User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20131112160018

Steps to reproduce:
We can add an email to the CC list via a CSRF on Bugzilla.mozilla.org (see the video example and testcase1).

Actual results:
The email is added to the CC list of the targeted bug ID.

Expected results:
An external user can view the bug once their email has been added to the CC list by CSRF.
Created attachment 8345707 [details]
show_bug3.html.zip

You need to execute the HTML file locally for the test.
The update token is validated before any changes are applied. The attached POC results in:

> You submitted changes to process_bug.cgi with an invalid token, which may indicate that someone
> tried to abuse you, for instance by making you click on a URL which redirected you here without
> your consent.
>
> Are you sure you want to commit these changes?

By saving a page created for your account, the token is valid when your user submits that update, even from a locally saved page. However, as tokens are bound to the user, it won't be valid for anyone else.
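The reply above rests on two properties of the update token: it is checked before any change is applied, and it is bound to the submitting user, so a token lifted from one user's saved page is useless when submitted as anyone else. The following is an added illustration of that pattern and is not Bugzilla's own code; the function names (`issue_token`, `check_token`, `process_bug`), the token format, the 24-hour lifetime and the in-memory bug record are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a real deployment keeps a persistent,
# secret server key rather than generating one at import time.
SERVER_SECRET = secrets.token_bytes(32)

TOKEN_MAX_AGE = 86400  # assumed lifetime in seconds (24 hours)


def issue_token(user_id, issued_at=None):
    """Issue an anti-CSRF token bound to one user.

    Format (hypothetical): "<issued_at>-<hex hmac>", where the HMAC covers
    both the user id and the timestamp, so the token cannot be reused by a
    different user or after it expires.
    """
    ts = int(time.time()) if issued_at is None else int(issued_at)
    msg = f"{user_id}:{ts}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{ts}-{mac}"


def check_token(user_id, token, now=None):
    """Return True only if `token` was issued for `user_id` and is still fresh."""
    try:
        ts_str, mac = token.split("-", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False  # malformed token: treat as invalid, never as "probably fine"
    now = int(time.time()) if now is None else int(now)
    if not 0 <= now - ts <= TOKEN_MAX_AGE:
        return False  # expired (or timestamp from the future)
    expected = hmac.new(SERVER_SECRET, f"{user_id}:{ts}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected MAC.
    return hmac.compare_digest(expected, mac)


def process_bug(bug, acting_user, form):
    """Apply a CC-list change from `form` on behalf of `acting_user`.

    The token is verified before the record is touched; on failure the bug
    is left exactly as it was and the caller gets an error string.
    """
    if not check_token(acting_user, form.get("token", "")):
        return "invalid token"
    new_cc = form.get("newcc", "").strip()
    if new_cc and new_cc not in bug["cc"]:
        bug["cc"].append(new_cc)
    return "ok"


if __name__ == "__main__":
    # Constructed sample: alice saves her own edit page, then submits it.
    bug = {"id": 1, "cc": []}
    alice_token = issue_token("alice")
    print(process_bug(bug, "alice", {"token": alice_token, "newcc": "x@example.test"}))
    # The same saved page submitted as bob is rejected before any change.
    print(process_bug(bug, "bob", {"token": alice_token, "newcc": "y@example.test"}))
    print(bug["cc"])  # only alice's own change is present
```

The key defensive detail is ordering: the CC list is mutated only after `check_token` returns, so a rejected request has no side effect to undo, which matches the behaviour the reply describes.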