session-id must not be guessable

Status: RESOLVED DUPLICATE of bug 119524
Product: Bugzilla
Component: User Accounts
Severity: critical
Reporter: Hendrik Brummermann
Assignee: Unassigned

Description (Reporter, 13 years ago)
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)

It is possible to get access to the session of other users because the content
of Bugzilla_logincookie is easily guessable.

On login Bugzilla creates a new row in logincookies containing an
auto-incremented cookie (number), the userid and ipaddress. The first two
parameters are stored in cookies named Bugzilla_logincookie and Bugzilla_login.

The ip-address does not provide any protection if Bugzilla is set up behind a
reverse proxy. There are at least two large ISPs in this area which force their
customers to use a proxy for all connections to port 80 and 443.

The userid is not a secret. So the only protection is the content of
Bugzilla_logincookie, which is easily guessable (incremented by 1 on every login).

Reproducible: Always

Steps to Reproduce:
1. make sure you use the same ip-address to access Bugzilla as the victim (from
Bugzilla's point of view)
2. create a cookie called Bugzilla_login with the victim's userid
3. decrement the value of your last Bugzilla_logincookie
4. visit the Bugzilla web page
5. repeat 3-4 until you get access

Actual Results:  
getting access to the victim's account

Expected Results:  
Bugzilla should use an unguessable random string as session-id.
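
The following is an added example, not the reporter's code and not Bugzilla's own implementation. It models the logincookies row described above as a small in-memory store, mints cookies either as an auto-incremented integer (the scheme the report criticises) or as a CSPRNG token (the fix the report asks for), and runs the decrement-and-retry procedure from the steps above against both. All userids, addresses and the login order are constructed for the demonstration.

```python
import secrets


class SessionStore:
    """Toy model of the logincookies table the report describes: one row per
    login holding (userid, ipaddress), keyed by the cookie value. Constructed
    for this example; it is not Bugzilla's code."""

    def __init__(self, make_cookie):
        self._make_cookie = make_cookie   # policy for minting cookie values
        self._rows = {}                   # cookie value -> (userid, ip)

    def login(self, userid, ip):
        cookie = self._make_cookie()
        self._rows[cookie] = (userid, ip)
        return cookie

    def authenticate(self, cookie, userid, ip):
        # Bugzilla_login (userid) and the client address must match the row.
        return self._rows.get(cookie) == (userid, ip)


def sequential_cookies():
    """The weak scheme from the report: an auto-incremented integer."""
    counter = 0

    def make():
        nonlocal counter
        counter += 1
        return counter
    return make


def random_cookies(nbytes=32):
    """The fix the report asks for: a CSPRNG token (32 bytes = 256 bits)."""
    return lambda: secrets.token_urlsafe(nbytes)


def countdown_from(own_cookie):
    """Attacker strategy against integer cookies (steps 3-5 of the report):
    decrement the attacker's own cookie value one step at a time."""
    guess = own_cookie - 1
    while guess > 0:
        yield guess
        guess -= 1


def random_guesses(own_cookie, nbytes=32):
    """Attacker strategy against random tokens: the attacker's own token says
    nothing about anyone else's, so all that is left is blind guessing."""
    while True:
        yield secrets.token_urlsafe(nbytes)


def hijack(store, victim_userid, shared_ip, candidates, max_tries=10_000):
    """Steps 2-5 of the report: send the victim's userid with each candidate
    cookie until the store accepts one. Returns (cookie, tries) or None."""
    for tries, guess in enumerate(candidates, 1):
        if tries > max_tries:
            return None
        if store.authenticate(guess, victim_userid, shared_ip):
            return guess, tries
    return None


def demo(make_cookie, attacker_strategy):
    """Victim (userid 42) logs in, three unrelated logins follow, then the
    attacker (userid 99) logs in. Both sit behind the same forced proxy, so
    Bugzilla sees one address for both. All identities are constructed."""
    store = SessionStore(make_cookie)
    proxy_ip = "203.0.113.7"               # RFC 5737 documentation range
    store.login(42, proxy_ip)              # victim's session
    for uid in (7, 8, 9):
        store.login(uid, "198.51.100.1")   # unrelated users elsewhere
    mine = store.login(99, proxy_ip)       # attacker's own session
    return hijack(store, 42, proxy_ip, attacker_strategy(mine))


if __name__ == "__main__":
    print(demo(sequential_cookies(), countdown_from))   # (1, 4)
    print(demo(random_cookies(), random_guesses))       # None
```

With sequential cookies the attacker recovers the victim's session after as many tries as there were logins in between (four here), because the ip check is satisfied by the shared proxy and the userid is public. With 256-bit random tokens the same budget of 10,000 guesses has a success chance of roughly 10^4 / 2^256, so the loop gives up with None; the ip binding is no longer doing any security work, the token is.
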

Duplicate of bug 119524?
Removing the security flag, not because this isn't a security issue, but because
it's a well known issue that isn't worth hiding because it's essentially already
been publicly disclosed.

It's also a dupe (marking as such).

*** This bug has been marked as a duplicate of 119524 ***
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE