Cross Site Request Forgery on Bugzilla add CC'd Email on list.

Status: RESOLVED INVALID
Product: Bugzilla
Component: Creating/Changing Bugs
Reported: 4 years ago; Modified: 3 years ago
People: Reporter: Jordi Chancel; Unassigned
Bug Flags: sec-bounty -
Attachments: 1 attachment, 1 obsolete attachment (18.27 KB, application/java-archive)
Description (Reporter, 4 years ago)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20131112160018

Steps to reproduce:

We can add an email to the CC'd list by a CSRF on Bugzilla.mozilla.org
(see video example and testcase1).


Actual results:

Email is added to the CC list of the Bugzilla bug ID.


Expected results:

An external user can view the bug when his mail is added by CSRF to the CC list.
Comment 1 (Reporter, 4 years ago)

Created attachment 8345701
show_bug3 click save change.html

Click "save change".
Assignee: nobody → create-and-change
Component: General → Creating/Changing Bugs
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Version: Production → 4.2.7
Comment 2 (Reporter, 4 years ago)

Created attachment 8345707
show_bug3.html.zip

You need to execute the HTML file locally for the test.
Attachment #8345701 - Attachment is obsolete: true
The update token is validated before any changes are applied.

The attached PoC results in:

> You submitted changes to process_bug.cgi with an invalid token, which may indicate that someone
> tried to abuse you, for instance by making you click on a URL which redirected you here without
> your consent.
> 
> Are you sure you want to commit these changes?

By saving a page created for your account, the token is valid when your user submits that update, even from a locally saved page. However, as tokens are bound to the user, it won't be valid for anyone else.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID
Attachment #8345707 - Attachment mime type: application/zip → application/java-archive
Flags: sec-bounty-
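As an added illustration of why the comment above closes the report (this is example code, not Bugzilla's own implementation): an update token bound to the submitting user and the bug, issued into the edit form and checked before any change is applied. A token minted for one account fails when a different account's session submits it, which is what a page saved from the reporter's own account runs into. The HMAC construction, the function names and the three-hour lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret; a real deployment would persist it.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3 * 3600  # assumed lifetime of an update token, in seconds


def _mac(user_id: int, bug_id: int, issued_at: int) -> str:
    # Bind the token to the user, the bug being edited and the issue time.
    msg = f"{user_id}:{bug_id}:{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_update_token(user_id: int, bug_id: int, issued_at: Optional[int] = None) -> str:
    """Mint the token that the server embeds in the bug edit form for this user."""
    ts = int(time.time()) if issued_at is None else issued_at
    return f"{ts}-{_mac(user_id, bug_id, ts)}"


def validate_update_token(token: str, user_id: int, bug_id: int,
                          now: Optional[int] = None) -> bool:
    """True only if the token was issued to this user for this bug and is unexpired."""
    try:
        ts_str, mac = token.split("-", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if ts > now or now - ts > TOKEN_MAX_AGE:
        return False
    # Constant-time comparison so the MAC check does not leak timing.
    return hmac.compare_digest(mac, _mac(user_id, bug_id, ts))


def process_bug(session_user_id: int, bug_id: int, token: str,
                new_cc: str, cc_lists: dict) -> bool:
    """Apply the CC change only after the token check passes (assumed handler)."""
    if not validate_update_token(token, session_user_id, bug_id):
        # Mirrors the behaviour in the comment: reject before any change is made.
        return False
    cc_lists.setdefault(bug_id, set()).add(new_cc)
    return True
```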