Bug 619999
Opened 14 years ago
Closed 14 years ago
Complete database dump disclosure - addons.mozilla.com
Categories
(Websites :: other.mozilla.org, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: blair-witch, Unassigned)
References
()
Details
(Keywords: sec-critical, wsec-disclosure, Whiteboard: [infrasec:other][ws:critical])
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Build Identifier:

I have been looking around a bit again because of the Mozilla security bounty program. I dug a little deeper now after finding this: https://bugzilla.mozilla.org/show_bug.cgi?id=619702

This time it's a little bit more serious. In fact, this time it is a major fuckup I guess. Looking at the url above, you will find a complete mysql dump of remora, including email addresses and password hashes (even md5s) for addons.mozilla.com. You should fix this NOW! I just found it via google.

Maybe you should think about some kind of policy for the guys under people.mozilla.com. This will not be the fix, but maybe it will sensitize some of the guys not uploading critical, productive data!

I will contact security@mozilla.com about this referencing the bounty program. I have not and will not disclose any of the data in the dump.

Reproducible: Always

Steps to Reproduce:
1. visit url above

Actual Results:
total pwnage
Comment 1•14 years ago
Thanks. The file has been removed for now. We'll be in touch as to any bounty information.
Severity: critical → blocker
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Priority: -- → P1
Resolution: --- → FIXED
Whiteboard: [infrasec:other][ws:critical]
Updated•11 years ago
Flags: sec-bounty+
Updated•8 years ago
Keywords: sec-critical, wsec-disclosure
Updated•7 years ago
Group: websites-security