Closed Bug 621104 Opened 14 years ago Closed 14 years ago

[SECURITY] User preferences pages lack CSRF protection

Categories

(Bugzilla :: User Accounts, defect)

Version: 3.6.3
Type: defect
Priority: Not set
Severity: major

RESOLVED DUPLICATE of bug 472362

People

(Reporter: reed, Unassigned)

userprefs.cgi doesn't have any CSRF protection at all. This was discussed in bug 26257, comment #124 and following, but it was never implemented (nor was a bug filed to track its implementation). This is fairly bad, as I can think of a good number of things that an attacker can do to cause problems for a user.
I'm pretty sure that this is a duplicate.
(In reply to comment #1)
> I'm pretty sure that this is a duplicate.

I just looked through a list of every bug under User Accounts, and I didn't see anything that looked like this...
We fixed this bug almost 2 years ago.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Target Milestone: Bugzilla 3.2 → ---
Group: bugzilla-security
Indeed. Not sure how I missed that when reading the code. My apologies.
Whiteboard: [infrasec:csrf][ws:critical]