Closed Bug 964099 Opened 11 years ago Closed 11 years ago

Root Access to internal sub domain

Categories

(Websites :: other.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: abhijeth0423, Unassigned)

Details

(Keywords: reporter-external)

Attachments

(1 file)

2.01 KB, image/svg+xml
User Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36

Steps to reproduce:

Hi team, I was running through your subdomains and was trying to find out whether you had left any internal subdomain open to public access which should not have been exposed. As expected, I could reach one of your subdomains, wherein I found a few of your developer files, and I also had root access to the webpage.

Actual results:

As a result I could gain root access to https://bzr-zlb.vips.scl3.mozilla.com. I have googled the above domain and realized that it is not publicly exposed, nor should it have been. However, I did not download any code or any files (FYR, you can trace my IP if required). This is a security bug I would like to report.

Expected results:

This subdomain should never be exposed to the public. It should rather give a 404 error or a message saying we are unauthorized to view.

This is just the vip for https://bzr.mozilla.org/. There's nothing sensitive here. It's all public.
Group: websites-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Component: Your Web → other.mozilla.org
Flags: sec-bounty-
Priority: P1 → --
Resolution: --- → INVALID
Thanks for the confirmation.
Attached image Test