Closed Bug 775968 Opened 13 years ago Closed 13 years ago

Username Enumeration via request.cgi 'requester' parameter

Categories

(Bugzilla :: Attachments & Requests, defect)

RESOLVED WORKSFORME

People

(Reporter: ajaysinghnegi01, Unassigned)

Details

(Keywords: sec-low)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

The application reveals when a username already exists on the system. In this case, a forgot password page which, when submitting wrong credentials, will specifically inform the user (and attackers) whether the entered username is already present on the system or not.

Actual results:

I have found that there is a Username Enumeration Vulnerability on the https://bugzilla.mozilla.org website.

Vulnerability Regeneration Steps: Open the below mentioned link without logging in, with a valid user id in the requester parameter. The error message will be like the one below, which is different from the one shown when we try an invalid user in the requester parameter. So, we can say that there is a username enumeration vulnerability.

Url with valid user id: https://bugzilla.mozilla.org/request.cgi?requester=ajaysinghnegi01@gmail.com

Displayed Error Message Using Valid user id:
Bugzilla@Mozilla – Request Queue
When you are logged in, only requests made by you or addressed to you are shown by default. You can change the criteria using the form below. When you are logged out, all pending requests that are not restricted to some group are shown by default.

Url with invalid user id: https://bugzilla.mozilla.org/request.cgi?requester=test@gmail.com

Displayed Error Message Using invalid user id:
Bugzilla@Mozilla – Match Failed
Bugzilla was unable to make any match at all for one or more of the names and/or email addresses you entered on the previous page. Note: You are currently logged out. Only exact matches against e-mail addresses will be performed. Please go back and try other names or email addresses.
Requester: test@gmail.com did not match anything

Expected results:

Always issue common failure messages after each unsuccessful login attempt. It is recommended to make the failure and success messages common, something like "An email has been sent to your email address with the instructions to reset your password." The message should remain the same irrespective of whether the username exists in the system or not.
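The reporter's recommended fix, an identical response whether or not the supplied address resolves to an account, modelled as an added Python example. This is not Bugzilla's code: the two handler names, the `Response` type, the account table and the `.invalid` addresses are all constructed for illustration. The block keeps the reported behaviour (a separate "Match Failed" page) beside a hardened variant, and includes the regression check a maintainer would run against both: an account that exists but has never been used must be indistinguishable from an address with no account at all.

```python
"""Added example (not Bugzilla's code): a request-queue lookup that does not act
as an account-existence oracle, plus the regression check for it.

Everything here is constructed for illustration: the handler names, the
Response type and the e-mail addresses are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed account table (hypothetical addresses under the .invalid TLD).
KNOWN_USERS = {"alice@example.invalid", "carol@example.invalid"}

# Constructed pending flag requests: (requester address, flag name).
PENDING_REQUESTS = [("alice@example.invalid", "review?")]


@dataclass(frozen=True)
class Response:
    status: int
    title: str
    body: str


def vulnerable_request_queue(requester: str) -> Response:
    """Behaviour described in the report: the requester is resolved against the
    account table first, and a distinct 'Match Failed' page is rendered when
    nothing matches."""
    if requester not in KNOWN_USERS:
        return Response(200, "Match Failed",
                        f"Requester: {requester} did not match anything")
    flags = [flag for who, flag in PENDING_REQUESTS if who == requester]
    return Response(200, "Request Queue", "\n".join(flags))


def hardened_request_queue(requester: str) -> Response:
    """Hardened variant: the queue is filtered without a separate account lookup,
    so an unknown address simply yields an empty queue. Status, title and body
    shape are identical for a non-existent address and for an existing account
    that has no pending requests."""
    flags = [flag for who, flag in PENDING_REQUESTS if who == requester]
    return Response(200, "Request Queue", "\n".join(flags))


def leaks_account_existence(handler: Callable[[str], Response],
                            idle_account: str, unknown: str) -> bool:
    """Regression check: True if the handler answers differently for an account
    that exists but has no activity and for an address with no account at all.
    The echoed address is expected to differ, so it is masked before comparing."""
    def normalise(resp: Response, who: str):
        return (resp.status, resp.title, resp.body.replace(who, "<addr>"))
    return (normalise(handler(idle_account), idle_account)
            != normalise(handler(unknown), unknown))


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_request_queue),
                          ("hardened", hardened_request_queue)):
        leaks = leaks_account_existence(handler, "carol@example.invalid",
                                        "nobody@example.invalid")
        print(f"{name}: {'leaks' if leaks else 'does not leak'} account existence")
```

The check is deliberately scoped to the error path: an account with pending activity remains distinguishable from an empty one on any listing page, which is the same observation made later in this bug about bug search. The reporter's suggested password-reset wording applies the same principle to a different page, where the uniform answer is a fixed confirmation message rather than an empty queue.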
This is not a username enumeration bug - that would suggest that someone could enumerate (get a list of) all users on the system. It's a username oracle bug - the page can be used as an oracle to determine if a given username the attacker already knows is valid or not.

This is possible using other mechanisms to a fairly high degree of accuracy too. If you do a bug search for the username and tick all the boxes (reporter, commenter, assignee, QA contact) and get back no results, then the person does not have an account, or their account has never been used for anything. If you get back one or more results, then the account clearly exists.

So the question is: do we consider this a problem?

Gerv
As per the discussion in bug 670887, this type of issue isn't considered security-sensitive.
Assignee: general → attach-and-request
Group: bugzilla-security
Component: Bugzilla-General → Attachments & Requests
Keywords: sec-low
Summary: Username Enumeration → Username Enumeration via request.cgi 'requester' parameter
Severity: normal → minor
This is not a bug as gerv said in comment 1. Bugzilla lets you enable the requirelogin parameter to force users to log in before being able to use Bugzilla if such a minor issue is a problem for your installation.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME