Bugzilla doesn't prevent local links to be used to log in

Status: UNCONFIRMED
Assignee: Unassigned
Product: Bugzilla
Component: User Accounts
Severity: minor
Opened 3 years ago, updated 2 years ago
Reporter: x
Attachments: 1 attachment
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2267.0 Safari/537.36

Steps to reproduce:

Hi,

CSRF in login is still possible if a user clicks on a link which is hosted on Bugzilla's main domain; then, while doing the login, the page will check the 'Referer' header.

Reproduce:
1. Go to https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=24457 while YOU ARE NOT LOGGED IN TO LANDFILL.
2. After that, click on the link in the bug's title.
3. Notice that you're now logged in to landfill.

Cheers,

Comment 1

3 years ago
This is not a cross-site vulnerability as the link you click must belong to the same domain as Bugzilla itself. This isn't a security bug either as we explicitly whitelist local URLs:

  # Else falls back to the Referer header and accept local URLs.
Assignee: general → user-accounts
Group: bugzilla-security
Severity: normal → minor
Component: Bugzilla-General → User Accounts
Summary: csrf login still possible if clicked from a bug → Bugzilla doesn't prevent local links to be used to log in
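
The Referer fallback that comment 1 describes, modelled as an added example; it is not Bugzilla's code, which is not shown on this page. The `urlbase` value, the host names and the `primary_check_ok` flag (standing in for whatever check precedes the "Else") are assumptions, and the sample Referer values are constructed. The comparison is on the parsed origin and path rather than on a string prefix, so only links served by the same install pass, which is the situation in the report.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
URLBASE = "https://bugzilla.example.test/bugzilla-tip/"  # constructed, not from the page

def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme])

def is_local_referer(referer, urlbase=URLBASE):
    """True only if the Referer has urlbase's origin and lies under its path."""
    ref = origin(referer or "")
    if ref is None or ref != origin(urlbase):
        return False
    base_path = urlsplit(urlbase).path.rstrip("/") + "/"
    return (urlsplit(referer).path or "/").startswith(base_path)

def login_allowed(primary_check_ok, referer, urlbase=URLBASE):
    """Hypothetical decision: the primary check wins, else fall back to a local Referer."""
    return bool(primary_check_ok) or is_local_referer(referer, urlbase)

# Constructed Referer values for a login request whose primary check failed.
SAMPLES = {
    "link on a bug page of the same install":
        "https://bugzilla.example.test/bugzilla-tip/show_bug.cgi?id=1",
    "page on another site": "https://other.example.test/page.html",
    "lookalike host": "https://bugzilla.example.test.other.example.test/bugzilla-tip/",
    "same host, different path": "https://bugzilla.example.test/bugzilla-tip-other/x",
    "no Referer sent": None,
}

def evaluate_samples():
    """Map each sample name to the fallback's decision."""
    return {name: login_allowed(False, ref) for name, ref in SAMPLES.items()}

if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:40} -> {'accepted' if allowed else 'rejected'}")
```
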

Comment 2

Updates?

Comment 3

2 years ago
(In reply to Mario Gomes from comment #2)
> Updates?

Updates on what exactly? Do you have a specific question? Generally speaking: Nothing has happened here yet, otherwise it would be written in this task. :)