Closed Bug 1694684 (CVE-2021-21354) Opened 3 years ago Closed 3 years ago

open redirect in [pollbot.services.mozilla.com]

Categories: Release Engineering :: General, defect
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: sydaslam297, Assigned: bhearsum
Details: Keywords: wsec-redirect, Whiteboard: [reporter-external] [web-bounty-form]

Summary:
There is an open redirection vulnerability in the path of:

https://pollbot.services.mozilla.com/

Description:
An attacker can redirect anyone to malicious sites.

Steps To Reproduce:
Type in this URL:

https://pollbot.services.mozilla.com//evil.com/
As you can see, it redirects to that website when you inject this payload:

//evil.com/
evil.com was used as an example, but this could be any website. Note: the // is the bypass.

Supporting Material/References:
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

Impact

Attackers can serve malicious websites that steal passwords or download ransomware to their victim's machine due to a redirect, and there are a heap of other attack vectors.

Flags: sec-bounty?
Type: task → defect
Keywords: wsec-redirect
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form]
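Added example for readers of this bug; it is not PollBot's code and is not taken from the advisory. It shows why the reporter's "//evil.com/" payload gets past a naive "starts with /" test (a browser reads "//host/" as a scheme-relative URL, so Location: //evil.com/ on an https page lands on https://evil.com/) and what a same-origin check looks like. The function names (naive_is_local, is_safe_local_path, resolve_redirect) and the sample targets are assumptions made for the illustration; only the origin comes from the bug.

```python
# Added example for bug 1694684; not PollBot's code. Function names below
# are assumptions made for this illustration.
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Origin taken from the bug; any target we redirect to must stay on it.
ORIGIN = "https://pollbot.services.mozilla.com"


def naive_is_local(target: str) -> bool:
    """The check the "//" payload bypasses: "starts with '/', so it is ours".

    "//evil.com/" starts with "/" and passes, but browsers treat it as a
    scheme-relative URL and follow it off-site.
    """
    return target.startswith("/")


def is_safe_local_path(target: str) -> bool:
    """Accept only a path (plus optional query) on our own origin.

    Rejects: absolute URLs (scheme or host present), scheme-relative
    "//host", backslash variants ("/\\evil.com") that browsers normalise
    to "/", and control characters that could split the Location header.
    """
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # WHATWG URL parsing turns "\" into "/" in the scheme/authority part,
    # so normalise before inspecting.
    normalized = target.replace("\\", "/")
    # Exactly one leading slash: "//..." and "///..." are host-relative.
    if not normalized.startswith("/") or normalized.startswith("//"):
        return False
    parts = urlsplit(normalized)
    # Any scheme or netloc means the target left our origin.
    return not parts.scheme and not parts.netloc


def resolve_redirect(target: str, origin: str = ORIGIN) -> Optional[str]:
    """Return the absolute same-origin URL for Location, or None to refuse.

    The scheme and host always come from our own origin, never from the
    input, so the redirect destination is out of attacker control.
    """
    if not is_safe_local_path(target):
        return None
    parts = urlsplit(target.replace("\\", "/"))
    base = urlsplit(origin)
    return urlunsplit((base.scheme, base.netloc, parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample targets: the reporter's payload, a few variants,
    # and two legitimate in-app paths.
    samples = [
        "//evil.com/",
        "/\\evil.com/",
        "///evil.com",
        "https://evil.com/",
        "/dashboard?release=86.0",
        "/",
    ]
    for t in samples:
        print(f"{t!r:26} naive={naive_is_local(t)!s:5} "
              f"safe={is_safe_local_path(t)!s:5} -> {resolve_redirect(t)}")
```

Running the block prints one line per sample: every off-site form is accepted by naive_is_local and refused by is_safe_local_path, while the two in-app paths are rebuilt onto the pollbot origin. The check is deliberately an allow-list on shape (one leading slash, no scheme, no host) rather than a block-list of known bad prefixes.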

Confirmed the PoC. Thank you for the report.

:bhearsum - Are you the correct person to contact for pollbot issues?

Flags: needinfo?(bhearsum)

(In reply to AJ Bahnken [:ajvb] from comment #1)

> Confirmed the PoC. Thank you for the report.
>
> :bhearsum - Are you the correct person to contact for pollbot issues?

Yes

Group: releng-security
Component: Other → General
Flags: needinfo?(bhearsum)
Product: Websites → Release Engineering
QA Contact: mtabara
Depends on: 1695673

Fix is on master, verified on stage. Should be deployed to prod today (see https://bugzilla.mozilla.org/show_bug.cgi?id=1695673)

This is fixed in prod now, thank you very much for reporting it! I ended up opening a Github Security Advisory for it (mostly so I could play around with them). Here's a link to that, for posterity: https://github.com/mozilla/PollBot/security/advisories/GHSA-jhgx-wmq8-jc24

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

Thank you for your fast response!

Is it eligible for HOF?

(In reply to Eslam Sayed from comment #5)

> Thank you for your fast response!
>
> Is it eligible for HOF?

Hi Eslam, yes the bounty committee will meet in the next couple weeks to decide on HoF.

Can verify I get a 404 now:

curl -w '\n' -k 'https://pollbot.services.mozilla.com//evil.com'
{"status": 404, "message": "Page '//evil.com' not found"}
Status: RESOLVED → VERIFIED
Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-
Group: releng-security, websites-security
See Also: → CVE-2022-0637

(In reply to Daniel Veditz [:dveditz] from comment #8)

> This was assigned CVE-2021-21354

Hello Daniel,

Can you add credit for me on the GitHub advisory page?

Here's my GitHub account link:
https://github.com/eslamXxX156

Thank you

Regards.

Flags: needinfo?(dveditz)

> Can you add credit for me on the GitHub advisory page?

I cannot, but Ben should be able to (see comment 4)

Assignee: nobody → bhearsum
Flags: needinfo?(dveditz) → needinfo?(bhearsum)

(In reply to Daniel Veditz [:dveditz] from comment #10)

> > Can you add credit for me on the GitHub advisory page?
>
> I cannot, but Ben should be able to (see comment 4)

I no longer have access to this repo. Geoff should be able to do it.

Flags: needinfo?(bhearsum) → needinfo?(gbrown)

I recently added Credits for a Pollbot security advisory, but I find I cannot update this one: The "Update security advisory" button remains disabled for me even after adding the requested user.

https://docs.github.com/en/code-security/repository-security-advisories/editing-a-repository-security-advisory says "Only the creator of the advisory can credit you, ..."

Flags: needinfo?(gbrown)

(In reply to Geoff Brown [:gbrown] from comment #12)

> I recently added Credits for a Pollbot security advisory, but I find I cannot update this one: The "Update security advisory" button remains disabled for me even after adding the requested user.
>
> https://docs.github.com/en/code-security/repository-security-advisories/editing-a-repository-security-advisory says "Only the creator of the advisory can credit you, ..."

I hit this too -- it turns out it wanted one of the other fields to be filled out as well.

The credit should be updated now.
