Yuyang: can you help me understand what an attacker can do with this or provide a PoC that demonstrates the vulnerability?
people.mozilla.org is not part of our bounty program because it's used for developers sharing experiments and tests. Content there is of variable quality and given the same-origin policy (a flaw in one employee's files puts them all at risk) our policy is not to put sensitive data on that server. This report does, however, point out a potential problem: mwargers is no longer an employee, and in the past we removed these files when people left (with exceptions -- some people's files were preserved because others relied on their testcases). Jeff: were mwargers' people.m.o files left active on purpose or has the auto-cleanup process broken down?
Status: UNCONFIRMED → NEW
Ever confirmed: true
:digi - do you know anything about this nuking process of old content from people.mo when people leave Mozilla? From the sounds of it, this content should have been removed when mwargers left Mozilla.
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #4)
> :digi - do you know anything about this nuking process of old content from people.mo when people leave Mozilla? From the sounds of it, this content should have been removed when mwargers left Mozilla.

Ah, this is a bug. Since people moved to C7 the system account uid threshold is 1000 vs 500 on R6. Puppet won't purge system users. mwargers's uid was 664, so despite being disabled his account wasn't automatically purged from people. It's a known issue and we did renumber folks in IT to avoid this very problem, but as you can see other employees are affected. The UID_MIN issue can be tracked in https://bugzilla.mozilla.org/show_bug.cgi?id=1243727. Getting all these folks changed is non-trivial, but I think I have a workaround. I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1302426 to track the implementation of that. This would have been caught in the exit checklist if the user were in IT, but we don't have a SOP for non-IT exits. EUS handles those. The URL has been taken down.
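An added example, not from this thread, showing how an admin could audit for the gap :digi describes: disabled human accounts whose UID sits below the platform's system-account threshold, which a purge rule that skips system users never touches. The passwd lines are constructed, and treating a nologin shell plus a /home directory as the marker of a disabled human account is an assumption.

```shell
#!/bin/sh
# Constructed passwd-format sample (name:x:uid:gid:gecos:home:shell).
# mwargers mirrors the case in the thread: uid 664, disabled, still present.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mwargers:x:664:664:Former employee:/home/mwargers:/sbin/nologin
alice:x:1201:1201:Current employee:/home/alice:/bin/bash
bob:x:998:998:Left company:/home/bob:/sbin/nologin'

# stranded_users UID_MIN < passwd-data
# Prints accounts that look like disabled people (nologin/false shell and a
# /home directory; assumption) whose uid is below UID_MIN. A cleanup rule of the
# form "purge every non-system user" classifies these as system accounts and
# leaves them in place, which is the failure mode described above.
stranded_users() {
    uid_min="$1"
    awk -F: -v min="$uid_min" '
        $3 > 0 && $3 < min + 0 &&
        $6 ~ /^\/home\// &&
        $7 ~ /(nologin|false)$/ { print $1 }'
}

# Compare both thresholds from the thread: 1000 (C7-style) and 500 (R6-style).
audit_threshold() {
    printf '%s\n' "$SAMPLE_PASSWD" | stranded_users "$1"
}

echo "UID_MIN=1000 leaves behind:"; audit_threshold 1000
echo "UID_MIN=500 leaves behind:";  audit_threshold 500
```

Run against a real host with `stranded_users 1000 < /etc/passwd`; an empty result under the threshold the host actually uses is the condition the exit process should enforce.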
:digi - you're awesome, thank you! Yuyang - thanks again for the heads up on this!
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Not an eligible site for bounty.
Flags: sec-bounty? → sec-bounty-
Keywords: sec-low, wsec-xss