Product: bugzilla.mozilla.org
Component: General
Status: RESOLVED INVALID
Reporter: Anas Roubi (Unassigned, NeedInfo)
Version: Production
Attachments: 2 (7.25 KB, image/gif; 421 bytes, image/svg+xml)
(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160606113944

Steps to reproduce:

CSRF test


Actual results:

CSRF test


Expected results:

CSRF test
(Reporter)

Comment 1

a year ago
Created attachment 8775640
upload
(Reporter)

Comment 2

a year ago
Created attachment 8775643
eeee
(Reporter)

Comment 3

a year ago
Sorry for that, I just want to report a CRITICAL IDOR vulnerability.

This IDOR can make me see attachments from private reports by going to
https://bugzilla.mozilla.org/attachment.cgi?id=<any-7-noms-her>

By this I'll be able to go into open reports and see the attachments and may find some vulns there and use it.

Sorry again and thanks for your time :)

Hi, where is the vulnerability? Please provide more info by giving us an example, thank you.
Flags: needinfo?(anasroubi)

Most of our bugs are public, and thus the attachments are as well. If you stumble on an attachment number that belongs to a private bug you will get an error page saying you don't have access permission.

If you do hit a public attachment you'll notice that it redirects to https://bugXXXXXXX.bmoattachments.org/ so that every bug is its own domain and the whole collection is not a subdomain of .mozilla.org, so you can't try any useful XSS or cookie fixation attacks.

Please do not test/play in our active database; we have test systems set up on https://landfill.bugzilla.org (although those don't have a separate attachment host).
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Component: Untriaged → General
Product: Firefox → bugzilla.mozilla.org
Resolution: --- → INVALID
Version: 47 Branch → Production
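The reply above describes two defences that together make a guessable attachment id harmless: the attachment handler authorises against the parent bug's security groups (so an id for a private bug yields a permission error, not the file), and public attachments are served from a per-bug host off .mozilla.org (so attachment content never shares an origin, or cookies, with the main application). The Python model below is an added illustration of those two checks; it is not Bugzilla's code. The bug and attachment tables, the ids, the user accounts and the exact host template are constructed assumptions, and the parent-domain derivation is deliberately simplified.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

APP_HOST = "bugzilla.mozilla.org"  # host whose session cookies must stay out of reach
# Assumed shape of the per-bug attachment host, paraphrased from the reply above.
ATTACHMENT_URL = "https://bug{bug_id}.bmoattachments.org/attachment.cgi?id={attachment_id}"


@dataclass(frozen=True)
class Bug:
    bug_id: int
    groups: frozenset  # security groups; an empty set means the bug is public


@dataclass(frozen=True)
class Attachment:
    attachment_id: int
    bug_id: int


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset


# Constructed sample records with hypothetical ids (not real Bugzilla data).
BUGS = {
    1000: Bug(1000, frozenset()),                           # public bug
    1001: Bug(1001, frozenset({"firefox-core-security"})),  # private bug
}
ATTACHMENTS = {
    5550001: Attachment(5550001, 1000),
    5550002: Attachment(5550002, 1001),
}


def can_see_bug(user, bug):
    """A bug is visible when it is public or the user belongs to one of its groups."""
    return not bug.groups or bool(bug.groups & user.groups)


def attachment_request(user, attachment_id):
    """Decide a request: ("redirect", url), ("denied", None) or ("not_found", None).

    The decision keys on the parent bug's groups, never on whether the caller
    produced a valid-looking id: enumerating ids only ever reaches public
    attachments, which is what makes a sequential id safe to expose.
    """
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        return ("not_found", None)
    bug = BUGS[att.bug_id]
    if not can_see_bug(user, bug):
        # Valid id, failed object check: the "no access permission" page from the reply.
        return ("denied", None)
    return ("redirect", ATTACHMENT_URL.format(bug_id=bug.bug_id, attachment_id=attachment_id))


def cookie_sent_to(cookie_domain, request_host):
    """RFC 6265 domain matching: would a cookie scoped to cookie_domain be sent to request_host?"""
    cookie_domain = cookie_domain.lstrip(".").lower()
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def attachment_origin_is_isolated(url, app_host=APP_HOST):
    """True when the attachment host is neither app_host nor under its parent domain.

    The parent domain is taken as the last two labels, which is fine for
    mozilla.org; a production check would consult the public suffix list.
    """
    host = urlparse(url).hostname or ""
    parent = ".".join(app_host.split(".")[-2:])
    return host != app_host and not cookie_sent_to(parent, host)


def distinct_origins(urls):
    """True when every URL has its own host, so one bug's attachment cannot script another's."""
    hosts = [urlparse(u).hostname for u in urls]
    return len(set(hosts)) == len(hosts)


if __name__ == "__main__":
    anon = User("anonymous", frozenset())
    sec = User("sec-member", frozenset({"firefox-core-security"}))
    for user in (anon, sec):
        for att_id in (5550001, 5550002, 9999999):
            print(user.login, att_id, attachment_request(user, att_id))
    url = attachment_request(sec, 5550002)[1]
    print("isolated origin:", attachment_origin_is_isolated(url))
    print("bugzilla cookie sent to attachment host:", cookie_sent_to(APP_HOST, urlparse(url).hostname))
```

The point of separating the two functions is that they address different risks: `attachment_request` is the object-level authorisation that an IDOR report is really about, while `attachment_origin_is_isolated` and `cookie_sent_to` show why a user-uploaded SVG or HTML attachment, even when legitimately public, cannot read the bugzilla.mozilla.org session cookie or script the main application.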