Closed Bug 251476 Opened 21 years ago Closed 21 years ago

Bugzilla passwords are sent unencrypted

Categories

(bugzilla.mozilla.org :: General, defect)

defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 58300

People

(Reporter: wtc, Assigned: endico)

Details

When we log in on bugzilla.mozilla.org, the browser does a POST on the URL http://bugzilla.mozilla.org/query.cgi. So our Bugzilla passwords are sent over the network unencrypted. This means an attacker can sniff the Bugzilla password of a Mozilla contributor who clearly must have the privilege to view security-sensitive bugs (for example, the mozilla.org drivers listed at the bottom of the Mozilla Development Roadmap page http://www.mozilla.org/roadmap.html, or members of the Mozilla Security Group listed at http://www.mozilla.org/projects/security/secgrouplist.html), log in on bugzilla.mozilla.org as that person, and gain access to security-sensitive bugs.
*** This bug has been marked as a duplicate of 58300 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org