Bug 1157395 - CSRF in log in form
Status: RESOLVED FIXED (Closed)
Opened 10 years ago, closed 10 years ago
Categories: bugzilla.mozilla.org :: General, defect
People: Reporter: netfuzzerr, Assigned: dkl
Keywords: reporter-external, sec-low
Attachments (1 file, 1 obsolete file): 11.08 KB, patch, glob: review+
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Steps to reproduce:
Hi,
It seems the login CSRF that was reported a long time ago (https://bugzilla.mozilla.org/show_bug.cgi?id=713926) is still present.
Is this intentional behaviour?
This vulnerability could allow attackers to log out logged-in users and log them into the attacker's account. Through this trick, the victim will think she is still logged in to her own account and may then report a security bug while logged in to the attacker's account.
Poc: https://bugzilla.mozilla.org/index.cgi?Bugzilla_login=netfuzzer%40yandex.com&Bugzilla_password=Mariogomes11&Bugzilla_remember=on&GoAheadAndLogIn=Log+in
Cheers,
Mario
Comment 1•10 years ago (Reporter)
Hi,
It seems the login CSRF that was reported a long time ago (https://bugzilla.mozilla.org/show_bug.cgi?id=713926) is still present.
It is still working. Is this intentional behaviour?
This vulnerability could allow attackers to log out logged-in users and log them into the attacker's account. Through this trick, the victim will think she is still logged in to her own account and may then report a security bug while logged in to the attacker's account.
Poc: https://bugzilla.mozilla.org/index.cgi?Bugzilla_login=netfuzzer%40yandex.com&Bugzilla_password=Mariogomes11&Bugzilla_remember=on&GoAheadAndLogIn=Log+in
Cheers,
Mario
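The report above describes a login CSRF: the login endpoint accepts credentials from any request, so a link or hidden form on a third-party page can silently switch the victim's session to an account the attacker controls. The following is an added example, not code from the bug or from Bugzilla itself, that models that weak handler beside a hardened one which only accepts a POST carrying a token bound to a cookie the browser received together with the login form. The user table, request shape, and the cookie/field names `login_request_cookie` and `login_token` are constructed for the demo and are not Bugzilla's own.

```python
"""Login-CSRF demo: a login handler that accepts credentials from any
request (the behaviour reported above) beside a hardened handler that
requires a POST with a token bound to a pre-login cookie. All names,
users and requests here are constructed for the demo."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_table(credentials):
    """Constructed user store: login -> (salt, pbkdf2 hash); no plaintext kept."""
    table = {}
    for login, password in credentials.items():
        salt = secrets.token_bytes(16)
        table[login] = (salt, _hash_password(password, salt))
    return table


def check_password(users, login, password):
    entry = users.get(login)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)


def _form_fields(raw):
    return {k: v[0] for k, v in parse_qs(raw).items()}


def vulnerable_login(request, users):
    """Weak handler: reads credentials from the query string or body alike,
    so a plain GET link is enough to log the browser into another account."""
    raw = request["query"] if request["method"] == "GET" else request["body"]
    f = _form_fields(raw)
    login, password = f.get("Bugzilla_login", ""), f.get("Bugzilla_password", "")
    if f.get("GoAheadAndLogIn") and check_password(users, login, password):
        return {"ok": True, "user": login}
    return {"ok": False, "reason": "bad credentials"}


# Hardened version. Names below are assumptions for the demo.
LOGIN_COOKIE = "login_request_cookie"
LOGIN_TOKEN_FIELD = "login_token"


def new_login_request_cookie():
    """Random value set as a cookie when the login form is rendered."""
    return secrets.token_urlsafe(32)


def issue_login_token(cookie_value):
    """Hidden form field derived from the cookie; only the server can mint it."""
    return hmac.new(SERVER_KEY, b"login:" + cookie_value.encode(),
                    hashlib.sha256).hexdigest()


def hardened_login(request, users):
    """Accept a login only from a POST whose token matches the cookie that was
    issued with the form. A third-party page cannot read the victim's cookie,
    so it cannot supply a matching token."""
    if request["method"] != "POST":
        return {"ok": False, "reason": "login must be a POST"}
    f = _form_fields(request["body"])
    cookie = request["cookies"].get(LOGIN_COOKIE)
    token = f.get(LOGIN_TOKEN_FIELD)
    if not cookie or not token or not hmac.compare_digest(
            token.encode(), issue_login_token(cookie).encode()):
        return {"ok": False, "reason": "missing or mismatched login token"}
    login, password = f.get("Bugzilla_login", ""), f.get("Bugzilla_password", "")
    if f.get("GoAheadAndLogIn") and check_password(users, login, password):
        return {"ok": True, "user": login}
    return {"ok": False, "reason": "bad credentials"}


def run_demo():
    """Constructed scenario: a forged GET link versus a genuine form POST."""
    users = make_user_table({"victim": "victim-pass", "attacker": "attacker-pass"})
    forged = {"method": "GET", "body": "", "cookies": {},
              "query": "Bugzilla_login=attacker&Bugzilla_password=attacker-pass"
                       "&Bugzilla_remember=on&GoAheadAndLogIn=Log+in"}
    cookie = new_login_request_cookie()
    genuine = {"method": "POST", "query": "", "cookies": {LOGIN_COOKIE: cookie},
               "body": "Bugzilla_login=victim&Bugzilla_password=victim-pass"
                       "&GoAheadAndLogIn=Log+in&login_token=" + issue_login_token(cookie)}
    return {
        "forged_weak": vulnerable_login(forged, users),
        "forged_hardened": hardened_login(forged, users),
        "genuine_hardened": hardened_login(genuine, users),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The token check defeats a cross-site login because the attacker's page can neither read the victim's `login_request_cookie` nor compute a token for it without `SERVER_KEY`. Two caveats worth keeping in mind when applying this pattern: the cookie must be set with a scope an attacker cannot also write to (a sibling subdomain that can set cookies for the parent domain could plant its own cookie/token pair), and the check protects the login form only, so every other state-changing form still needs its own session-bound token.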
Comment 2•10 years ago
We said in the security advisory that the CSRF protection was not backported to 4.2 and 4.0 on purpose. Mozilla Bugzilla is still running 4.2.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Comment 3•10 years ago (Assignee)
We did backport it though to bmo/4.2
https://git.mozilla.org/?p=webtools/bmo/bugzilla.git;a=commitdiff;h=4e1941f [github]
So why is this still failing to protect against CSRF? Investigating.
Assignee: general → nobody
Group: bugzilla-security
Status: RESOLVED → REOPENED
Component: Bugzilla-General → General
Ever confirmed: true
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Resolution: INVALID → ---
Version: unspecified → Production
gah, bug 1090427 was backed out in bug 1093622, but wasn't put back when that bug was wontfix'ed.
dkl, the backport patch no longer applies, are you able to update that patch and attach it here for a quick re-review?
Comment 5•10 years ago (Assignee)
(In reply to Byron Jones [:glob] from comment #4)
> gah, bug 1090427 was backed out in bug 1093622, but wasn't put back when
> that bug was wontfix'ed.
> dkl, the backport patch no longer applies, are you able to update that patch
> and attach it here for a quick re-review?
Yeah. Will do this first thing.
dkl
Assignee: nobody → dkl
Status: REOPENED → ASSIGNED
Comment 6•10 years ago (Reporter)
Is there any chance this bug would be eligible for a bug bounty?
(In reply to Mario Gomes"''><Img src=x onerror=prompt();> from comment #6)
> Is there any chance this bug would be eligible for a bug bounty?
probably not -- the bug 713926 is marked as sec-low.
but i'll leave it up to the security team to decide.
Flags: sec-bounty?
Comment 8•10 years ago (Reporter)
Yea - I noticed that. I'll have to find something more interesting!
(In reply to Byron Jones [:glob] from comment #7)
> probably not -- the bug 713926 is marked as sec-low.
> but i'll leave it up to the security team to decide.
Comment 9•10 years ago (Assignee)
Attachment #8596575 - Flags: review?(glob)
Comment 10•10 years ago (Assignee)
Comment on attachment 8596575 [details] [diff] [review]
1157395_1.patch
Need new patch that incorporates fixes from bug 1001497 and bug 1132887.
Attachment #8596575 - Attachment is obsolete: true
Attachment #8596575 - Flags: review?(glob)
Comment 11•10 years ago (Assignee)
Attachment #8596581 - Flags: review?(glob)
Comment 12•10 years ago
Comment on attachment 8596581 [details] [diff] [review]
1157395_2.patch
Review of attachment 8596581 [details] [diff] [review]:
-----------------------------------------------------------------
r=glob
Attachment #8596581 - Flags: review?(glob) → review+
Comment 13•10 years ago (Assignee)
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
ed92da4..283be21 master -> master
Status: ASSIGNED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
Comment 14•10 years ago
We need a security rating on this. Can you suggest a rating for it?
Flags: needinfo?(dkl)
Comment 16•10 years ago (Reporter)
Any updates on the bug bounty decision?
Comment 17•10 years ago
No. It was discussed at the bounty meeting today but we have not reached a final decision.
Comment 18•10 years ago
(In reply to David Lawrence [:dkl] from comment #15)
> sec-low
Can you give the rationale for why this is a sec-low?
Flags: needinfo?(dkl)
Comment 19•10 years ago (Assignee)
(In reply to Al Billings [:abillings] from comment #18)
> (In reply to David Lawrence [:dkl] from comment #15)
> > sec-low
>
> Can you give the rationale for why this is a sec-low?
Since this was a dupe of bug 713926 that was simply backported to BMO, I assumed it would have the same level of impact. We actually had this applied at one point, but it broke one of our critical tools, so it was backed out.
dkl
Flags: needinfo?(dkl)
Comment 20•10 years ago (Reporter)
So... still no final decision on the bounty award?
Comment 21•10 years ago
(In reply to Mario Gomes from comment #20)
> So... still no final decision on the bounty award?
It is minused for bounty. As a sec-low severity issue, it isn't eligible.
Flags: sec-bounty? → sec-bounty-
Updated•8 months ago (Assignee)
Keywords: reporter-external