Closed
Bug 808566
Opened 12 years ago
Closed 10 years ago
missing CSRF protection on bedrock newsletter forms
Categories
(www.mozilla.org :: Bedrock, defect, P4)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: curtisk, Unassigned)
Details
(Keywords: sec-low, wsec-csrf)
Input Fields
• newsletter-footer [Hidden]
• newsletter [Hidden]
• email [Text]
• fmt [Radio]
• privacy [Checkbox]
Updated•12 years ago
Component: other.mozilla.org → General
Product: Websites → www.mozilla.org
Updated•12 years ago
Group: websites-security
Updated•12 years ago
Summary: Missing CSRF protections on apps → possible missing CSRF protections on apps
Comment 2•11 years ago
http://www.mozilla.org/en-US/firefox/technology/ also needs CSRF protection, and probably a bunch of other pages that use the newsletter form too.
Summary: possible missing CSRF protections on apps → missing CSRF protection on bedrock newsletter forms
Updated•11 years ago
Priority: -- → P4
Updated•11 years ago
Keywords: sec-moderate → sec-low
Updated•11 years ago
Component: General → Bedrock
Comment 6•10 years ago
There is no authentication or user session cookie associated with any of the pages that host the newsletter forms on bedrock, so no CSRF attacks are possible.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 7•10 years ago
I agree there are no significant attacks possible due to this bug, so we shouldn't spend any time fixing it. Someone from security is free to reopen if they disagree.
Resolution: FIXED → WONTFIX