User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)

It is possible to get access to the session of other users because the content of Bugzilla_logincookie is easily guessable.

On login Bugzilla creates a new row in logincookies containing an auto-incremented cookie (number), the userid and ipaddress. The first two parameters are stored in cookies named Bugzilla_logincookie and Bugzilla_login. The ip-address does not provide any protection if Bugzilla is set up behind a reverse proxy. There are at least two large ISPs in this area which force their customers to use a proxy for all connections to port 80 and 443. The userid is not a secret. So the only protection is the content of Bugzilla_logincookie, which is easily guessable (incremented by 1 on every login).

Reproducible: Always

Steps to Reproduce:
1. make sure you use the same ip-address to access Bugzilla as the victim (from Bugzilla's point of view)
2. create a cookie called Bugzilla_login with the victim's userid
3. decrement the value of your last Bugzilla_logincookie
4. visit bugzilla web page
5. repeat 3-4 until you get access

Actual Results: getting access to the victim's account

Expected Results: Bugzilla should use an unguessable random string as session-id.
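
Added example, not part of the original report and not Bugzilla's code: a Python model of the login-cookie table described above, next to a variant that issues the cookie from the OS CSPRNG, plus a small audit check that flags sequential identifiers in a sample of issued cookies. The class names, function names, userids and the proxy address are assumptions made for illustration.

```python
import secrets

PROXY_IP = "192.0.2.10"  # constructed: every client appears to come from one proxy


class SequentialCookieStore:
    """Models the reported scheme: the cookie is an auto-incremented row id."""

    def __init__(self):
        self._rows = {}   # cookie value -> (userid, ipaddr)
        self._next = 1

    def login(self, userid, ipaddr):
        cookie = str(self._next)
        self._next += 1
        self._rows[cookie] = (userid, ipaddr)
        return cookie

    def check(self, cookie, userid, ipaddr):
        # A session is accepted only if cookie, userid and address all match.
        return self._rows.get(cookie) == (userid, ipaddr)


class RandomCookieStore(SequentialCookieStore):
    """Same table and same check, but the cookie is 128 random bits."""

    def login(self, userid, ipaddr):
        cookie = secrets.token_urlsafe(16)  # 16 bytes -> 22 URL-safe characters
        self._rows[cookie] = (userid, ipaddr)
        return cookie


def issued_sample(store, n=5):
    """Log in n constructed users behind the proxy and collect their cookies."""
    return [store.login(uid, PROXY_IP) for uid in range(100, 100 + n)]


def looks_sequential(cookies, max_step=16):
    """Audit check: are the cookies integers that rise in small steps?"""
    if len(cookies) < 2 or not all(c.isdigit() for c in cookies):
        return False
    vals = [int(c) for c in cookies]
    return all(0 < b - a <= max_step for a, b in zip(vals, vals[1:]))


if __name__ == "__main__":
    for store in (SequentialCookieStore(), RandomCookieStore()):
        sample = issued_sample(store)
        print(type(store).__name__, sample, "sequential:", looks_sequential(sample))
```

Running looks_sequential over cookies collected from a few test logins on your own deployment is a quick regression check that session identifiers are not derived from a counter.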
Duplicate of bug 119524?
Removing the security flag, not because this isn't a security issue, but because it's a well known issue that isn't worth hiding because it's essentially already been publicly disclosed. It's also a dupe (marking as such).

*** This bug has been marked as a duplicate of 119524 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE