Closed
Bug 948804
Opened 11 years ago
Closed 11 years ago
Cross Site Request Forgery on Bugzilla add CC'd Email on list.
Categories
(Bugzilla :: Creating/Changing Bugs, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: jordi.chancel, Unassigned)
Details
Attachments
(1 file, 1 obsolete file)
18.27 KB,
application/java-archive
|
Details |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release) Build ID: 20131112160018 Steps to reproduce: We can add an email at the cc'd list by a CSRF on Bugzilla.mozilla.org (see videoexample and testcase1) Actual results: Email is added at the cc'd list on the bugzilla id CC list. Expected results: external user can view the bug when his mail was added by CSRF on the CC LIST.
Reporter | ||
Comment 1•11 years ago
|
||
click "save change"
Assignee: nobody → create-and-change
Component: General → Creating/Changing Bugs
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Version: Production → 4.2.7
Reporter | ||
Comment 2•11 years ago
|
||
you need execute the html file localy for the test.
Attachment #8345701 -
Attachment is obsolete: true
the update token is validated before any changes are applied.
the attached POC results in:
> You submitted changes to process_bug.cgi with an invalid token, which may indicate that someone
> tried to abuse you, for instance by making you click on a URL which redirected you here without
> your consent.
>
> Are you sure you want to commit these changes?
by saving a page created for your account, the token is valid when your user submits that update, even from a locally saved page. however as tokens are bound to the user, it won't be valid for anyone else.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Updated•11 years ago
|
Attachment #8345707 -
Attachment mime type: application/zip → application/java-archive
Updated•11 years ago
|
Flags: sec-bounty-
You need to log in
before you can comment on or make changes to this bug.
Description
•