301058 - session-id must not be guessable

Status: RESOLVED DUPLICATE of bug 119524

(Bugzilla :: User Accounts, defect)

Description

[Hendrik Brummermann]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)

It is possible to get access to the session of other users because the content
of Bugzilla_logincookie is easily guessable.

On login Bugzilla create a new row in logincookies containing an auto
incremented cookie (number), the userid and ipaddress. The first two parameter
are store in cookies named Bugzilla_logincookie and Bugzilla_login.

The ip-address does not provide any protection, if Bugzilla is setup behind a
reversed proxy. There are at least two large ISP in this area which force their
customers to use a proxy for all connections to port 80 and 443.

The userid is not a secret. So the only protection is the content of
Bugzilla_logincookie, which is easily guessable (incremented by 1 on every login).

Reproducible: Always

Steps to Reproduce:
1. make sure you use the same ip-address to access Bugzilla as the victim (from
Bugzilla's point of view)
2. create a cookie called Bugzilla_login with the victims userid
3. decrement the value of your last Bugzilla_logincookie
4. visit bugzilla web page
5. repeat 3-4 until you get access

Actual Results:  
getting access to the victims account

Expected Results:  
Bugzilla should use an unguessable random string as session-id.

Comment 1

[Marc Schumann [:Wurblzap]]

Duplicate of bug 119524?

Comment 2

[Dave Miller [:justdave]]

Removing the security flag, not because this isn't a security issue, but because
it's a well known issue that isn't worth hiding because it's essentially already
been publicly disclosed.

It's also a dupe (marking as such).

*** This bug has been marked as a duplicate of 119524 ***

*** This bug has been marked as a duplicate of 119524 ***