Closed
Bug 301058
Opened 19 years ago
Closed 19 years ago
session-id must not be guessable
Categories
(Bugzilla :: User Accounts, defect)
RESOLVED DUPLICATE of bug 119524
People
(Reporter: nhb_web, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)

It is possible to get access to the session of other users because the content of Bugzilla_logincookie is easily guessable.

On login Bugzilla creates a new row in logincookies containing an auto-incremented cookie (number), the userid and ipaddress. The first two parameters are stored in cookies named Bugzilla_logincookie and Bugzilla_login.

The ip-address does not provide any protection if Bugzilla is set up behind a reverse proxy. There are at least two large ISPs in this area which force their customers to use a proxy for all connections to port 80 and 443.

The userid is not a secret. So the only protection is the content of Bugzilla_logincookie, which is easily guessable (incremented by 1 on every login).

Reproducible: Always

Steps to Reproduce:
1. make sure you use the same ip-address to access Bugzilla as the victim (from Bugzilla's point of view)
2. create a cookie called Bugzilla_login with the victim's userid
3. decrement the value of your last Bugzilla_logincookie
4. visit bugzilla web page
5. repeat 3-4 until you get access

Actual Results: getting access to the victim's account

Expected Results: Bugzilla should use an unguessable random string as session-id.
Comment 1•19 years ago
Duplicate of bug 119524?
Comment 2•19 years ago
Removing the security flag, not because this isn't a security issue, but because it's a well known issue that isn't worth hiding because it's essentially already been publicly disclosed. It's also a dupe (marking as such).

*** This bug has been marked as a duplicate of 119524 ***
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
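
An added example, not Bugzilla's code and not part of the original report: a small model of the logincookies scheme from the description next to a variant whose cookie comes from the OS CSPRNG, with an audit check that flags sequentially issued cookies. The class names, function names and sample logins are constructed for illustration.

```python
import secrets

class SequentialCookieStore:
    """Scheme from the report: cookie is an auto-incremented row number."""
    def __init__(self):
        self.rows, self.next_id = {}, 1

    def login(self, userid, ipaddr):
        cookie = str(self.next_id)
        self.next_id += 1
        self.rows[cookie] = (userid, ipaddr)
        return cookie

class RandomCookieStore:
    """Hardened variant: cookie is 128 bits from the OS CSPRNG."""
    def __init__(self):
        self.rows = {}

    def login(self, userid, ipaddr):
        cookie = secrets.token_urlsafe(16)  # 16 random bytes, 22 URL-safe chars
        self.rows[cookie] = (userid, ipaddr)
        return cookie

def validate(store, cookie, userid, ipaddr):
    """Accept only if the row exists and matches the userid and address."""
    return store.rows.get(cookie) == (userid, ipaddr)

def sequential_fraction(cookies):
    """Audit check: share of consecutively issued cookies that differ by exactly 1."""
    pairs = list(zip(cookies, cookies[1:]))
    hits = sum(1 for a, b in pairs
               if a.isdigit() and b.isdigit() and int(b) - int(a) == 1)
    return hits / len(pairs) if pairs else 0.0

# Constructed sample logins: several users, three of them behind one proxy address.
LOGINS = [(7, "192.0.2.10"), (42, "192.0.2.10"),
          (7, "192.0.2.10"), (99, "198.51.100.5")]

def issue_all(store):
    """Log every sample user in and return the cookies in issue order."""
    return [store.login(uid, ip) for uid, ip in LOGINS]

if __name__ == "__main__":
    for store in (SequentialCookieStore(), RandomCookieStore()):
        issued = issue_all(store)
        print(type(store).__name__, issued, sequential_fraction(issued))
```

A sequential fraction near 1.0 over a sample of issued session ids means the id carries no secret, so the userid and source address are the only remaining checks.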