Open Bug 1120074 Opened 9 years ago Updated 9 years ago

Bugzilla doesn't prevent local links to be used to log in

Categories

(Bugzilla :: User Accounts, defect)

defect
Not set
minor

UNCONFIRMED

People

(Reporter: netfuzzerr, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2267.0 Safari/537.36

Steps to reproduce:

Hi,

CSRF in login is still possible if a user clicks on a link which is hosted in Bugzilla's main domain, then while doing the login the page will check the 'referer' header.

Reproduce:
1. Go to https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=24457 while YOU ARE NOT LOGGED IN LANDFILL
2. After that, click on the link on the bug's title.
3. Notice that you're now logged in to landfill.

Cheers,

This is not a cross-site vulnerability as the link you click must belong to the same domain as Bugzilla itself. This isn't a security bug either as we explicitly whitelist local URLs:

  # Else falls back to the Referer header and accept local URLs.

Assignee: general → user-accounts
Group: bugzilla-security
Severity: normal → minor
Component: Bugzilla-General → User Accounts
Summary: csrf login still possible if clicked from a bug → Bugzilla doesn't prevent local links to be used to log in

Updates?

(In reply to Mario Gomes from comment #2)
> Updates?

Updates on what exactly? Do you have a specific question? Generally speaking: Nothing has happened here yet, otherwise it would be written in this task. :)
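
The Referer fallback described in the first reply above, sketched as an added Python illustration (not Bugzilla's code; the token scheme, function names and sample requests are assumptions constructed here). A Referer on the same install is accepted without a token, a cross-site or look-alike Referer is not, and a token-only mode rejects the local link as well.

```python
# Added illustration, not Bugzilla's code. The token scheme, function names and
# sample requests are constructed for this example.
import hashlib
import hmac
from urllib.parse import urlsplit

URLBASE = "https://landfill.bugzilla.org/bugzilla-tip/"  # install URL from the report
SECRET = b"constructed-demo-secret"  # placeholder server-side secret


def login_token(cookie_value: str) -> str:
    """Token bound to a pre-login cookie (hypothetical scheme)."""
    return hmac.new(SECRET, cookie_value.encode(), hashlib.sha256).hexdigest()


def is_local(referer: str) -> bool:
    """True when the Referer has the same scheme, host and path prefix as URLBASE."""
    ref, base = urlsplit(referer or ""), urlsplit(URLBASE)
    return ((ref.scheme, ref.netloc.lower()) == (base.scheme, base.netloc.lower())
            and ref.path.startswith(base.path))


def accept_login(token, cookie, referer, referer_fallback=True) -> bool:
    """Check the token first; optionally fall back to accepting local Referers."""
    if token and cookie and hmac.compare_digest(token, login_token(cookie)):
        return True
    return referer_fallback and is_local(referer)


# Constructed requests: (description, token, cookie, Referer)
REQUESTS = [
    ("login form with valid token", login_token("c1"), "c1", URLBASE + "index.cgi"),
    ("link clicked on a local bug page", None, None, URLBASE + "show_bug.cgi?id=24457"),
    ("link clicked on another site", None, None, "https://other.example/page"),
    ("look-alike host", None, None,
     "https://landfill.bugzilla.org.other.example/bugzilla-tip/"),
]


def decisions(referer_fallback: bool) -> list:
    """Accept/reject decision for every constructed request."""
    return [accept_login(t, c, r, referer_fallback) for _, t, c, r in REQUESTS]


if __name__ == "__main__":
    for (desc, *_), lax, strict in zip(REQUESTS, decisions(True), decisions(False)):
        print(f"{desc:35} fallback={lax!s:5} token-only={strict}")
```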