Status

--
minor
RESOLVED WONTFIX
6 years ago
4 years ago

People

(Reporter: laurens.bal, Unassigned)

Tracking

({sec-low, wsec-csrf})

4.2.1

Details

Attachments

(1 attachment)

Poc
92 bytes, text/plain
(Reporter)

Description

6 years ago
I was able to perform a CSRF vulnerability to log out a user.
The logout process should have a token to prevent this.

Laurens,
(Reporter)

Comment 1

6 years ago
Created attachment 636084
Poc
Assignee: nobody → user-accounts
Component: General → User Accounts
OS: Windows 7 → All
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: general → default-qa
Hardware: x86_64 → All
Version: Production → 4.2.1

Comment 2

6 years ago
I really don't want a token to log out a user. This process must remain simple. You cannot do any harm anyway. This may be annoying if someone abuses this, but harmless.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WONTFIX
Keywords: sec-low, wsec-csrf