a customized 404 error page upstream, because it may override existing customized ones. glob told me that he will write a custom one for bmo, so moving this bug there.
Assignee: general → nobody
Component: Bugzilla-General → Administration
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: unspecified → Production
(Assignee)

Updated

5 years ago
Assignee: nobody → glob

Updated

5 years ago
Blocks: 835424
(Assignee)

Comment 7

5 years ago
Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.2/
modified .htaccess
added errors
added errors/401.html
added errors/403.html
added errors/404.html
added errors/500.html
added images/buggie.png
Committed revision 8658.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Comment 8

Is this worth reporting upstream at Apache?

Gerv
(Reporter)

Comment 9

5 years ago
Gerv, I think YES! It's advisable to report it to Apache.
(Assignee)

Updated

5 years ago
Group: bugzilla-security
(Reporter)

Comment 10

5 years ago
The URL manipulation/spoofing attacks bug is fixed and verified.
Status: RESOLVED → VERIFIED

Comment 11

5 years ago
bugzilla.redhat.com has also been patched with the same code.
Bounty triage committee has determined that this does not meet bug bounty criteria because it is rated sec-low.
Flags: sec-bounty? → sec-bounty-

Updated

3 years ago
See Also: → bug 1033068