Closed Bug 1646863 Opened 5 years ago Closed 5 years ago

Insecure Direct Object Reference

Categories: bugzilla.mozilla.org :: Bug Creation/Editing, defect

Status: RESOLVED INVALID

Reporter: fcleverx (Unassigned)

Attachments: 1 file

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0

Steps to reproduce:

1. Create an account on bugzilla.mozilla.org and report any bug.
2. You will be assigned a bug report reference number in your dashboard.
3. Open that link from the dashboard; the link looks like (https://bugzilla.mozilla.org/show_bug.cgi?id=1646637).
4. Change the reference number to another valid 7-digit number; it will redirect you to a report filed by another user.

Actual results:

I'm able to get the details of bugs that are not resolved yet because of Insecure Direct Object Reference, which discloses very sensitive or confidential information.

Expected results:

It must show "Access denied" or "page not found", as I'm not an authorized person.
It's critical, as it voids all three of confidentiality, integrity and availability of the resource. As I can access the data, I can edit that data, and don't require any authorization.

This is not a security issue and is by design. You can type any bug number you want in the URL bar and see someone else's bug that they filed. Bugzilla will handle security for the bug if the bug is marked private, and only specific people will be allowed to see it. If you type a bug number in the URL bar and you do not have permissions to see the bug, it will display an error page instead of the details of the bug. Most bugs in Bugzilla are publicly accessible and viewable by anyone. Only a small subset of bugs are private, when the details need to remain confidential. Also, anyone can comment on another bug if they are logged in with a valid Bugzilla account. You may not be able to edit other details of the bug, though. Thanks for bringing this up and helping us out, but this is not a security issue.

Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
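The access rule the reply describes (bugs are public by default, group-restricted bugs are shown only to members of those groups, everyone else gets an error page instead of the bug) as an added example in Python. This is not Bugzilla's own code; the group model, the 403/404 split, and every user, group name and bug number below are constructed assumptions for illustration. It shows the object-level check that makes a guessed or edited id in show_bug.cgi harmless for restricted bugs:

```python
"""Object-level authorization for a bug tracker (added example, not Bugzilla's code).

Models the rule from the triage reply: bugs are public unless restricted to
one or more security groups; restricted bugs are visible only to members of
those groups; all other viewers get an error, never the bug's contents.
All identifiers, users and bug records here are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Bug:
    bug_id: int
    summary: str
    # Empty set means public; otherwise the viewer must belong to at least
    # one listed group (assumed simplification of Bugzilla's group model).
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset = frozenset()


class AccessDenied(Exception):
    """The bug exists but the viewer is not allowed to see it."""


class NotFound(Exception):
    """No bug with the requested id exists."""


# Constructed sample data: these bug numbers are placeholders, not real ids.
BUGS = {
    1000001: Bug(1000001, "Public rendering glitch"),
    1000002: Bug(1000002, "Private: security issue", frozenset({"core-security"})),
    1000003: Bug(1000003, "Private: internal infra", frozenset({"infra", "core-security"})),
}


def can_view(bug: Bug, viewer: Optional[User]) -> bool:
    """Public bugs are visible to anyone, including anonymous viewers.

    Restricted bugs require a logged-in viewer who shares at least one group
    with the bug. This is the check that must run before anything derived
    from the looked-up object is returned.
    """
    if not bug.groups:
        return True
    if viewer is None:
        return False
    return bool(bug.groups & viewer.groups)


def show_bug(bug_id: int, viewer: Optional[User]) -> Bug:
    """Look the bug up by id and enforce the authorization rule.

    The id taken from the URL (show_bug.cgi?id=...) is untrusted input, so
    the record is only returned once can_view() has passed.
    """
    bug = BUGS.get(bug_id)
    if bug is None:
        raise NotFound(f"bug {bug_id} does not exist")
    if not can_view(bug, viewer):
        raise AccessDenied(f"bug {bug_id} is restricted")
    return bug


def render(bug_id: int, viewer: Optional[User]) -> str:
    """HTTP-style outcome for a request, to make the visible behaviour concrete.

    Both error branches render a generic page rather than the bug's summary,
    so an unauthorized viewer learns nothing from the object itself. The
    choice of 403 vs 404 is an assumption of this example, not Bugzilla's.
    """
    try:
        bug = show_bug(bug_id, viewer)
    except NotFound:
        return "404 Not Found"
    except AccessDenied:
        return "403 Forbidden"
    return f"200 {bug.summary}"


if __name__ == "__main__":
    anon = None
    alice = User("alice", frozenset({"core-security"}))
    for bug_id in (1000001, 1000002, 1000003, 9999999):
        print(bug_id, "anon ->", render(bug_id, anon), "| alice ->", render(bug_id, alice))
```

The point of the split between `can_view()` and `show_bug()` is that the lookup and the authorization decision are tied together: every code path that turns an id into a record goes through the same check, which is what distinguishes a by-design public resource from an actual insecure direct object reference.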