Bug 1120074 - Bugzilla doesn't prevent local links to be used to log in
Status: UNCONFIRMED
Product: Bugzilla
Classification: Server Software
Component: User Accounts
Version: 5.1
Hardware: All / OS: All
Importance: -- minor
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
QA Contact: default-qa
Reported: 2015-01-10 03:52 PST by Mario Gomes"''><IMG SRC=xx:x onerror=prompt();>
Modified: 2015-08-20 07:12 PDT


Attachments
bugzilla-poc.html (233 bytes, text/html), 2015-08-20 07:12 PDT, Mario Gomes"''><IMG SRC=xx:x onerror=prompt();>

Description: Mario Gomes"''><IMG SRC=xx:x onerror=prompt();> 2015-01-10 03:52:47 PST
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2267.0 Safari/537.36

Steps to reproduce:

Hi,

CSRF in login is still possible if a user clicks on a link which is hosted on Bugzilla's main domain; then, while doing the login, the page will check the 'referer' header.

Reproduce:
1. Go to https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=24457 while YOU ARE NOT LOGGED IN to landfill.
2. After that, click on the link in the bug's title.
3. Notice that you're now logged in to landfill.

Cheers,
Comment 1: Frédéric Buclin 2015-01-10 06:44:12 PST
This is not a cross-site vulnerability as the link you click must belong to the same domain as Bugzilla itself. This isn't a security bug either as we explicitly whitelist local URLs:

  # Else falls back to the Referer header and accept local URLs.
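An illustration of the Referer fallback Comment 1 describes, added here as an example and not Bugzilla's own code: a login request is accepted on a valid token, or otherwise only when the Referer points inside the installation's own URL base. URLBASE, referer_is_local and login_request_accepted are names chosen for this example; the base URL is taken from the landfill address in the report.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the installation's URL base (from the report's landfill URL).
URLBASE = "https://landfill.bugzilla.org/bugzilla-tip/"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port, path) for url, or None if it cannot be parsed."""
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower(),
            port or _DEFAULT_PORTS[parts.scheme], parts.path)


def referer_is_local(referer, urlbase=URLBASE):
    """True only when referer lies inside urlbase: same scheme, host and port,
    and a path below the base path. Missing, cross-site, userinfo tricks
    (https://host@evil/), non-http schemes and malformed values all fail."""
    if not referer:
        return False
    ref, base = _origin(referer), _origin(urlbase)
    if ref is None or base is None:
        return False
    return ref[:3] == base[:3] and ref[3].startswith(base[3])


def login_request_accepted(token_valid, referer):
    """Token first; the Referer check is only the fallback the comment describes.

    Because the site itself hosts user-supplied links (the report's step 2),
    a local Referer proves much less than a valid token does."""
    return True if token_valid else referer_is_local(referer)
```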
Comment 2: Mario Gomes"''><IMG SRC=xx:x onerror=prompt();> 2015-04-23 14:52:28 PDT
Updates?
Comment 3: Andre Klapper 2015-04-23 15:22:43 PDT
(In reply to Mario Gomes from comment #2)
> Updates?

Updates on what exactly? Do you have a specific question? Generally speaking: Nothing has happened here yet, otherwise it would be written in this task. :)
Comment 4: Mario Gomes"''><IMG SRC=xx:x onerror=prompt();> 2015-08-20 07:12:39 PDT (comment hidden as spam)