Closed Bug 363494 Opened 18 years ago Closed 18 years ago

bugzilla allows unauthorized creation of user accounts.

Categories

(Bugzilla :: Bugzilla-General, defect)

x86
Linux
defect
Not set
normal


VERIFIED INVALID

People

(Reporter: i440r, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0

This is for bugzilla version 2.20 which isn't the latest but isn't that old either I don't believe. Anyway, I believe there is a security flaw in the user account creation mechanism that will allow anyone to create an account on any bugzilla system even if the administrator has not authorized the account. I looked to see if this bug had already been reported but was not able to see anything similar. See "steps to reproduce" for details.

Reproducible: Always

Steps to Reproduce:
1. Email bugzilla requesting an account and wait for auto reply
2. Email bugzilla requesting change of password
3. log in using password auto generated by bugzilla
Step 2 is useless. If the user account creation is accepted, you get an email with the password in it. No need to change it. And that's simply the right way to create an account on a Bugzilla installation. There is no security hole here. If Bugzilla rejected your user account creation, no mail would be sent.
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
This assumes that bugzilla has been configured to automatically accept account requests. What if an account requires authorization from the administrator first?
Administrators decide who is allowed to self-register thanks to the createemailregexp parameter: editparams.cgi?section=auth#createemailregexp. See also http://www.bugzilla.org/docs/tip/html/useradmin.html#manageusers for the documentation.
And the administrator of the system I am using has decided NOBODY may self register and that all registrations are required to go through HIM. While he was away on vacation I self registered using the aforementioned method which my boss told me to use as a backdoor. If this truly is a "sys admin who doesn't know how to configure the system right" sort of problem I guess I'll shut up now :)
Yeah, if you want to completely disable self-registration, all you have to do is to leave the 'createemailregexp' parameter blank. By default, it's set to ".*", which means "no restriction". Sorry! :)
Status: RESOLVED → VERIFIED
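The thread's resolution is that the reporter's installation was running with the default `createemailregexp` of `.*`, which permits anyone to self-register, while a blank value disables self-registration entirely. The following is an added illustration, not Bugzilla's own code, that models the rule as stated in the comments above so an administrator can see how a given parameter value behaves. It assumes Python's `re` module is an adequate stand-in for Bugzilla's Perl regex matching for these simple patterns; the `audit_parameter` helper and the sample settings are constructed for this example.

```python
import re

# Added illustration (not Bugzilla's code) of the createemailregexp rule
# described in this bug: blank disables self-registration, otherwise the
# submitted address must match the regex. Python's re approximates Perl
# regex syntax for the simple patterns used here (assumption).

DEFAULT_CREATEEMAILREGEXP = ".*"   # Bugzilla's shipped default: "no restriction"


def self_registration_allowed(email: str, createemailregexp: str) -> bool:
    """Return True if `email` may self-register under this parameter value."""
    if createemailregexp.strip() == "":
        # Blank parameter: accounts can only be created by an administrator.
        return False
    return re.search(createemailregexp, email) is not None


def audit_parameter(createemailregexp: str) -> str:
    """Classify a parameter value the way a configuration review would flag it."""
    if createemailregexp.strip() == "":
        return "self-registration disabled"
    if createemailregexp == DEFAULT_CREATEEMAILREGEXP:
        return "WEAK: default '.*' lets anyone self-register"
    if not createemailregexp.endswith("$"):
        # An unanchored domain pattern also matches addresses that merely
        # contain the domain as a substring, so it restricts less than intended.
        return "WARN: pattern is not anchored at the end of the address"
    return "restricted"


# Constructed sample settings for the demonstration.
SETTINGS = {
    "default": ".*",
    "blank (admin-only)": "",
    "unanchored domain": r"@example\.org",
    "anchored domain": r"^[^@]+@example\.org$",
}

# Constructed sample addresses: one inside the intended domain, one outside,
# and one that only contains the domain as a substring.
SAMPLE_ADDRESSES = [
    "alice@example.org",
    "mallory@elsewhere.test",
    "carol@example.org.other.test",
]


def main() -> None:
    for name, value in SETTINGS.items():
        print(f"{name:20s} {value!r:28s} {audit_parameter(value)}")
        for addr in SAMPLE_ADDRESSES:
            verdict = "allowed" if self_registration_allowed(addr, value) else "rejected"
            print(f"    {addr:32s} {verdict}")


if __name__ == "__main__":
    main()
```

Running the script prints, for each setting, the review verdict and which of the sample addresses could self-register; the unanchored pattern row shows why a domain restriction should end with `$`.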