Closed Bug 1157395 Opened 9 years ago Closed 9 years ago

CSRF in log in form

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal


RESOLVED FIXED

People

(Reporter: netfuzzerr, Assigned: dkl)

Details

(Keywords: sec-low)

Attachments

(1 file, 1 obsolete file)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36

Steps to reproduce:

Hi,

It seems the login CSRF that was reported a long time ago (https://bugzilla.mozilla.org/show_bug.cgi?id=713926) is still working. Is this intentional behaviour?

This vulnerability could allow attackers to log out logged-in users and log them into the attacker's account. Through this trick, the victim will think she is still logged into her own account and may then report a security bug while logged into the attacker's account.

Poc: https://bugzilla.mozilla.org/index.cgi?Bugzilla_login=netfuzzer%40yandex.com&Bugzilla_password=Mariogomes11&Bugzilla_remember=on&GoAheadAndLogIn=Log+in

Cheers,
Mario
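The attack in the report above, as an added example that is not part of the original bug or of Bugzilla's own code: the PoC link carries the attacker's credentials in the query string of a plain GET, so any page the victim visits can fire it from an `<img>` or a link and replace the victim's session with the attacker's. The unprotected handler below accepts exactly that; the hardened one only honours a POST whose hidden login token matches a nonce cookie set when the form was rendered. The token scheme (a pre-login nonce cookie bound to the form field with an HMAC under a server secret) is an assumed design for illustration, not the mechanism Bugzilla adopted in bug 713926, and the account store, secret and URL are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed account store: the attacker's own credentials, which the attacker
# is happy to hand to the victim's browser (as the PoC link in the report does).
USERS = {"attacker@example.org": "attacker-password"}

# Server-side secret binding the login token to the pre-login cookie
# (assumption: any per-deployment random secret would do).
SECRET = b"constructed-server-secret"

# Constructed cross-site link in the shape of the PoC in the report.
POC_URL = ("https://bugzilla.example/index.cgi?Bugzilla_login=attacker%40example.org"
           "&Bugzilla_password=attacker-password&Bugzilla_remember=on&GoAheadAndLogIn=Log+in")


def check_credentials(login, password):
    """Constant-time credential check against the constructed store."""
    stored = USERS.get(login)
    return stored is not None and hmac.compare_digest(stored, password or "")


def vulnerable_login(method, url, form, cookies):
    """Login handler with no CSRF protection.

    Credentials are taken from the query string (or form body) of any request,
    including a GET fired by an <img> on a third-party page, so an attacker can
    silently log the victim into the attacker's account.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    params.update(form)
    if check_credentials(params.get("Bugzilla_login"), params.get("Bugzilla_password")):
        cookies["Bugzilla_login"] = params["Bugzilla_login"]  # replaces the victim's session
        return params["Bugzilla_login"]
    return None


def render_login_form(cookies):
    """Called when the login form is rendered: set a random pre-login nonce cookie
    and return the HMAC of it to embed as a hidden form field."""
    nonce = secrets.token_hex(16)
    cookies["login_nonce"] = nonce
    return hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()


def hardened_login(method, url, form, cookies):
    """Login handler that only honours a POST whose token matches the nonce
    cookie issued to the same browser when the form was rendered."""
    if method != "POST":
        return None                       # a GET link can never log anyone in
    nonce = cookies.get("login_nonce")
    token = form.get("Bugzilla_login_token", "")
    if not nonce:
        return None                       # form was not rendered in this browser
    expected = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token):
        return None                       # token forged or from another browser
    cookies.pop("login_nonce", None)      # single use
    if check_credentials(form.get("Bugzilla_login"), form.get("Bugzilla_password")):
        cookies["Bugzilla_login"] = form["Bugzilla_login"]
        return form["Bugzilla_login"]
    return None


def demo():
    """Returns (vulnerable GET, hardened GET, forged POST, legitimate POST) results."""
    victim_cookies = {"Bugzilla_login": "victim@example.org"}
    # 1. Cross-site GET against the unprotected handler: victim is now the attacker.
    vuln = vulnerable_login("GET", POC_URL, {}, dict(victim_cookies))
    # 2. The same GET against the hardened handler is rejected.
    csrf = hardened_login("GET", POC_URL, {}, dict(victim_cookies))
    # 3. An attacker-crafted POST without the victim's nonce cookie is rejected too.
    forged = hardened_login("POST", "https://bugzilla.example/index.cgi",
                            {"Bugzilla_login": "attacker@example.org",
                             "Bugzilla_password": "attacker-password",
                             "Bugzilla_login_token": "0" * 64}, dict(victim_cookies))
    # 4. Legitimate flow: form rendered in this browser, then posted back with its token.
    legit_cookies = {}
    token = render_login_form(legit_cookies)
    legit = hardened_login("POST", "https://bugzilla.example/index.cgi",
                           {"Bugzilla_login": "attacker@example.org",
                            "Bugzilla_password": "attacker-password",
                            "Bugzilla_login_token": token}, legit_cookies)
    return vuln, csrf, forged, legit
```

Binding the token to a cookie rather than to a logged-in session is what makes this work for login forms, where no session exists yet; the HMAC means a token is only valid alongside the nonce the server itself issued, so an attacker who cannot read the victim's cookies cannot produce a matching pair.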
We said in the security advisory that the CSRF protection was not backported to 4.2 and 4.0 on purpose. Mozilla Bugzilla is still running 4.2.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
We did backport it though to bmo/4.2

https://git.mozilla.org/?p=webtools/bmo/bugzilla.git;a=commitdiff;h=4e1941f [github]

So why is this still failing to protect against CSRF? Investigating.
Assignee: general → nobody
Group: bugzilla-security
Status: RESOLVED → REOPENED
Component: Bugzilla-General → General
Ever confirmed: true
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Resolution: INVALID → ---
Version: unspecified → Production
gah, bug 1090427 was backed out in bug 1093622, but wasn't put back when that bug was wontfix'ed.
dkl, the backport patch no longer applies, are you able to update that patch and attach it here for a quick re-review?
(In reply to Byron Jones ‹:glob› from comment #4)
> gah, bug 1090427 was backed out in bug 1093622, but wasn't put back when
> that bug was wontfix'ed.
> dkl, the backport patch no longer applies, are you able to update that patch
> and attach it here for a quick re-review?

Yeah. Will do this first thing.

dkl
Assignee: nobody → dkl
Status: REOPENED → ASSIGNED
Is there any chance this bug could be eligible for a bug bounty?
(In reply to Mario Gomes"''><Img src=x onerror=prompt();> from comment #6)
> Is there any chance this bug be eligible for a bug bounty?

probably not -- the bug 713926 is marked as sec-low.
but i'll leave it up to the security team to decide.
Flags: sec-bounty?
Yea -  I noticed that. I'll have to find something more interesting!

(In reply to Byron Jones ‹:glob› from comment #7)
> probably not -- the bug 713926 is marked as sec-low.
> but i'll leave it up to the security team to decide.
Attached patch 1157395_1.patch (obsolete) — Splinter Review
Attachment #8596575 - Flags: review?(glob)
Comment on attachment 8596575 [details] [diff] [review]
1157395_1.patch

Need new patch that incorporates fixes from bug 1001497 and bug 1132887.
Attachment #8596575 - Attachment is obsolete: true
Attachment #8596575 - Flags: review?(glob)
Attached patch 1157395_2.patch - Splinter Review
Attachment #8596581 - Flags: review?(glob)
Comment on attachment 8596581 [details] [diff] [review]
1157395_2.patch

Review of attachment 8596581 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob
Attachment #8596581 - Flags: review?(glob) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   ed92da4..283be21  master -> master
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
We need a security rating on this. Can you suggest a rating for it?
Flags: needinfo?(dkl)
sec-low
Flags: needinfo?(dkl)
Group: bugzilla-security
Any updates related to the bug bounty decision?
No. It was discussed at the bounty meeting today but we have not reached a final decision.
(In reply to David Lawrence [:dkl] from comment #15)
> sec-low

Can you give the rationale for why this is a sec-low?
Flags: needinfo?(dkl)
(In reply to Al Billings [:abillings] from comment #18)
> (In reply to David Lawrence [:dkl] from comment #15)
> > sec-low
> 
> Can you give the rationale for why this is a sec-low?

Since this was a dupe of bug 713926 that was simply backported to BMO, I assumed it would have the same level of impact. We actually had this applied at one point, but it broke one of our critical tools, so it was backed out.

dkl
Flags: needinfo?(dkl)
So... still no final decision related to the bounty award?
(In reply to Mario Gomes from comment #20)
> So... still not having the final decision related to  bounty award ??

It is minused for bounty. As a sec-low severity issue, it isn't eligible.
Flags: sec-bounty? → sec-bounty-