Closed Bug 291824 Opened 19 years ago Closed 19 years ago

Username and Password exposed in URL for tabular reports

Categories

(Bugzilla :: Reporting/Charting, defect)

Product:
Bugzilla
Component:
Reporting/Charting
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 287436

People

(Reporter: rhome, Assigned: gerv)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

In certain situations, the username and password are exposed on the URL in
tabular reports.  This appears to be similar to Bug 235510, but I just
reproduced it minutes ago at http://landfill.bugzilla.org/bugzilla-tip/


Reproducible: Always

Steps to Reproduce:
1. Log in to Bugzilla
2. Create a Tabular Report
3. Bookmark the link to the report
4. Log out of Bugzilla
5. Go to the Bookmark (This should take you to the login screen)
6. Log in to Bugzilla

Actual Results:  
If you click on any of the hyperlinked numbers in the tabular report, those
links will contain the username and password exposed in the URL.

Expected Results:  
Don't pass the username/password in the URL.

I am clicking the security checkbox. I don't know how serious of a threat this
actually is, but easier to let the cat out of the bag than to put it back in.

*** This bug has been marked as a duplicate of 287436 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
The bug this is duplicate of is no longer secured, so unsecuring this one.
Group: webtools-security
You need to log in before you can comment on or make changes to this bug.