Closed Bug 948804 Opened 11 years ago Closed 11 years ago

Cross Site Request Forgery on Bugzilla add CC'd Email on list.

Categories

(Bugzilla :: Creating/Changing Bugs, defect)

4.2.7
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: jordi.chancel, Unassigned)

Attachments

(1 file, 1 obsolete file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20131112160018

Steps to reproduce:

We can add an email to the CC'd list by a CSRF on Bugzilla.mozilla.org
(see videoexample and testcase1)


Actual results:

Email is added to the CC'd list on the Bugzilla id CC list.


Expected results:

External user can view the bug when his mail was added by CSRF on the CC list.
Attached file show_bug3 click save change.html (obsolete) —
click "save change"
Assignee: nobody → create-and-change
Component: General → Creating/Changing Bugs
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Version: Production → 4.2.7
Attached file show_bug3.html.zip
You need to execute the HTML file locally for the test.
Attachment #8345701 - Attachment is obsolete: true
the update token is validated before any changes are applied.

the attached POC results in:

> You submitted changes to process_bug.cgi with an invalid token, which may indicate that someone
> tried to abuse you, for instance by making you click on a URL which redirected you here without
> your consent.
> 
> Are you sure you want to commit these changes?

by saving a page created for your account, the token is valid when your user submits that update, even from a locally saved page. however as tokens are bound to the user, it won't be valid for anyone else.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Attachment #8345707 - Attachment mime type: application/zip → application/java-archive
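
The behaviour described in the reply above (a token carried in a saved page is accepted for the account it was issued to and rejected for any other account), as an added example that is not Bugzilla's own code. It assumes an HMAC-based token; `issue_token`, `check_token`, `process_change`, `SERVER_SECRET` and `MAX_AGE` are hypothetical names.

```python
import hashlib
import hmac
import secrets

import time

SERVER_SECRET = secrets.token_bytes(32)  # per-site secret (assumption)
MAX_AGE = 3 * 24 * 3600                  # token lifetime in seconds (assumption)


def _mac(user_id, bug_id, ts):
    """HMAC over the user, the bug and the issue time."""
    msg = f"{user_id}:{bug_id}:{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user_id, bug_id, now=None):
    """Token embedded in the edit form that is rendered for user_id."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}-{_mac(user_id, bug_id, ts)}"


def check_token(token, session_user_id, bug_id, now=None):
    """Recompute the MAC for the user who owns the session, not for
    whoever the form was originally rendered for."""
    if not token or "-" not in token:
        return False
    ts, mac = token.split("-", 1)
    if not (ts.isascii() and ts.isdigit()):
        return False
    current = time.time() if now is None else now
    if current - int(ts) > MAX_AGE:
        return False  # stale token from an old saved page
    expected = _mac(session_user_id, bug_id, ts)
    return hmac.compare_digest(mac.encode(), expected.encode())


def process_change(session_user_id, bug_id, form):
    """Validate the token before any change is applied."""
    if not check_token(form.get("token"), session_user_id, bug_id):
        return "invalid token: confirmation required"
    return f"cc added: {form['newcc']}"
```
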