Closed Bug 776273 Opened 13 years ago Closed 13 years ago

Username Enumeration Vulnerability on bugzilla.mozilla.org-token.cgi page & username parameter

Categories

(Bugzilla :: User Accounts, defect)

defect
Not set
minor

Tracking

()

RESOLVED DUPLICATE of bug 670887

People

(Reporter: ajaysinghnegi01, Unassigned)

Details

(Keywords: sec-low)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Build ID: 20100401080539

Steps to reproduce:

Vulnerability Regeneration Steps: Open the below-mentioned link without logging in, with a valid user id in the username parameter. The error message will be like the one below, which is different from when we try an invalid user in the username parameter. So we can say that there is a username enumeration vulnerability.

Url with valid user id: https://bugzilla.mozilla.org/token.cgi?a=reqpw&oginname=ajaysinghnegi01@gmail.com

Displayed Error Message Using Valid user id:
Bugzilla@Mozilla – Request to Change Password
A token for changing your password has been emailed to you. Follow the instructions in that email to change your password.

Url with invalid user id: https://bugzilla.mozilla.org/token.cgi?a=reqpw&loginname=test@gmail.com

Displayed Error Message Using invalid user id:
Bugzilla@Mozilla – Invalid User
There is no user named 'test@gmail.com'. Either you mis-typed the name or that user has not yet registered for a Bugzilla account.

Actual results:

I have found that there is a Username Enumeration Vulnerability on the https://bugzilla.mozilla.org website, on the https://bugzilla.mozilla.org/token.cgi?a=reqpw&loginname= page, through which an attacker 100% accurately gets the valid user ids.

Url with valid user id: https://bugzilla.mozilla.org/token.cgi?a=reqpw&oginname=ajaysinghnegi01@gmail.com

Displayed Error Message Using Valid user id:
Bugzilla@Mozilla – Request to Change Password
A token for changing your password has been emailed to you. Follow the instructions in that email to change your password.

Url with invalid user id: https://bugzilla.mozilla.org/token.cgi?a=reqpw&loginname=test@gmail.com

Displayed Error Message Using invalid user id:
Bugzilla@Mozilla – Invalid User
There is no user named 'test@gmail.com'. Either you mis-typed the name or that user has not yet registered for a Bugzilla account.

The application reveals when a username already exists on the system. In this case, a forgot password page which, when submitting wrong credentials, will specifically inform the user (and attackers) whether the entered username is already present on the system or not.

Expected results:

Always issue common failure messages on the forgot password page for valid and invalid user ids. It is recommended to make the failure and success messages common, something like "An email has been sent to your email address with the instructions to reset your password." The message should remain the same irrespective of whether the username exists in the system or not.
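An added example (not Bugzilla's own code) modelling the reqpw behaviour described in the report next to the uniform-response fix the reporter recommends; the account set, message constants and function names are constructed for illustration:

```python
import secrets

# Constructed sample account store (not real bugzilla.mozilla.org data).
ACCOUNTS = {"alice@example.com", "bob@example.com"}

# Response texts as quoted in the report, plus the recommended uniform one.
MSG_TOKEN_SENT = ("A token for changing your password has been emailed to you. "
                  "Follow the instructions in that email to change your password.")
MSG_NO_USER = ("There is no user named '{}'. Either you mis-typed the name or "
               "that user has not yet registered for a Bugzilla account.")
MSG_UNIFORM = ("An email has been sent to your email address with the "
               "instructions to reset your password.")


def request_password_reset_leaky(loginname, outbox):
    """Reported behaviour: title and body differ depending on whether the
    login exists, so the page itself acts as an account-existence oracle."""
    if loginname not in ACCOUNTS:
        return ("Invalid User", MSG_NO_USER.format(loginname))
    outbox.append((loginname, secrets.token_urlsafe(32)))
    return ("Request to Change Password", MSG_TOKEN_SENT)


def request_password_reset_uniform(loginname, outbox):
    """Recommended behaviour: identical title and body for every input.
    The token is generated unconditionally (no early-return branch that
    would show up as a timing difference) but only delivered to a real
    account; the visible response no longer depends on the account store."""
    token = secrets.token_urlsafe(32)
    if loginname in ACCOUNTS:
        outbox.append((loginname, token))
    # A server-side audit log of the attempt (hypothetical) would go here;
    # it must never be reflected back to the client.
    return ("Request to Change Password", MSG_UNIFORM)


def responses_distinguishable(handler, existing_login, missing_login):
    """Regression check for the fix: True if the handler answers an existing
    and a missing login differently, i.e. the enumeration oracle is present."""
    return handler(existing_login, []) != handler(missing_login, [])
```

A regression test built on `responses_distinguishable` keeps the uniform behaviour from silently regressing when the page's templates are changed.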
Effectively a dupe of bug 670887, comment #1. Not security-sensitive.
Assignee: general → user-accounts
Group: bugzilla-security
Component: Bugzilla-General → User Accounts
Keywords: sec-low
Severity: normal → minor
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE