Closed Bug 1753838 (CVE-2022-0637) Opened 2 years ago Closed 2 years ago

Open redirect Vulnerability on pollbot.services.mozilla.com & pollbot.stage.mozaws.net leads to trick users.

Categories

(Release Engineering :: General, defect)

Other
Other
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: sampritdas0, Assigned: gbrown)

References

Details

(Keywords: sec-moderate, wsec-redirect)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36

Steps to reproduce:

Severity:- Medium (Score:- 5)

Vulnerable URL:- https://pollbot.services.mozilla.com

Description:-

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain

Step to reproduce:-

  1. Open https://pollbot.services.mozilla.com/v1/ on any browser

  2. Then replace /v1/ with /%0a/evil.com/projectX.htm/

  3. So now the final URL will be https://pollbot.services.mozilla.com/%0a/evil.com/projectX.htm/. Send it to any victim; when they click on it, it will redirect to www.evil.com/projectX.htm

Impact:-

URL redirection or unvalidated open redirects are usually used with phishing attacks or in malware delivery; they may confuse the end user about which site they are visiting.

  1. Attackers could redirect victims to vulgar sites such as porn sites, which can degrade the reputation of your site, as the redirection happened from your domain.

  2. Attackers could deliver malware or phishing pages in the name of your website and hence can steal user credentials.

As the front part of the URL is legitimate, an attacker can easily convince users to click on a maliciously crafted link, and hence could easily target users of pollbot.services.mozilla.com

Actual results:

The application is not validating domains after /%0a/ and this leads to an open redirect.

Video POC is attached below.

Reference:-

https://hackerone.com/reports/753399
https://hackerone.com/reports/692154
https://hackerone.com/reports/504751

Mitigation:-

https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

Expected results:

The application should not redirect the user to the malicious domain
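A leading %0a matters here because browsers strip ASCII tab and newline from a URL before parsing it, so a redirect target of `/\n/evil.com/` is read as the protocol-relative `//evil.com/`. The following is an added example, not PollBot's own code (function names are mine), of validating a redirect target as a same-origin path along the lines of the OWASP cheat sheet the reporter links:

```python
from urllib.parse import unquote, urlsplit

# Characters the WHATWG URL parser silently removes from any URL before
# parsing it. A server that reflects a decoded path into a Location header
# without re-encoding them lets "/\n/evil.com/" become "//evil.com/".
_STRIPPED = "\t\n\r"


def browser_normalize(url: str) -> str:
    """Apply the WHATWG 'remove ASCII tab or newline' step to a raw URL."""
    return url.translate({ord(c): None for c in _STRIPPED})


def is_safe_local_redirect(target: str) -> bool:
    """Accept only same-origin absolute paths such as '/', '/v1/', '/p?x=1'.

    The target is percent-decoded and normalized the way a browser would
    normalize it, then rejected if it still carries a scheme or a host
    (including the protocol-relative forms '//host' and '/\\host').
    """
    decoded = browser_normalize(unquote(target))
    # Any remaining control character is a sign of header injection.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False
    if not decoded.startswith("/"):
        return False
    # Browsers treat both of these as the start of a new authority.
    if decoded.startswith("//") or decoded.startswith("/\\"):
        return False
    parts = urlsplit(decoded)
    return parts.scheme == "" and parts.netloc == ""


def redirect_location(target: str, fallback: str = "/") -> str:
    """Value to place in a Location header: the target if safe, else fallback."""
    return target if is_safe_local_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed inputs: the payload shape from the report beside benign paths.
    for t in ("/v1/", "/%0a/evil.com/projectX.htm/", "//evil.com/", "/%2F%2Fevil.com/"):
        print(f"{t!r:40} -> {redirect_location(t)!r}")
```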

Group: cloud-services-security → releng-security
Product: Location → Release Engineering
QA Contact: aki
Summary: Open redirect Vulnerability on asus.com leads to trick users. → Open redirect Vulnerability on pollbot.services.mozilla.com leads to trick users.

This bug should be enough to route to the people who can triage and fix the issue. If you are asking about the bug bounty program, please review https://www.mozilla.org/en-US/security/, and perhaps email this bug reference to security@mozilla.org.

Flags: needinfo?(sampritdas0)

(In reply to John Whitlock [:jwhitlock] from comment #4)

This bug should be enough to route to the people who can triage and fix the issue. If you are asking about the bug bounty program, please review https://www.mozilla.org/en-US/security/, and perhaps email this bug reference to security@mozilla.org.

Yes, I was asking about the bug bounty program. Should I make a new report, or share the report ID with them?

Regards,
Samprit Das

Flags: needinfo?(sampritdas0)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty?
Keywords: wsec-redirect

Hello Samprit,

Thank you for your report.

I have added the necessary flag to consider this bug in our web bug bounty program. For future reference, please use the bug bounty form when opening bugs: https://bugzilla.mozilla.org/form.web.bounty

I was able to reproduce the issue using https://pollbot.services.mozilla.com/%0A/duckduckgo.com/; note that the URL needs to end in / for the redirection to work.

Thanks,
Frida

Hello :aki:,

Can you please confirm whether this service is still in use and where so we can assess the impact?

Thanks,
Frida

Flags: needinfo?(aki)

(In reply to Frida Kiriakos [:frida] from comment #6)

Hello Samprit,

Thank you for your report.

I have added the necessary flag to consider this bug in our web bug bounty program. For future reference, please use the bug bounty form when opening bugs: https://bugzilla.mozilla.org/form.web.bounty

I was able to reproduce the issue using https://pollbot.services.mozilla.com/%0A/duckduckgo.com/; note that the URL needs to end in / for the redirection to work.

Thanks,
Frida

Hello Frida,

Thanks for the information, I will do that next time. Frida, I have found the same vulnerability on another domain: simply open https://pollbot.stage.mozaws.net/%0A/duckduckgo.com/ and you will see that you get redirected to duckduckgo.com.

Regards,
Samprit Das

Flags: needinfo?(sampritdas0)

pollbot is used by https://github.com/mozilla/delivery-dashboard/, which in turn is used by Release Management. I don't know if there are other clients.

Assignee: nobody → gbrown
Flags: needinfo?(aki)

Fixed in pollbot 1.4.6, now deployed to both https://pollbot.stage.mozaws.net and https://pollbot.services.mozilla.com.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Hello Team,

As the vulnerability is fixed, and as I can see at https://nvd.nist.gov/vuln/detail/CVE-2021-21354 that pollbot allows registering a CVE for fixed vulnerabilities based on its version, can you register a CVE with my name for this fixed vulnerability?

And also, team, can you please tell me whether this report will be eligible for a reward?

Regards,
Samprit Das

Flags: needinfo?(sampritdas0)

Hello Samprit,

We will get back to you regarding registering a CVE.

Regarding the bounty, we meet on a weekly basis to discuss bounty awards so hopefully we will get back to you by next week.

Thanks,
Frida

Hi Samprit: we will be adding you to our Hall of Fame and assigning a CVE for this bug (like bug 1694684). It is not eligible for a cash bounty, however.

Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-
See Also: → CVE-2021-21354

(In reply to Daniel Veditz [:dveditz] from comment #14)

Hi Samprit: we will be adding you to our Hall of Fame and assigning a CVE for this bug (like bug 1694684). It is not eligible for a cash bounty, however.

Hello Daniel Veditz,

Thanks for the information. Please add my name as Samprit Das with my LinkedIn profile, https://www.linkedin.com/in/samprit-das-9805831a2, for the Hall of Fame as well as for the CVE.

Regards,
Samprit Das

Flags: needinfo?(sampritdas0)

CVE assigned; dropping you a ni to capture this for MITRE

Alias: CVE-2022-0637
Flags: needinfo?(dveditz)

Geoff: we need someone to create a GitHub advisory for this issue like https://github.com/mozilla/PollBot/security/advisories/GHSA-jhgx-wmq8-jc24, except reference this bug and CVE-2022-0637. Can you do that and post the link back here, or find someone who can? Looks like the previous one was created by bhearsum

Flags: needinfo?(gbrown)

(In reply to Geoff Brown [:gbrown] from comment #21)

https://github.com/mozilla/PollBot/security/advisories/GHSA-vg27-hr3v-3cqv

Hello Geoff Brown,

If possible, can you please mention me on the advisory like this one: https://github.com/keystonejs/keystone/security/advisories/GHSA-hrgx-7j6v-xj82
Here are my GitHub and LinkedIn usernames:

https://github.com/sampritdas8
https://www.linkedin.com/in/samprit-das-9805831a2/

Thank you,
Samprit Das

Flags: needinfo?(sampritdas0) → needinfo?(gbrown)

Advisory updated with thanks. Thanks again.

Flags: needinfo?(gbrown)

(In reply to Geoff Brown [:gbrown] from comment #23)

Advisory updated with thanks. Thanks again.

Hello Geoff Brown,

My name is still not showing on the advisory; can you please confirm it from your side?

Regards,
Samprit Das

Flags: needinfo?(gbrown)
Group: releng-security

It's in the comment, near the bottom of the page: "Thanks to Samprit Das (@sampritdas8) for discovering and reporting this vulnerability."

Flags: needinfo?(gbrown)

(In reply to Geoff Brown [:gbrown] from comment #25)

It's in the comment, near the bottom of the page: "Thanks to Samprit Das (@sampritdas8) for discovering and reporting this vulnerability."

Hello Geoff Brown,

Actually, the advisory comment https://github.com/mozilla/PollBot/security/advisories/GHSA-vg27-hr3v-3cqv#advisory-comment-70908
is not showing publicly, so I am not able to see it, but I got a mail from GitHub that you have mentioned me. If possible, can you make the comment public?

Thanks,
Samprit Das

Flags: needinfo?(gbrown)

I couldn't find a way to make the comment public, but I noticed "Credits" and added you there. Sorry, this is my first github security advisory; hopefully this does it!

Flags: needinfo?(gbrown)

(In reply to Geoff Brown [:gbrown] from comment #27)

I couldn't find a way to make the comment public, but I noticed "Credits" and added you there. Sorry, this is my first github security advisory; hopefully this does it!

No problem, and thanks. I have accepted the "Credits" and now my name is visible.

Flags: needinfo?(gbrown)

Hello Daniel Veditz,

Can you please tell me when the Description and References are going to be added at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0637?

Regards,
Samprit Das

Flags: needinfo?(gbrown)
Summary: Open redirect Vulnerability on pollbot.services.mozilla.com leads to trick users. → Open redirect Vulnerability on pollbot.services.mozilla.com & pollbot.stage.mozaws.net leads to trick users.
Severity: -- → S1
Priority: -- → P1
Severity: S1 → S2
Priority: P1 → --
Priority: -- → P2
OS: Unspecified → Other
Hardware: Unspecified → Other

Hello Tom,

It's been more than 2 months since the CVE was assigned to my report and the fix was deployed, but the Description and References have not been updated at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0637. Can you please tell me the estimated date for the update of the Description and References?

Regards,
Samprit Das

Flags: needinfo?(tom)
Flags: needinfo?(tom)
Flags: needinfo?(dveditz)
Severity: S2 → --
Flags: needinfo?(dveditz)
Priority: P2 → --

Hello Daniel,

It is going to be 3 months since the CVE was assigned to my report and the fix was deployed, but the Description and References have not been updated at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0637. Can you please tell me the estimated date for the update of the Description and References?

Regards,
Samprit Das

And what about the hall of fame?

Keywords: sec-moderate

(In reply to Samprit Das from comment #33)

And what about the hall of fame?

You are listed in the first quarter of 2022: https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/#year-2022

The CVE information has been submitted, but the CVE group is changing their format and I don't know yet if it's accepted.

Flags: needinfo?(dveditz)

CVE-2022-0637 is published.