User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160606113944

Steps to reproduce: CSRF test
Actual results: CSRF test
Expected results: CSRF test
Sorry for that, I just want to report a CRITICAL IDOR vulnerability. This IDOR can make me see attachments from private reports by going to https://bugzilla.mozilla.org/attachment.cgi?id=<any-7-nums-here>; by this I'll be able to go into open reports and see the attachments and may find some vulns there and use it. Sorry again and thanks for your time :)
Hi, where is the vulnerability? Please provide more info by giving us an example. Thank you.
Most of our bugs are public, and thus the attachments are as well. If you stumble on an attachment number that belongs to a private bug, you will get an error page saying you don't have access permission. If you do hit a public attachment, you'll notice that it redirects to https://bugXXXXXXX.bmoattachments.org/ so that every bug is its own domain and the whole collection is not a subdomain of .mozilla.org, so you can't try any useful XSS or cookie fixation attacks. Please do not test/play in our active database; we have test systems set up on https://landfill.bugzilla.org (although those don't have a separate attachment host).
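The comment above explains the defensive design: attachments are served from a per-bug host under bmoattachments.org rather than from a mozilla.org subdomain, so a bugzilla.mozilla.org session cookie is never in scope for attachment content and an attachment cannot script against the tracker's origin. The following is an added example, not Bugzilla's own code, of how a defender could check that property: it classifies a redirect target against the host pattern quoted in the comment and applies the RFC 6265 domain-match rule to show which cookies a browser would send to that host. The host regex, the function names and the sample URLs are assumptions constructed for this example.

```python
"""Check that attachment redirects land on an isolated per-bug origin.

Added example, not Bugzilla's code. It assumes the host pattern quoted in the
comment above (bug<digits>.bmoattachments.org); all sample values are constructed.
"""
import re
from urllib.parse import urlsplit

# Per-bug attachment host as described in the comment (assumed pattern).
ATTACHMENT_HOST = re.compile(r"^bug(\d+)\.bmoattachments\.org$")
TRACKER_SITE = "mozilla.org"


def classify_redirect(location: str) -> str:
    """Classify a redirect Location URL.

    Returns 'isolated' when the target is an https per-bug attachment host,
    'same-site' when it stays under mozilla.org (attachment would share the
    tracker's site and cookie scope), and 'other' for anything else,
    including plain http, which would undo the isolation.
    """
    parts = urlsplit(location)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return "other"
    if ATTACHMENT_HOST.match(host):
        return "isolated"
    if host == TRACKER_SITE or host.endswith("." + TRACKER_SITE):
        return "same-site"
    return "other"


def bug_id_from_host(location: str):
    """Extract the bug number encoded in an isolated attachment host, else None."""
    host = (urlsplit(location).hostname or "").lower()
    match = ATTACHMENT_HOST.match(host)
    return int(match.group(1)) if match else None


def cookie_would_be_sent(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching.

    A cookie scoped to `cookie_domain` is sent to `request_host` only if the
    host equals the domain or ends with '.' + domain. This is why a cookie
    set for mozilla.org never reaches bug1234567.bmoattachments.org.
    """
    domain = cookie_domain.lstrip(".").lower()
    host = request_host.lower()
    return host == domain or host.endswith("." + domain)


# Constructed sample redirect targets (not real attachment ids).
SAMPLE_LOCATIONS = [
    "https://bug1234567.bmoattachments.org/attachment.cgi?id=8765432",
    "https://bugzilla.mozilla.org/attachment.cgi?id=8765432",
    "http://bug1234567.bmoattachments.org/attachment.cgi?id=8765432",
    "https://evil.bmoattachments.org.example/attachment.cgi?id=1",
]


def audit(locations=SAMPLE_LOCATIONS) -> dict:
    """Map each Location to (classification, cookie-sent-for-mozilla.org)."""
    result = {}
    for loc in locations:
        host = urlsplit(loc).hostname or ""
        result[loc] = (classify_redirect(loc), cookie_would_be_sent(TRACKER_SITE, host))
    return result


if __name__ == "__main__":
    for loc, (kind, cookie) in audit().items():
        print(f"{kind:9s} cookie_sent={cookie!s:5s} {loc}")
```

Only the first sample satisfies both properties a reviewer cares about: it is on its own per-bug https origin, and a cookie scoped to mozilla.org would not be attached to the request. The same-site case shows what the design avoids, and the plain-http case shows that a downgrade alone is enough to lose the isolation.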