Closed Bug 428285 Opened 17 years ago Closed 17 years ago

process_bug.cgi still prone to CSRF

Categories

(Bugzilla :: Creating/Changing Bugs, defect)

Other
All
defect
Not set
normal

RESOLVED DUPLICATE of bug 26257

People

(Reporter: ludwig.nussel, Unassigned)

Details

User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.7 (like Gecko) SUSE
Build Identifier:

process_bug.cgi is still prone to cross site request forgery as it does not use a token like other pages (see also bug 281181). That means a specially crafted URL can for example remove the privacy flag or add random people to private bugs' CC. The problem was already mentioned in the long discussion around the quite old bug 26257 but not fixed in bugzilla 3.0.3 yet. I'd also like to inform vendor-sec about this problem as several distributions ship bugzilla packages.

Reproducible: Always
This problem has been known for a very long time and, as you said yourself, is already reported in bug 26257.
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
bug 281181 was not marked as duplicate but fixed as security issue. What about fixing this one as well?
(In reply to comment #2)
> bug 281181 was not marked as duplicate but fixed as security issue. What about
> fixing this one as well?

Bug 281181 is not about process_bug.cgi, but about admin pages. So it isn't a duplicate as they are not talking about the same pages.

About process_bug.cgi, we have to find a way which won't break applications which interact with it and which do not expect a token to be passed to it (such as email_in.pl). That's why it's not fixed yet. We first need to find the correct way to fix it.
Group: bugzilla-security
This bug is being removed from the security group because the bug that it is a duplicate of is now public, since it has been fixed and a Security Advisory has been sent about it. See bug 468249 for the Security Advisory.
Group: bugzilla-security
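
Added example, not part of the bug thread and not Bugzilla's code: a Python sketch of the trade-off discussed in the reply to comment #2, where cookie-authenticated browser changes must carry a per-user, per-bug token while clients that present credentials with each request are exempt. The secret, token lifetime and request field names are assumptions, and this does not describe how Bugzilla eventually fixed the issue.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: per-site secret kept server-side
MAX_AGE = 3 * 24 * 3600              # assumption: token lifetime in seconds


def _mac(user_id, bug_id, ts):
    msg = f"{user_id}:{bug_id}:{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user_id, bug_id, now=None):
    """Token for a hidden field of the edit form served to this user."""
    ts = str(int(now if now is not None else time.time()))
    return ts + "-" + _mac(user_id, bug_id, ts)


def token_ok(token, user_id, bug_id, now=None):
    """True only for an unexpired token issued to this user for this bug."""
    now = now if now is not None else time.time()
    ts, _, mac = (token or "").partition("-")
    if not ts.isdecimal() or not 0 <= now - int(ts) <= MAX_AGE:
        return False
    expected = _mac(user_id, bug_id, ts)
    # Compare as bytes so non-ASCII input cannot raise, and in constant time.
    return hmac.compare_digest(mac.encode(), expected.encode())


def authorize_change(request, now=None):
    """Decide whether a state-changing request may proceed.

    request is a dict with hypothetical keys: 'auth' ('cookie' or
    'explicit'), 'user_id', 'bug_id' and, for browsers, 'token'.
    """
    if request["auth"] == "explicit":
        # Credentials came with this request (script, mail gateway) rather
        # than being attached by the browser, so a forged cross-site
        # request cannot take this path.
        return True
    # Ambient cookie auth: a crafted URL alone carries no valid token.
    return token_ok(request.get("token"), request["user_id"],
                    request["bug_id"], now)
```
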