Delete session tokens on logout




3 years ago

(Reporter: Narendra Bhati, Unassigned)

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36

Steps to reproduce:

1. Log in to Bugzilla, intercept any request which has CSRF tokens; for example, the change your profile name request has CSRF tokens.
Now create a CSRF HTML page like this:
    <!-- CSRF PoC - generated by Burp Suite Professional -->
    <form action="" method="POST">
      <input type="hidden" name="tab" value="request&#95;nagging" />
      <input type="hidden" name="token" value="IQWcAynBCc" />
      <input type="hidden" name="request&#95;nagging" value="default" />
      <input type="hidden" name="add&#95;watching" value="bhati&#46;contact&#64;gmail&#46;com" />
      <input type="hidden" name="dosave" value="1" />
      <input type="submit" value="Submit request" />
    </form>

Now log out.
Now log in again. As expected, the CSRF tokens will be changed.
But the old CSRF tokens still work for the same user, which can lead to a CSRF attack if an attacker somehow gets the user's CSRF tokens.

Actual results:

1. When a user logs out and logs in again, the CSRF tokens will change for security reasons, but in Bugzilla this is not happening.
Due to some misconfiguration, old CSRF tokens can be reused for the same user.

Expected results:

1. If a user logs out and logs in again, then old CSRF tokens and new CSRF tokens should be checked on the server side.

I noticed that after logging out and logging in, the CSRF tokens are changed, but old tokens can still be reused for the Bugzilla user.

Comment 1

3 years ago
Session tokens have a lifetime of 3 days, so you cannot reuse them indefinitely, which greatly reduces the risk to abuse the user. Heavy users of Bugzilla never log out, so deleting session tokens on logout wouldn't help to prevent the problem you describe. The tokens will simply expire after 3 days. But this is a reasonable request as a security improvement.
Group: bugzilla-security
Ever confirmed: true
Summary: Previous CSRF Token Can Be Re-Used → Delete session tokens on logout
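
The behaviour discussed in comment 1, as an added example that is not part of the original report and is not Bugzilla's own code: a token table with the 3-day lifetime, with and without deletion of the user's tokens on logout. The class, function names and the user "alice" are assumptions made for illustration.

```python
import secrets

TOKEN_LIFETIME = 3 * 24 * 3600  # seconds; the 3-day lifetime stated in comment 1


class SessionTokenStore:
    """Hypothetical in-memory token table (assumption, not Bugzilla's schema)."""

    def __init__(self, delete_on_logout):
        self.delete_on_logout = delete_on_logout
        self._tokens = {}  # token -> (user_id, issued_at)

    def issue(self, user_id, now):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user_id, now)
        return token

    def is_valid(self, user_id, token, now):
        entry = self._tokens.get(token)
        if entry is None:
            return False
        owner, issued_at = entry
        if now - issued_at > TOKEN_LIFETIME:
            del self._tokens[token]  # expired: remove so it can never match again
            return False
        return owner == user_id  # a token is only good for the user it was issued to

    def logout(self, user_id):
        """Drop every token issued to user_id; returns how many were removed."""
        if not self.delete_on_logout:
            return 0  # models the reported behaviour: tokens outlive the session
        stale = [t for t, (owner, _) in self._tokens.items() if owner == user_id]
        for t in stale:
            del self._tokens[t]
        return len(stale)


def replay_after_relogin(delete_on_logout, gap_seconds):
    """Issue a token, log out, log in again after gap_seconds, then replay.

    Returns (old_token_accepted, new_token_accepted).
    """
    store = SessionTokenStore(delete_on_logout)
    old = store.issue("alice", now=0)  # constructed sample user
    store.logout("alice")
    new = store.issue("alice", now=gap_seconds)
    return (store.is_valid("alice", old, gap_seconds),
            store.is_valid("alice", new, gap_seconds))
```

With `delete_on_logout=False` the old token is accepted until the lifetime runs out; with `True` it is rejected as soon as the user logs out, while the token from the new login keeps working.
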

Comment 2

3 years ago
Yes, you are right.
But as per my observation, it's not working normally like others do.
If a user has logged out and tries to reuse the previous tokens, then he should not be authenticated in the application, but in Bugzilla it's happening.
Will wait for your reply.

Comment 3

3 years ago
And one more thing: I have reported two different vulnerabilities which are totally different from each other.

1. Session reuse is a different vulnerability, caused by session cookies being reusable.

2. CSRF tokens reused - this vulnerability only affects the CSRF tokens. The same CSRF tokens can be reused for users, so this only affects CSRF tokens, not the whole session cookies.