Closed Bug 689175 Opened 13 years ago Closed 13 years ago

Anyone can edit bug CC:, add/remove/modify users on it

Categories

(Bugzilla :: Bugzilla-General, defect)

defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: kurt, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Build ID: 20110902133214

Steps to reproduce:

Went to bugzilla, chose random bug, added other people to CC: list, removed existing people from CC: list.

Actual results:

System allowed me to do this despite not owning the bug or having anything beyond a public account.

Expected results:

Ideally it should have prevented me from doing so. Spammers can use this to subscribe people to a bug and then add comments (the spam content) which would then be emailed out to users. A malicious attacker could write a script to crawl the bugzilla and remove everyone from CC: lists (meaning they'd have to go back in and manually add themselves which would be very annoying).

We want users to be able to CC other users. About removing users, you cannot do this anymore since Bugzilla 4.2, see bug 28849. Spammer accounts would be revoked if they tried to do so.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX